Unpacking the unpleasant FIN7 gift: PackXOR
Sept. 17, 2024, 11:28 a.m.
Description
This analysis delves into PackXOR, a private packer associated with FIN7's AvNeutralizer tool. PackXOR employs a two-section structure with XOR encryption and LZNT1 compression. The packer utilizes Run-Time Dynamic Linking and encrypts API function names. Notably, PackXOR has been observed packing various payloads beyond AvNeutralizer, including XMRig cryptominer and data exfiltration tools. This suggests its usage extends beyond FIN7 operations. The article provides a detailed breakdown of the packer's logic, string encryption methods, and usage patterns. Additionally, an unpacker tool is introduced to assist the cybersecurity community in analyzing PackXOR-packed malware.
Tags
Date
- Created: Sept. 17, 2024, 11:19 a.m.
- Published: Sept. 17, 2024, 11:19 a.m.
- Modified: Sept. 17, 2024, 11:28 a.m.
Indicators
- f15e6ff7f1ba8f7aad1adb88300a5ea367d6b5388f41d602f978d2885aa2ed38
- e3505901fd44c8f6597ca9c512375b6ecbf3dc21dbae3d373318c99929d62091
- dcc7fd38fced82cc04cb6fa0d189d2924163494e542f6c516e6588c110ab7554
- cf1d985a33b39d332d4bac33d971a004dcd18cea82ff1b291c6a5046e073414d
- b86612a6d62a1789031248bdb732b8bff51acaeaa687c3559f0980560a8abf2f
- 632b068e1b8fbc54eb0b30f01455c73396deb5f8e3bbd3b171fb69b6936a6019
- 56af567979acaec20bab9a36064ee5f31b96fceaa5487f6ba2db9ff6360d9a51
- 42ca0d62a9516cbf4a1ffcd9097d2f2c3b135f82b1c07adf586ef5b23ce96197
- 40a8ffc5bbcb3befc90f269e32ab96b3ff32768f1fc0317a00f86f9b1161cdeb
- 146c68ca89b8b0378c2c6fb978892aace0235c7038879e85b3764556b0dbf2a5
- 1428e14c9c86e8f068e37efc11190ee16f2cdb9bc808308c5450389ee2893c10
- 0506372e2c2b6646c539ac5a08265dd66d0da58a25545e444c25b9a02f8d9a44
Attack Patterns
- R77 rootkit
- AvNeutralizer
- XMRig
- FIN7
- T1027.002
- T1497
- T1129
- T1106
- T1055
- T1140
- T1027