Description
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
Platforms
Mitigations (1)
Antivirus/AntimalwareM1049
Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.
Threat Groups (23)
| ID | Group | Context |
|---|---|---|
| G0089 | The White Company | [The White Company](https://attack.mitre.org/groups/G0089) has obfuscated their payloads through packing.(Citation: Cylance Shaheen Nov 2018) |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used a .NET packer to obfuscate malicious files.(Citation: Cisco Operation Layover September 2021) |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) uses packers such as Themida to obfuscate malicious files.(Citation: Rostovcev APT41 2021) |
| G0070 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) has used UPX to pack [Bandook](https://attack.mitre.org/software/S0234).(Citation: Lookout Dark ... |
| G1007 | Aoqin Dragon | [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has used the Themida packer to obfuscate malicious payloads.(Citation: SentinelOne Aoqin Dragon ... |
| G1019 | MoustachedBouncer | [MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used malware plugins packed with Themida.(Citation: MoustachedBouncer ESET August 2023) |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has packed tools with UPX, and has repacked a modified version of [Mimikatz](https://attack.mitre.org/s... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used UPX to obscure malicious code.(Citation: IBM TA505 April 2020) |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used the Ultimate Packer for Executables (UPX) to obfuscate the FRP client files Brightmetr... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) packed some payloads using different types of packers, both known and custom.(Citation: Cybereason So... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used UPX and Ezuri packer to pack its binaries.(Citation: Trend Micro TeamTNT) |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their i... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106)'s miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 201... |
| G0040 | Patchwork | A [Patchwork](https://attack.mitre.org/groups/G0040) payload was packed with UPX.(Citation: Securelist Dropping Elephant) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has packed malware with UPX.(Citation: Malwarebytes Kimsuky June 2021) |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used multi-stage packers for exploit code.(Citation: Check Point APT31 February 2021) |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has packed the code of dropped kernel drivers using the packer ASM Guard.(Citation: Palo Alto Un... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has used Themida to pack [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citati... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has packed malware and tools, including using VMProtect.(Citation: Trend Micro DRBControl F... |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) clones .NET assemblies from other .NET binaries as well as cloning code signing certificates from ... |
Associated Software (73)
| ID | Name | Type | Context |
|---|---|---|---|
| S0588 | GoldMax | Malware | [GoldMax](https://attack.mitre.org/software/S0588) has been packed for obfuscation.(Citation: FireEye SUNSHUTTLE Mar 2021) |
| S0447 | Lokibot | Malware | [Lokibot](https://attack.mitre.org/software/S0447) has used several packing methods for obfuscation.(Citation: Infoblox Lokibot January 2019) |
| S0625 | Cuba | Malware | [Cuba](https://attack.mitre.org/software/S0625) has a packed payload when delivered.(Citation: McAfee Cuba April 2021) |
| S0257 | VERMIN | Malware | [VERMIN](https://attack.mitre.org/software/S0257) is initially packed.(Citation: Unit 42 VERMIN Jan 2018) |
| S0020 | China Chopper | Malware | [China Chopper](https://attack.mitre.org/software/S0020)'s client component is packed with UPX.(Citation: Lee 2013) |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) contains multiple payloads that are packed for defense evasion purposes and unpacked on run... |
| S0565 | Raindrop | Malware | [Raindrop](https://attack.mitre.org/software/S0565) used a custom packer for its [Cobalt Strike](https://attack.mitre.org/software/S0154) payload, whi... |
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196) has been delivered as a VMProtect-packed binary.(Citation: S2W Troll Stealer 2024)(Citation: ... |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) uses a custom packer.(Citation: Symantec Waterbug)(Citation: Joint Cybersecurity Advisory AA23-129... |
| S0543 | Spark | Malware | [Spark](https://attack.mitre.org/software/S0543) has been packed with Enigma Protector to obfuscate its contents.(Citation: Unit42 Molerat Mar 2020) |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) has used .NET packer tools to evade detection.(Citation: Red Canary NETWIRE January 2020) |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) has been packed with NSIS.(Citation: ESET Machete July 2019) |
| S0622 | AppleSeed | Malware | [AppleSeed](https://attack.mitre.org/software/S0622) has used UPX packers for its payload DLL.(Citation: Malwarebytes Kimsuky June 2021) |
| S0187 | Daserf | Malware | A version of [Daserf](https://attack.mitre.org/software/S0187) uses the MPRESS packer.(Citation: Trend Micro Daserf Nov 2017) |
| S0281 | Dok | Malware | [Dok](https://attack.mitre.org/software/S0281) is packed with an UPX executable packer.(Citation: hexed osx.dok analysis 2019) |
| S0356 | KONNI | Malware | [KONNI](https://attack.mitre.org/software/S0356) has been packed for obfuscation.(Citation: Malwarebytes KONNI Evolves Jan 2022) |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can use code packing to hinder analysis.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) uses a software packer called Pe123\RPolyCryptor.(Citation: Cybereason Astaroth Feb 2019) |
| S0094 | Trojan.Karagany | Malware | [Trojan.Karagany](https://attack.mitre.org/software/S0094) samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delph... |
| S0182 | FinFisher | Malware | A [FinFisher](https://attack.mitre.org/software/S0182) variant uses a custom packer.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct... |
References
- Alexandre D'Hondt. (n.d.). Awesome Executable Packing. Retrieved March 11, 2022.
- Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.
Frequently Asked Questions
What is T1027.002 (Software Packing)?
T1027.002 is a MITRE ATT&CK technique named 'Software Packing'. It belongs to the Stealth tactic(s). Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable ch...
How can T1027.002 be detected?
Detection of T1027.002 (Software Packing) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1027.002?
There are 1 documented mitigations for T1027.002. Key mitigations include: Antivirus/Antimalware.
Which threat groups use T1027.002?
Known threat groups using T1027.002 include: The White Company, TA2541, APT41, Dark Caracal, Aoqin Dragon, MoustachedBouncer, APT39, TA505.