Software Packing
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code. Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
Detection logic
Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
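As an added example (not part of this page or of any ATT&CK tooling), the script below applies the file-scanning idea to a PE image: it flags section names left behind by UPX and MPRESS and sections whose byte entropy is high enough to suggest compressed or encrypted code. The minimal PE builder and both sample images are constructed here only so the script runs offline; the 7.0 bits/byte threshold and the 256-byte minimum are assumptions.

```python
import math
import struct
# Section names left behind by well-known packers (the page names UPX and MPRESS).
KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".MPRESS1", b".MPRESS2"}
HIGH_ENTROPY = 7.0  # bits/byte (assumed threshold); compressed or encrypted data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section header of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]   # NumberOfSections
    opt = struct.unpack_from("<H", image, pe + 20)[0]   # SizeOfOptionalHeader
    for i in range(nsec):
        hdr = pe + 24 + opt + 40 * i                    # 40-byte section header
        name = image[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packing_indicators(image: bytes) -> list:
    """Indicators of packing; an empty list means none found, not a clean verdict."""
    hits = []
    for name, data in pe_sections(image):
        if name in KNOWN_PACKER_SECTIONS:
            hits.append(f"known packer section {name.decode()}")
        ent = shannon_entropy(data)
        if len(data) >= 256 and ent >= HIGH_ENTROPY:
            hits.append(f"high-entropy section {name.decode()} ({ent:.2f} bits/byte)")
    return hits

def build_pe(sections) -> bytes:
    """Constructed minimal PE (no optional header) used only as offline sample input."""
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    ptr, body = 0x40 + 24 + 40 * len(sections), b""
    for name, data in sections:
        out += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), ptr) + b"\0" * 16
        body, ptr = body + data, ptr + len(data)
    return bytes(out + body)
# Constructed samples: a UPX-style layout with an incompressible section, and a plain .text section.
PACKED = build_pe([(b"UPX0", b"\0" * 512), (b"UPX1", bytes(range(256)) * 4)])
PLAIN = build_pe([(b".text", b"\x90" * 300 + b"\xc3" * 212)])
```

Treat a hit as a cue for further analysis rather than a verdict: custom packers leave different artifacts, and legitimately packed software will trip the same checks.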
Observed actors
G0082 Elderwood
G0066 GALLIUM
G0093 APT3
G0022 Kimsuky
G0094 Volt Typhoon
G1017 Patchwork
G0040 APT41
G0096 TeamTNT
G0139 Sandworm Team
G0034 ZIRCONIUM
G0128 Rocke
G0106 APT39
G0087 TA2541
G1018 Aoqin Dragon
G1007 The White Company
G0089 Saint Bear
G1031 MoustachedBouncer
G1019 TA505
G0092 APT29
G0016 Dark Caracal
G0070 Ember Bear
G1003 Lazarus Group
G0032 Threat Group-3390
G0027