Breaking the AutoIt packers – Check Point packs a punch

Published December 12th, 2019

In our day to day work, we’re constantly analyzing new executable files which have been seen in the wild in order to identify new threats for our customers.

Why executable files out of all the file types?

An attack can arrive in many different ways – a phishing email with a document attached, a drive-by download from the web, lateral movement from the internal network and many more.

But the severity of a cyber threat, and its potential impact, is determined by whether code executes on a victim’s machine, and this is where we want to focus.

Check Point researchers encountered numerous malicious executable files which seemed to have a common denominator – they were packed with a tool that tried to hide the underlying malicious payload.

Further research led to the understanding that these files were encrypted using AutoIt packers, and led us to CypherIT – a public service by a supposedly legitimate company which offers file encryption over the web to anyone looking to protect their application.

So, who is using this service?

Check Point Telemetry:

Our rich telemetry revealed a troubling fact – all CypherIT-encrypted files seen in emails were malicious. Almost one fifth (18%) of all executable files that arrived by email and were seen during Q3 2019 were encrypted using CypherIT.

Check Point’s unique advantage

Our researchers came to a meaningful breakthrough which gave our product a great edge and a security boost. We wrote code to reverse the multi-stage encryption, allowing us to reveal the hidden malware under each encrypted file and improve threat classification in our products. In fact, we encountered more than 20 different malware families inside these files.

This malware is extremely dangerous once it infects a machine; here are just a few examples of the capabilities of the top malware we’ve seen hiding under the CypherIT wrapping:

  1. NanoCore – a remote access trojan with functionality such as screen capture, cryptocurrency mining, remote control of the desktop and webcam session theft.
  2. Stampado – a ransomware as a service, which when executed, will modify the data on the victim’s computer so that the victim can no longer use the data.
  3. Remcos – a remote access trojan designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges and harvest passwords.
  4. AgentTesla – an advanced remote access trojan which functions as a keylogger and password stealer, that can monitor and collect the victim’s keyboard input, system clipboard, record screenshots, and exfiltrate credentials belonging to a variety of software installed on a victim’s machine.

A video demonstrating our reversing capabilities while extracting the original malicious payload.

Powering Check Point protections

Check Point research tools tore apart the packer’s defense, removing the encryption layer and leaving the malicious core exposed.

After we broke these packed samples, we used the decrypted data to enrich the Check Point SandBlast Zero-Day Protection solution to deal with these new threats. The innovative zero-day threat emulation capability within the SandBlast solution delivers the best possible catch rate for these threats.

For deeper analysis and more information, visit our Check Point Research technical blog.