Researchers at Kaspersky have released a technical analysis report detailing a malware packer named Loncom. This packer uses NSIS software for packing and loading shellcode and has been seen loading malware used by Advanced Persistent Threat (APT) groups. Microsoft’s Crypto API is used to decrypt the final payload.
Through a series of exclusive-or (XOR) based block decryptions, the shellcode unpacks itself stage by stage as it runs. Eventually, after loading the libraries it needs, Loncom decrypts the final payload using AES-256. According to Kaspersky researchers, payloads include:
- Mokes – AKA SmokeLoader, a malware loader
- Buerak – Another malware downloader
- DarkVNC – A VNC-based backdoor
- REvil – Ransomware also known as Sodinokibi
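The layering described above (several XOR block passes hiding an AES-256 ciphertext, which in turn yields the final payload) is the part an analyst has to reproduce once the keys have been pulled out of a sample. The following Go program is an added model of that chain, not code from Kaspersky's report or from the packer itself: the stage keys, the choice of AES-CBC with PKCS#7 padding, and the sample payload are all constructed assumptions, and Go's standard library stands in for the Microsoft Crypto API the real loader calls.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// xorBlockPass XORs buf in place with a repeating key. Applying the same
// pass twice is the identity, so one function both packs and unpacks.
func xorBlockPass(buf []byte, key []byte) {
	for i := range buf {
		buf[i] ^= key[i%len(key)]
	}
}

// unpackStages applies one XOR pass per stage, in the order the loader would.
// A packer that reveals the next block of code with a fresh key at each stage
// is modelled here as a list of stage keys (assumed, not Loncom's real scheme).
func unpackStages(blob []byte, stageKeys [][]byte) []byte {
	out := append([]byte(nil), blob...)
	for _, k := range stageKeys {
		xorBlockPass(out, k)
	}
	return out
}

// aes256CBCDecrypt decrypts ct with AES-256-CBC and strips PKCS#7 padding.
// Mode and padding are assumptions for this model; the page only states AES-256.
func aes256CBCDecrypt(key, iv, ct []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// pkcs7Unpad validates and removes PKCS#7 padding; len(b) is at least one block.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// aes256CBCEncrypt exists only so the model can build a test sample offline;
// an analyst would take the ciphertext from the packed file instead.
func aes256CBCEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

// RecoverPayload runs the full chain: undo the XOR stages, then AES-decrypt.
func RecoverPayload(blob []byte, stageKeys [][]byte, aesKey, iv []byte) ([]byte, error) {
	return aes256CBCDecrypt(aesKey, iv, unpackStages(blob, stageKeys))
}

// BuildSample constructs a packed blob for payload with the same layering so the
// round trip can be checked. Every value fed to it here is constructed test data.
func BuildSample(payload []byte, stageKeys [][]byte, aesKey, iv []byte) ([]byte, error) {
	ct, err := aes256CBCEncrypt(aesKey, iv, payload)
	if err != nil {
		return nil, err
	}
	for _, k := range stageKeys {
		xorBlockPass(ct, k) // XOR passes commute, so forward order is fine here
	}
	return ct, nil
}

func main() {
	payload := []byte("constructed placeholder payload: not a real sample")
	stageKeys := [][]byte{[]byte("stage-one"), {0x5a}, []byte("third-stage-key")}
	key := sha256.Sum256([]byte("constructed-sample-key")) // 32 bytes for AES-256
	iv := bytes.Repeat([]byte{0x01}, aes.BlockSize)
	blob, _ := BuildSample(payload, stageKeys, key[:], iv)
	got, err := RecoverPayload(blob, stageKeys, key[:], iv)
	fmt.Printf("recovered %d bytes, err=%v, match=%v\n", len(got), err, bytes.Equal(got, payload))
}
```

The useful property for an analyst is that each layer is checked independently: a wrong stage key shows up as garbage before AES is even attempted, and a wrong AES key or mode surfaces as a padding error rather than a silent bad payload.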
Kaspersky also saw evidence of Cobalt Strike (a penetration testing and attack simulation framework often used by threat actors) being delivered with the Loncom packer.
Packers are frequently used by threat actors to disguise well-known malware programs that would otherwise be detected by anti-virus. When a packer enables malware to evade all common anti-virus solutions, threat actors describe it as “fully undetectable” or “FUD.” While files protected by this packer can be difficult for anti-virus products to detect, the malware payloads can still be caught after the packer has loaded them, through Endpoint Detection and Response (EDR) monitoring of workstations and servers for unusual program behavior that indicates an attack. From an analyst’s standpoint, tracking packers such as Loncom is incredibly useful for seeing which threat actors are using the packer and for discovering new malware payloads.