Researchers at Kaspersky have released a technical analysis report detailing a malware packer named Loncom. This packer uses NSIS software for packing and loading shellcode and has been seen loading malware used by Advanced Persistent Threat (APT) groups. Microsoft’s Crypto API is used to decrypt the final payload.
Through a series of exclusive-or (XOR)-based block decryptions, the shellcode gradually unpacks itself as it runs. Eventually, after loading the libraries it needs, Loncom decrypts the final payload using AES-256. According to Kaspersky researchers, payloads include:
- Mokes – AKA SmokeLoader, a malware loader
- Buerak – Another malware downloader
- DarkVNC – A VNC-based backdoor
- REvil – Ransomware also known as Sodinokibi
Kaspersky saw evidence of Cobalt Strike (a penetration testing and attack simulation framework often used by threat actors) used with the Loncom Packer.