Summary

  • A new Packer-as-a-Service (PaaS) called HeartCrypt has appeared on underground forums, which uses legitimate binaries as hosts for malicious code, so that malware can evade AV detection.
  • Unit 42 discovered the service in July 2023, and it began appearing in the wild in February 2024: it is now used in hundreds of malware campaigns and by at least 45 different malware families.
  • HeartCrypt packs the malicious code by adding position-independent code (PIC) as a resource to a legitimate binary, and then hijacking the control flow to execute the packed code.
  • It employs multiple layers of obfuscation and encoding within the PIC payloads, making analysis extremely challenging.
  • Furthermore, the service provides generic AV evasion techniques as part of the packing service.
  • Customers can tailor the final payload to their intended target, and can submit payloads for packing via Telegram.
  • This lowers the barrier to entry for malware operators, increasing the volume and success of infections.
  • Unit 42 has published a detection signature for HeartCrypt, and has identified over 2,000 malicious samples to date.
  • The article contains extensive technical analysis, with many useful images to explain the complex packing mechanism.