Afonso Infante's AI & Cybersecurity Blog

Demystifying AI and Cybersecurity: Insights from an Industry Expert

Crypted Hearts: Unpacking the HeartCrypt Malware-as-a-Service

The cybersecurity landscape is constantly evolving, with new threats emerging at an alarming rate. One such threat that has recently surfaced is HeartCrypt, a sophisticated packer-as-a-service (PaaS) operation meticulously designed to obfuscate malware and evade detection. This blog post delves into the intricacies of HeartCrypt, exploring its inner workings, the threat it poses, and how to protect yourself.

What is HeartCrypt?

HeartCrypt is a relatively new PaaS that has been under development since July 2023 and officially launched in February 2024. Its primary function is to “pack” malicious code into seemingly benign executable files, making it harder for traditional antivirus software to detect the threat. This technique allows the malware to disguise itself as a legitimate application, effectively hiding in plain sight and increasing the likelihood of successful infection. HeartCrypt was initially discovered through underground forums and reports by security researchers, highlighting the clandestine nature of its development and distribution. This service is offered to cybercriminals on underground forums and through Telegram, charging $20 per file to pack, and supports both Windows x86 and .NET payloads.

How HeartCrypt Works

HeartCrypt employs a multi-layered approach to conceal malware, making it challenging for security researchers to analyze and understand its behavior. Imagine a series of nested boxes, each with its own lock and key. To get to the actual malicious code, you need to unlock each box one by one. This is essentially how HeartCrypt operates.

The process begins with injecting malicious code into a legitimate executable file. This modified file then undergoes a three-step transformation:

  1. Code Injection: A block of position-independent code (PIC), which can execute from any memory location, is inserted into the binary’s .text section. Think of this as adding a hidden compartment to an existing program.
  2. Control Flow Hijacking: The normal execution flow of the original binary is altered, typically by modifying the entry point to redirect execution to the malicious PIC. This is like changing the program’s instructions to make it run the hidden compartment’s code first.
  3. Resource Addition: Several resources, disguised as BMP image files, are added to the binary. Each resource plays a specific role in executing the malware. These resources are like hidden compartments within the hidden compartment, each containing a piece of the puzzle.

The injected PIC utilizes various control flow obfuscation techniques, such as non-returning functions, stack strings, dynamic API resolution, and numerous direct jump instructions. This makes it incredibly difficult for security researchers to analyze the code, both statically and dynamically. Imagine trying to follow a set of instructions that constantly jump around and lead you in circles. This is the level of complexity introduced by HeartCrypt’s obfuscation techniques.

The PIC itself consists of two layers, with an encoded block wrapped in a decryption routine. The first layer uses specific byte patterns to identify the start and end of the encoded block, performs a substitution operation on each byte, and then passes execution to the decrypted block. The decrypted block, employing the same obfuscation techniques, iterates through the added resources and executes the code within each one.

Each resource contains PIC disguised as a BMP image file: it starts with a standard BMP header, followed by a repeating hexadecimal pattern for padding, and then the actual PIC. The PIC within each resource also has two layers with similar obfuscation techniques. These resources perform various functions, including:

  • Sandbox Detection: The first resource attempts to load non-existent DLLs to detect if the code is running in a sandbox environment, a controlled environment used by security researchers to analyze malware.
  • Anti-Emulation: The second resource performs a series of mathematical calculations to check if the code’s execution loop has been emulated or modified, further hindering analysis.
  • Windows Defender Evasion: The third resource leverages virtual DLLs to detect and evade Windows Defender’s emulator, a component of the security software that simulates the execution of code to identify malicious behavior.
  • Payload Decryption and Injection: The fourth resource decrypts the final payload, which is stored in another resource as an encoded executable. It then injects this payload into a running process using techniques like process hollowing, where the malicious code replaces the legitimate code of a running program.
  • Persistence: The fifth resource, present in some samples, establishes persistence on the infected system by creating a registry key that automatically launches the malware upon startup. This ensures that the malware remains active even after the computer is restarted.

It’s important to note that while each resource generally performs a specific function, the fifth resource (persistence) is optional and not present in every HeartCrypt sample.

Who is Behind HeartCrypt and Why?

Unfortunately, the specific threat actors behind HeartCrypt remain unidentified. However, given the sophistication and the PaaS model, it’s likely that a group with significant technical expertise and resources is operating this service. Their motives are likely financial, as the majority of HeartCrypt’s customers are malware operators involved in information theft, espionage, and other malicious activities. HeartCrypt has been observed packing a wide variety of malware families, including LummaStealer, Remcos, and Rhadamanthys, indicating its widespread use in the cybercrime ecosystem.

Detecting and Preventing HeartCrypt Infections

While HeartCrypt presents a significant challenge to traditional security measures, there are ways to detect and prevent infections. Palo Alto Networks offers products and services like Cortex XDR, XSIAM, and Advanced WildFire that provide enhanced protection against such threats.

In addition to utilizing robust security solutions, proactive threat hunting is crucial for identifying and mitigating HeartCrypt infections. This involves actively searching for indicators of compromise, such as unique byte patterns and packer characteristics, to detect obfuscated malware.

Here are some general best practices for preventing malware infections:

  • Keep your software updated: Regularly update your operating system and applications to patch security vulnerabilities that malware could exploit.
  • Educate yourself about common threats: Learn to recognize phishing scams, social engineering tactics, and other common malware delivery methods.
  • Back up your data: Regularly back up your important data to an external device or cloud storage to minimize the impact of a potential malware infection.

Conclusion

HeartCrypt is a prime example of how cybercriminals are constantly evolving their tactics to evade detection and maximize their impact. Its PaaS model lowers the barrier to entry for malware operators, making it easier for them to spread their malicious creations and potentially increase the volume and success of infections. This highlights the growing need for advanced security measures and proactive defense strategies to combat the evolving threat landscape. By understanding how HeartCrypt works and employing appropriate security measures, individuals and organizations can better protect themselves from this emerging threat.

— Afonso Infante (afonsoinfante.link)
