In July 2024, Sentinel Labs detailed the “FIN7 reboot” tooling, highlighting AvNeutralizer, an anti-EDR tool, and its private packer PackXOR. The analysis shows PackXOR’s broader use beyond FIN7, including obfuscating payloads such as XMRig and the R77 rootkit, with an unpacker tool released on GitHub for the community. #FIN7 #AvNeutralizer #PackXOR #XMRig #R77Rootkit #SilentCryptoMiner #HiddenMalwareBuilder #xssis #exploitin #RAMP #SentinelLabs
Keypoints
- AvNeutralizer is an anti-EDR tool used by FIN7 to terminate endpoint detection software using vulnerable drivers from the kernel.
- PackXOR is a private packer associated with AvNeutralizer that obfuscates and conceals payloads, and may be used for payloads beyond FIN7.
- AvNeutralizer/PackXOR have been traded on underground forums since 2022, including xss.is, exploit.in, and RAMP, linking them to FIN7.
- Sentinel Labs provides an unpacker for PackXOR on GitHub and explains the two-XOR-iteration and LZNT1-based unpacking process.
- PackXOR uses a 40-byte header with two XOR keys to structure packed data located in the PE .data section, and performs a two-step XOR/decompression sequence.
- In practice, PackXOR has been observed packing multiple payloads (e.g., XMRig cryptominer, R77 rootkit) and, in some cases, other obfuscation layers such as SilentCryptoMiner and Hidden Malware Builder.
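The keypoints above describe the unpacking sequence (two XOR passes over a blob that sits behind a 40-byte header, followed by LZNT1 decompression). The following is an added, self-contained Python illustration of that pipeline; it is not the unpacker published on GitHub and not the packer's own code. The header field layout (key 1 at offset 0, key 2 at offset 4, packed length at offset 8, padding to 40 bytes) is an assumption made for the example, as are the sample keys and the hand-encoded LZNT1 stream; carving the blob out of the PE .data section is left out.

```python
import struct

# The page states a 40-byte header with two XOR keys; the field offsets below are ASSUMED.
HEADER_SIZE = 40
HEADER_FMT = "<4s4sI"          # assumed: key1, key2, packed body length (little-endian)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating multi-byte key (symmetric: applying it twice restores data)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _lznt1_chunk(chunk: bytes) -> bytes:
    """Decompress one LZNT1 chunk: a flag byte followed by up to 8 tokens, repeated."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:          # flag bit clear: literal byte
                out.append(chunk[i])
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]   # flag bit set: back-reference
            i += 2
            # The offset/length split of the 16-bit token depends on how much
            # output the chunk has produced so far.
            p = len(out) - 1
            len_mask, off_shift = 0xFFF, 12
            while p >= 0x10:
                len_mask >>= 1
                off_shift -= 1
                p >>= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            for _ in range(length):              # byte-wise copy so overlapping runs work
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(buf: bytes) -> bytes:
    """Decompress an LZNT1 stream: 2-byte chunk headers (size-1 in bits 0-11, bit 15 = compressed)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if header == 0:                          # zero header terminates the stream
            break
        size = (header & 0xFFF) + 1
        chunk = buf[pos:pos + size]
        pos += size
        out += _lznt1_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def unpack_blob(blob: bytes) -> bytes:
    """Header -> two XOR passes -> LZNT1, using the assumed header layout above."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob shorter than the 40-byte header")
    key1, key2, packed_len = struct.unpack_from(HEADER_FMT, blob, 0)
    body = blob[HEADER_SIZE:HEADER_SIZE + packed_len]
    if len(body) != packed_len:
        raise ValueError("packed body is truncated")
    stage1 = xor_stream(body, key1)              # first XOR iteration
    stage2 = xor_stream(stage1, key2)            # second XOR iteration
    return lznt1_decompress(stage2)              # final decompression step


# --- constructed sample input (not taken from any real sample) -----------------
SAMPLE_PLAINTEXT = b"ABCABCABCABC"
# Hand-encoded LZNT1: header 0xB005 (compressed, 6 data bytes), flags 0x08,
# literals 'A','B','C', then a back-reference token 0x2006 (offset 3, length 9).
SAMPLE_LZNT1 = bytes.fromhex("05b0 08 414243 0620")
KEY1 = b"\x13\x37\xc0\xde"   # constructed sample key
KEY2 = b"\x0f\xa1\x5e\x99"   # constructed sample key


def build_sample_blob() -> bytes:
    """Apply the XOR layers in reverse order to produce a blob that unpack_blob() can undo."""
    body = xor_stream(xor_stream(SAMPLE_LZNT1, KEY2), KEY1)
    header = struct.pack(HEADER_FMT, KEY1, KEY2, len(body)).ljust(HEADER_SIZE, b"\x00")
    return header + body


if __name__ == "__main__":
    print(unpack_blob(build_sample_blob()))
```

Because XOR is symmetric, the same routine both wraps and unwraps the two key layers; the only asymmetric step is LZNT1, so a decompressor is all an analyst needs. Swapping the assumed header offsets for the real ones is the only change required to adapt this to a recovered sample.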
MITRE Techniques
- [T1055] Process Injection – AvNeutralizer uses vulnerable drivers to terminate EDR processes from the kernel. “AvNeutralizer uses vulnerable drivers to terminate EDR processes from the kernel.”
- [T1027] Obfuscated Files or Information – PackXOR is used to obfuscate payloads, hindering analysis and detection. “PackXOR is used to obfuscate payloads, hindering analysis and detection.”
- [T1045] Software Packing – PackXOR compresses and encrypts malicious payloads to conceal them. “PackXOR compresses and encrypts malicious payloads to conceal them.”
Indicators of Compromise
- [SHA-256] context – Packed/Unpacked PackXOR payloads – 0506372e2c2b6646c539ac5a08265dd66d0da58a25545e444c25b9a02f8d9a44, cf1d985a33b39d332d4bac33d971a004dcd18cea82ff1b291c6a5046e073414d, and 1 more hash
- [File name] context – 050637.exe, 050637_unpacked.exe
- [URL] context – https://github.com/HarfangLab/iocs/tree/main/packxor, https://github.com/HarfangLab/iocs/tree/main/packxor/unpacker_packXOR.py
- [Domain] context – xss.is, exploit.in, and RAMP
Read more: https://harfanglab.io/insidethelab/unpacking-packxor/