Themida Packed


Shinyoung Gedris

Aug 3, 2024, 12:09:08 PM8/3/24
to foncmadtale


This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see -cert.gov/tlp.

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as SLICKSHOES. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This sample is a Themida-packed dropper that decodes and drops a file "C:\Windows\Web\taskenc.exe", which is a Themida-packed beaconing implant. The dropper does not execute the dropped file, nor does it schedule any tasks to run the malware. The dropped beaconing implant uses an indigenous network encoding algorithm and is capable of many features, including conducting system surveys, file upload/download, process and command execution, and screen captures.

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or s...@us-cert.gov.

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

I have a DLL that I'm applying some protections to, but when I do the protection with Themida, whenever I open the executable I get error 0xc0000005. If I go back to the normal DLL without Themida protection, the executable opens normally.

You should pack your executable and use the XBundler feature of Themida to embed your packed DLL. If that doesn't suit your needs, you need to use "Protect as DLL Plugin" to increase compatibility with host applications if you're injecting your DLL.

I need to protect my driver and application. I need good performance and virtualization. I saw some opinions about VMProtect and Themida: some people said VMProtect is not good (it is not hard to devirtualize) and that Themida is better at virtualization than VMProtect.

So far I haven't seen an unpacked or devirtualized driver from any of the protectors above. As far as I know, only dynamic devirtualizers exist, and I don't see how those would work in kernel mode. Only a static devirtualizer would work for kernel mode, but I'm not sure any such thing exists.

You can run Themida on a .sys file, and it will do some impressive stuff and make it a few MB bigger, but after it's finished the output driver will import from kernel32.dll and user32.dll. Good luck with that.

VMProtect is the only option that has actual first class support for kernel mode drivers. Beware that its anti-debug (meaning anti-kernel debugger) is a bit of a joke IMO, definitely when compared to its user mode counterpart. But VMProtect is absolutely not easy to devirtualize, contrary to what people may have told you, so in the end you might be able to bypass the anti-debug protection in about an hour but it won't really help you in any way at all because that's not where the difficulty lies.

VMProtect's obfuscation is a joke. Dead-code elimination will give you semi-original code. Minor stack optimization tweaks and a few constant foldings will get you the original. The handlers are super small and easily pattern-scannable. It's a very easy VM to devirtualize; it took me less than a week to write a devirtualizer for VMProtect (working on it only in my spare time).

Themida's obfuscation is pretty rough. Also, Themida has 3 different engines for their newest generation of VMs. To fully devirtualize the newer Themida (and to support all executables), you must do the following:

While this all sounds very impressive, since the topic was about drivers, I'm going to stick with the protector that generates .sys files that do not import from user mode DLLs.

Are you serious?

It was mostly in response to the "But VMProtect is absolutely not easy to devirtualize, contrary to what people may have told you, so in the end you might be able to bypass the anti-debug protection in about an hour but it won't really help you in any way at all because that's not where the difficulty lies."

However, I have never attempted (de)virtualization of drivers, nor even protection of drivers in general, so I wouldn't know too much about the subject. However, I do agree that importing user-mode system files into kernel-mode space seems way too exploitable.
