HeartCrypt

The process trace indicates that the initial infection could be related to the zero-day RCE exploits... which affected ConnectWise and BeyondTrust products.

This infection chain starts with a phishing email... This email claims to be from an Italian lawyer contacting the recipient about alleged copyright infringement... The malicious content was hosted on a Google Drive in a password-protected ZIP archive; the password was included in the phishing email.

When clicked on the link to the PDF document, the following shortened URL is opened... This redirects to the following Dropbox download... The message also contains a well-hidden download link — in this case the dot at the end of the text.

This PowerShell command downloads and executes another PowerShell script... This script downloads two further files.

To modify the registry, HeartCrypt uses either Windows API functions or the reg add command via cmd.exe.

Secondly, HeartCrypt hijacks the control flow within the original binary. This is most often achieved by altering the start() function, the entry point for many executables. The modification typically involves adding a call or jmp instruction which redirects execution to the newly added PIC.

To modify the registry, HeartCrypt uses either Windows API functions or the reg add command via cmd.exe.

the code uses API functions such as CreateProcessW... to load and execute the final payload.

The fifth resource appears to be optional... Its purpose is to establish persistence on the system using the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key... It then sets the CurrentVersion\Run key to point to this file.

The identified cases of these campaigns were targeting Italian victims and feature a LNK shortcut file, PowerShell, and batch scripts in the infection chain... The shortcut file has the icon of a PDF file, but it really executes a PowerShell command.

the code uses API functions such as CreateProcessW, VirtualAlloc, GetThreadContext, NtCreateThreadEx, and CreateRemoteThread to load and execute the final payload.

While process hollowing is the primary method of injection, we have identified a sample that references NtQueueApcThread, suggesting that the developer has invested effort into diversifying the injection methods.

If the packed sample is .NET, HeartCrypt will attempt to launch csc.exe (or in some cases AppLaunch.exe) from the Microsoft .NET Framework directory. It then performs process hollowing on the spawned process, injecting and executing the final payload within it. If the sample is not a .NET assembly, HeartCrypt spawns a copy of itself and injects the final payload using a similar process hollowing technique.

the code uses API functions such as CreateProcessW... to load and execute the final payload.

The fifth resource appears to be optional... Its purpose is to establish persistence on the system using the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key... It then sets the CurrentVersion\Run key to point to this file.

The identified cases of these campaigns were targeting Italian victims and feature a LNK shortcut file, PowerShell, and batch scripts in the infection chain... The shortcut file has the icon of a PDF file, but it really executes a PowerShell command.

The injected PIC leverages multiple control flow obfuscation methods to hinder analysis. These include: Stack strings Dynamic API resolution Hundreds of direct jmp instructions Non-returning functions Arithmetic operations that have no effect on program execution Junk bytes after jmp and call instructions, impeding disassembly and decompilation

HeartCrypt was originally discovered through underground forums... it has been used to pack over 2,000 malicious payloads... The packed payload was consistently added as a resource to a legitimate binary... Each resource embedded in the binary contains PIC disguised as a bitmap (BMP) image file. This begins with a standard BMP header followed by a repeating hexadecimal pattern for padding.

The injected PIC leverages multiple control flow obfuscation methods to hinder analysis. These include: Stack strings Dynamic API resolution...

Encrypted malicious payloads inserted as an additional resource... It also inserts a few additional Portable Executable (PE) resources. These resources are disguised as bitmap files and start with a BMP header, but afterwards the malicious content follows.

Malware impersonating, subverting, and embedding itself in legitimate software applications... The HeartCrypt packer takes legitimate executables and modifies them by injecting malicious code in the .text section.

the code uses API functions such as CreateProcessW, VirtualAlloc, GetThreadContext, NtCreateThreadEx, and CreateRemoteThread to load and execute the final payload.

While process hollowing is the primary method of injection, we have identified a sample that references NtQueueApcThread, suggesting that the developer has invested effort into diversifying the injection methods.

If the packed sample is .NET, HeartCrypt will attempt to launch csc.exe (or in some cases AppLaunch.exe) from the Microsoft .NET Framework directory. It then performs process hollowing on the spawned process, injecting and executing the final payload within it. If the sample is not a .NET assembly, HeartCrypt spawns a copy of itself and injects the final payload using a similar process hollowing technique.

When it finds it, it loads the driver and terminates the processes and services from the target list... It also attempts to kill processes such as MsMpEng.exe, SophosHealth.exe, SAVService.exe, and sophosui.exe.

The fourth resource decrypts and injects the final payload... The payload is a Windows executable binary encoded via a single-byte XOR operation rotating over a key hard-coded in the resource PIC as a stack string. After decryption, the PIC parses the decoded PE header...

the DLL file as a standalone component... is copied to C:\Users\{user}\OneDrive\Documents\AvivaUpdate_0001.dll... and registered for startup with the following command line: rundll32.exe C:\Users\{user}\OneDrive\Documents\AvivaUpdate_0001.dll,EntryPoint

Resource 1: Anti-Dependency Emulation... attempts to load non-existent DLLs via LoadLibraryW... If the sandbox responds by generating a dummy DLL... HeartCrypt will call ExitProcess... Resource 2: Sandbox Loop Emulation Check... If this flag is not set, the process will call ExitProcess. Resource 3: Windows Defender Evasion... If HeartCrypt can load this API from kernel32, it can assume the sample is running within the Defender emulator.

Secondly, HeartCrypt hijacks the control flow within the original binary. This is most often achieved by altering the start() function, the entry point for many executables. The modification typically involves adding a call or jmp instruction which redirects execution to the newly added PIC.

Here we see a DynamicShellcode alert... The process trace revealed that the malicious killer was executed from the JWrapper-Remote Access component of SimpleHelp

The resource enters a while loop that performs a large number of mathematical calculations on an initial hard-coded value... The resulting hash is checked against an expected value. If the two values match, the sample will set a flag value within memory to indicate the loop was not emulated or modified in any way. If this flag is not set, the process will call ExitProcess.

To modify the registry, HeartCrypt uses either Windows API functions or the reg add command via cmd.exe.

It then proceeds to create a run key in the \SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location.

Resource 1: Anti-Dependency Emulation... attempts to load non-existent DLLs via LoadLibraryW... If the sandbox responds by generating a dummy DLL... HeartCrypt will call ExitProcess... Resource 2: Sandbox Loop Emulation Check... If this flag is not set, the process will call ExitProcess. Resource 3: Windows Defender Evasion... If HeartCrypt can load this API from kernel32, it can assume the sample is running within the Defender emulator.

The resource enters a while loop that performs a large number of mathematical calculations on an initial hard-coded value... The resulting hash is checked against an expected value. If the two values match, the sample will set a flag value within memory to indicate the loop was not emulated or modified in any way. If this flag is not set, the process will call ExitProcess.

The malicious content was hosted on a Google Drive in a password-protected ZIP archive; the password was included in the phishing email... The file that was downloaded from this URL is a ZIP archive.

This PowerShell command downloads and executes another PowerShell script... The downloader batch file... downloads and executes the final payload from: hxxps://www.dropbox[.]com/.../runner.exe

The process trace indicates that the initial infection could be related to the zero-day RCE exploits... which affected ConnectWise and BeyondTrust products.

In today’s multi-stage attacks, neutralizing endpoint security solutions is a critical step in the process, allowing threat actors to operate undetected. Since 2022, we’ve seen an increase in the sophistication of malware designed to disable EDR systems on an infected system.

Cybercriminals are increasingly bringing their own drivers — either exploiting a vulnerable legitimate driver or using a custom-built driver to disable endpoint detection and response (EDR) systems and evade detection or prevention capabilities.