malsploit Posted September 13, 2015 Report Posted September 13, 2015 Warning: The repository associated with this post contains malicious binaries (core, core_packed, soldier,soldier_packed) for educational purposes. Don't go around toying with them if you don't know what you're doing.A couple of days ago i came across this post by Ethan Heilman discussing Hacking Team's crypter named 'core-packer'. The crypter's source was leaked online after the Hacking Team compromise of July 2015. As Heilman notes despite the name 'core-packer' is a crypter as it doesn't perform compression but rather uses anti-analysis functionality (including encryption) to obfuscate malicious PEs in order to evade anti-virus products. Taking a look at 'core-packer' provides an interesting glimpse at the quality (or lack thereof) of 'government-grade' commercial malware products.Heilman's discussion of the crypter is fairly complete and mentions the important distinction between the common use of cryptography and the use of cryptography in anti-anti-virus techniques: while the former seeks to guarantee security properties like confidentiality, integrity, etc. (preferably on a long-term basis) the latter simply seeks to force detection solutions to integrate code that recognizes the packer, locates the cryptographic keying material and applies the decryption process in the appropriate fashion in order to obtain the original malicious binary in the hopes that the performance penalty imposed by integrating this kind of code for every crypter out there is simply too much. So while the usage of ciphers likeTEA or RC4 would be ill-advised (to say the least) in regular cryptographic contexts in the case of 'core-packer' that's not much of an issue. Given that the keying material is stored together with the ciphertext the hardly is the guarantee of long-term confidentiality.Read more: https://samvartaka.github.io/malware/2015/09/13/hackingteam-crypter/ Quote
