Recent findings from Palo Alto Networks' Unit 42 reveal several multi-stage malware campaigns that employ advanced encryption techniques to evade detection. Threat actors are increasingly combining the Advanced Encryption Standard (AES) with code virtualization to protect malicious payloads, creating a layered obfuscation chain that challenges traditional security measures.

Unit 42's analysts noted that the chain typically begins with an encrypted payload stored in the PE overlay. That overlay holds the AES key, the initialization vector, and the ciphertext of the second stage, and the main .NET code locates them through an ASCII string marker that delimits the encryption parameters; it then decrypts the hidden payload using AES in cipher block chaining (CBC) mode. The XWorm samples examined went a step further and encrypted their configuration parameters with AES in Electronic Codebook (ECB) mode, using hard-coded keys stored in variables named "Mutex".

The shift from conventional obfuscation to these techniques marks a significant evolution in malware sophistication, showing how threat actors continue to develop more resilient ways of shielding their code from analysis and detection.
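To make the described chain concrete from an analyst's side, the following Go program is an added example written for this page; it is not Unit 42's tooling and not code taken from any sample. It locates a marker in a PE overlay, reads the AES key, IV and ciphertext that follow it, decrypts the second stage with AES-CBC, and separately decrypts an ECB-encrypted configuration value under a hard-coded key. The marker string `##AES-PARAMS##`, the field order and lengths after the marker, and all key material are assumptions constructed for the example; the article does not publish the real values, so a practitioner would replace them with what static analysis of a given sample shows. Padding failures are surfaced as errors because they are the usual sign of a wrong key or IV during unpacking.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Marker is a placeholder for the sample-specific ASCII delimiter; the real
// string is not quoted in the article and must be read from the sample.
const Marker = "##AES-PARAMS##"

// OverlayParams is what the analyst needs to recover the second stage.
type OverlayParams struct {
	Key, IV, Ciphertext []byte
}

// ParseOverlay finds Marker in the PE overlay and reads the fields after it.
// The layout is assumed for this example: marker | key (32) | IV (16) |
// ciphertext length (uint32 LE) | ciphertext.
func ParseOverlay(overlay []byte) (*OverlayParams, error) {
	i := bytes.Index(overlay, []byte(Marker))
	if i < 0 {
		return nil, errors.New("marker not found in overlay")
	}
	p := overlay[i+len(Marker):]
	const hdr = 32 + 16 + 4
	if len(p) < hdr {
		return nil, errors.New("overlay truncated before ciphertext")
	}
	n := binary.LittleEndian.Uint32(p[48:52])
	body := p[hdr:]
	if n == 0 || n%aes.BlockSize != 0 || uint64(n) > uint64(len(body)) {
		return nil, fmt.Errorf("implausible ciphertext length %d", n)
	}
	return &OverlayParams{Key: p[:32], IV: p[32:48], Ciphertext: body[:n]}, nil
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a block multiple")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return nil, errors.New("bad PKCS#7 padding (wrong key or IV?)")
	}
	return b[:len(b)-n], nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// DecryptCBC recovers the overlay-hidden second stage (AES-CBC).
func DecryptCBC(p *OverlayParams) ([]byte, error) {
	block, err := aes.NewCipher(p.Key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(p.Ciphertext))
	cipher.NewCBCDecrypter(block, p.IV).CryptBlocks(out, p.Ciphertext)
	return pkcs7Unpad(out)
}

// DecryptECB decrypts a configuration value encrypted with AES-ECB under a
// hard-coded key (the "Mutex" variable in the XWorm samples). ECB has no IV,
// so one recovered key unlocks every field encrypted with it.
func DecryptECB(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ECB ciphertext is not a block multiple")
	}
	out := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	return pkcs7Unpad(out)
}

// BuildSampleOverlay constructs a synthetic overlay in the assumed layout so
// the parser can be exercised offline. Test scaffolding, not a real sample.
func BuildSampleOverlay(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	var l [4]byte
	binary.LittleEndian.PutUint32(l[:], uint32(len(ct)))
	var buf bytes.Buffer
	buf.WriteString("<stand-in for the PE image bytes preceding the overlay>")
	buf.WriteString(Marker)
	buf.Write(key)
	buf.Write(iv)
	buf.Write(l[:])
	buf.Write(ct)
	return buf.Bytes()
}

func main() {
	key := bytes.Repeat([]byte{0x41}, 32) // constructed key, not from any sample
	iv := bytes.Repeat([]byte{0x42}, 16)
	overlay := BuildSampleOverlay(key, iv, []byte("constructed second-stage bytes"))
	p, err := ParseOverlay(overlay)
	if err != nil {
		panic(err)
	}
	stage2, err := DecryptCBC(p)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes: %q\n", len(stage2), stage2)
}
```

In practice the overlay is everything past the last section's raw end in the PE file, so `ParseOverlay` would be fed that slice; the recovered second stage can then be hashed, scanned and analysed statically, which is where detection content for the later virtualized stages is built.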
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 04 Mar 2025 08:45:04 +0000