Changes to heartcrypt-packed malware

Intel Name: Changes to heartcrypt-packed malware

Date of Scan: January 8, 2025

Impact: Medium

Summary:
Recent HeartCrypt-packed samples change how the payload is hidden. Previously, the position-independent code (PIC) was stored in the PE file's resource data; it is now split across two separate files disguised as BMP images. Each file consists of a fake BMP header, followed by junk data, an XOR key, and XOR-encrypted data. At runtime the loader decrypts each file's data with its key and concatenates the two results to form the final payload. Because neither carrier file alone contains the full PIC and the BMP header steers simple file-type checks away from the content, this layout makes static detection and extraction harder than the earlier resource-based storage.
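The following is an added example written for this advisory, not code from the report or from the HeartCrypt packer itself. It shows how an analyst would pull the PIC out of two such carrier files and how a triage script can spot that a "BMP" is not a real image. The exact layout is an assumption made here for illustration: a 14-byte fake BITMAPFILEHEADER whose bfOffBits field points past the junk at a 2-byte key length, the key, and then the XOR-encrypted chunk running to end of file. Real samples will need the offsets and key format adjusted after looking at the loader's code. The sample carriers are constructed inside the script.

```python
import os
import struct

# Assumed container layout (an assumption for this example, not HeartCrypt's real format):
#   0..13  : fake BITMAPFILEHEADER: "BM", bfSize, bfReserved1, bfReserved2, bfOffBits
#   14..53 : fake 40-byte BITMAPINFOHEADER (contents irrelevant to the loader)
#   54..   : junk bytes of variable length
#   then   : 2-byte little-endian key length, followed by the XOR key
#   then   : XOR-encrypted chunk running to end of file
# We assume bfOffBits points at the key-length field, which is how the loader skips the junk.
FILE_HDR_LEN = 14
DIB_HDR_LEN = 40


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_fake_bmp(chunk: bytes, key: bytes, junk: bytes) -> bytes:
    """Construct one carrier file in the assumed layout (used only to generate samples)."""
    off_bits = FILE_HDR_LEN + DIB_HDR_LEN + len(junk)
    body = junk + struct.pack("<H", len(key)) + key + xor_bytes(chunk, key)
    total = FILE_HDR_LEN + DIB_HDR_LEN + len(body)
    file_hdr = struct.pack("<2sIHHI", b"BM", total, 0, 0, off_bits)
    # Plausible-looking DIB header: biSize=40, 64x64 pixels, 1 plane, 24 bpp, rest zero.
    dib_hdr = struct.pack("<IiiHHIIiiII", DIB_HDR_LEN, 64, 64, 1, 24, 0, 0, 0, 0, 0, 0)
    return file_hdr + dib_hdr + body


def extract_chunk(blob: bytes) -> bytes:
    """Locate key and ciphertext inside one carrier and return the decrypted chunk."""
    if len(blob) < FILE_HDR_LEN + DIB_HDR_LEN:
        raise ValueError("carrier too short for BMP headers")
    magic, _size, _r1, _r2, off_bits = struct.unpack_from("<2sIHHI", blob, 0)
    if magic != b"BM":
        raise ValueError("missing BM magic")
    if off_bits < FILE_HDR_LEN + DIB_HDR_LEN or off_bits + 2 > len(blob):
        raise ValueError("bfOffBits does not point inside the file")
    (key_len,) = struct.unpack_from("<H", blob, off_bits)
    key_start = off_bits + 2
    key = blob[key_start:key_start + key_len]
    if key_len == 0 or len(key) != key_len:
        raise ValueError("truncated or empty key")
    return xor_bytes(blob[key_start + key_len:], key)


def recover_payload(first: bytes, second: bytes) -> bytes:
    """Decrypt both carriers and concatenate them in order to rebuild the PIC."""
    return extract_chunk(first) + extract_chunk(second)


def fake_bmp_indicators(blob: bytes) -> list:
    """Cheap triage checks: reasons this 'BMP' is unlikely to be a real image."""
    findings = []
    _m, size, _r1, _r2, off_bits = struct.unpack_from("<2sIHHI", blob, 0)
    bi_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", blob, FILE_HDR_LEN)
    if size != len(blob):
        findings.append("declared bfSize %d != actual %d" % (size, len(blob)))
    # Pixel data should start right after the DIB header (plus a palette only when bpp <= 8).
    if bpp > 8 and off_bits != FILE_HDR_LEN + bi_size:
        findings.append("bfOffBits %d leaves a gap after the DIB header (junk?)" % off_bits)
    # Real pixel rows are padded to 4 bytes; compare with what the file actually carries.
    row_bytes = ((abs(width) * bpp + 31) // 32) * 4
    expected = row_bytes * abs(height)
    actual = len(blob) - off_bits
    if actual != expected:
        findings.append("pixel area %d bytes, header implies %d" % (actual, expected))
    return findings


if __name__ == "__main__":
    # Constructed sample: stand-in "PIC" bytes split across two carriers (not real malware).
    pic = bytes(range(256)) * 3
    half = len(pic) // 2
    a = build_fake_bmp(pic[:half], b"\x5a\xa5\x3c", os.urandom(37))
    b = build_fake_bmp(pic[half:], b"\x10\x32\x54\x76", os.urandom(11))
    assert recover_payload(a, b) == pic
    print("recovered %d payload bytes" % len(pic))
    for finding in fake_bmp_indicators(a):
        print("indicator:", finding)
```

The indicator checks are deliberately header-only so they can run over a large drop directory quickly; a mismatch between the declared image geometry and the bytes actually present after bfOffBits is the kind of inconsistency a real image encoder never produces, and it surfaces these carriers without needing the loader's key logic.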

More Details