Intel Name: Changes to HeartCrypt-packed malware
Date of Scan: January 8, 2025
Impact: Medium
Summary: Recent changes to HeartCrypt-packed malware include a shift in how the malware payload is hidden. Previously, the position-independent code (PIC) was stored in the PE file’s resource data; now the payload is split across two separate files disguised as BMP images. Each file consists of a fake BMP header, followed by junk data, an XOR key, and XOR-encrypted data. The encrypted data from both files is decrypted and combined to form the final payload, improving the packer's evasion.
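As an added illustration (not from this report and not HeartCrypt's own code), the Python below models the carrier layout described above under assumed sizes (a 54-byte header, 16 bytes of junk, an 8-byte key; the report gives the order but no offsets), with a defender-side triage check that flags carriers whose BMP header does not describe the bytes that follow it, and an extractor that decrypts and recombines the two stages from constructed sample files.

```python
import struct

# Assumed carrier layout (the report states the order but no sizes): a 54-byte fake
# BMP header, JUNK_LEN bytes of junk, a KEY_LEN-byte XOR key, then the XOR-encrypted stage.
HEADER_LEN, JUNK_LEN, KEY_LEN = 54, 16, 8

def bmp_header(width: int, height: int, file_size: int, off_bits: int = HEADER_LEN) -> bytes:
    """14-byte BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER (24 bpp, uncompressed)."""
    return (struct.pack("<2sIHHI", b"BM", file_size, 0, 0, off_bits)
            + struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, 0, 2835, 2835, 0, 0))

def bmp_header_is_consistent(blob: bytes) -> bool:
    """Triage check: in a genuine BMP, bfSize and offset + pixel-data size equal the file length."""
    if len(blob) < HEADER_LEN or blob[:2] != b"BM":
        return False
    bf_size, _, _, off_bits = struct.unpack_from("<IHHI", blob, 2)
    width, height, _, bpp = struct.unpack_from("<iiHH", blob, 18)
    row_bytes = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    return bf_size == len(blob) and off_bits + row_bytes * abs(height) == len(blob)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def extract_stage(blob: bytes) -> bytes:
    """Skip the fake header and junk, read the inline key, decrypt what follows."""
    key_at = HEADER_LEN + JUNK_LEN
    key = blob[key_at:key_at + KEY_LEN]
    return xor_bytes(blob[key_at + KEY_LEN:], key)

def recover_payload(carriers: list[bytes]) -> bytes:
    """Concatenate the decrypted stages in carrier order to rebuild the PIC payload."""
    return b"".join(extract_stage(c) for c in carriers)

# Constructed sample carriers (not real HeartCrypt artefacts): the header's declared
# size and dimensions do not match the bytes that actually follow it.
def build_carrier(stage: bytes, key: bytes, junk: bytes) -> bytes:
    return bmp_header(64, 64, file_size=0x3036) + junk + key + xor_bytes(stage, key)

PAYLOAD = b"constructed PIC stand-in: stage bytes 0123456789"
HALF = len(PAYLOAD) // 2
CARRIERS = [build_carrier(PAYLOAD[:HALF], b"k1k1k1k1", b"\x00" * JUNK_LEN),
            build_carrier(PAYLOAD[HALF:], b"\xa5" * KEY_LEN, b"\xff" * JUNK_LEN)]
REAL_BMP = bmp_header(1, 1, file_size=HEADER_LEN + 4) + b"\x00\x00\xff\x00"  # one pixel, padded row

if __name__ == "__main__":
    print("carrier headers consistent:", [bmp_header_is_consistent(c) for c in CARRIERS])
    print("real BMP consistent:", bmp_header_is_consistent(REAL_BMP))
    print("recovered payload:", recover_payload(CARRIERS))
```

A real sample's junk length and key length would have to be recovered from the unpacker stub; the header-consistency check needs no such knowledge and works as a first-pass filter over dropped image files.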