Andromeda’s Five Star Custom Packer – Hackers’ Tactics Analyzed

Andromeda’s Five Star Custom Packer – Hackers’ Tactics Analyzed

Packer based malware is malware which is modified in the runtime memory using different and sophisticated compression techniques. Such malware is hard to detect by known malware scanners and anti-virus solutions. In addition, it is a cheap way for hackers to recreate new signatures for the same malware on the fly simply by changing the encryption/packing method. Packers themselves are not malware; attackers use this tactic to obfuscate the code’s real intention.

This document describes a sophisticated Andromeda/Gamarue Custom Packer. Andromeda first appeared in 2011 and still remains popular. As the Andromeda attack chain has been described previously, this analysis focuses on the packer and deobfuscation, which happens before the malware downloads or executes its next stage malicious payload. The recent version of the custom packer we obtained, has noteworthy and innovative functionality.