Full Report
The ransomware scene gains another would-be EDR killer
Analysis Summary
# Tool/Technique: Shanya (VX Crypt) Packer-as-a-Service
## Overview
Shanya, also marketed as "VX Crypt," is a newly observed packer-as-a-service offering advertised to, and increasingly adopted by, ransomware groups. Its purpose is to obfuscate and encrypt malware payloads so that they evade Endpoint Detection and Response (EDR) and other security controls. It is positioned as a successor to, or competitor of, services such as HeartCrypt.
## Technical Details
- Type: Tool / Packer / Crypter Service
- Platform: Windows (the AMSI bypass, manifest/UAC handling and native PE protection are all Windows-specific).
- Capabilities: Per-customer encryption algorithm and stub, AMSI bypass for .NET assemblies, anti-VM/anti-sandbox checks, runtime protection for native and 32-bit payloads, DLL sideloading (announced as a possible future addition).
- First Seen: References found on underground forums near the end of 2024.
## MITRE ATT&CK Mapping
Shanya's purpose is evasion, so most advertised features map to Defense Evasion; the identifiers below follow current ATT&CK naming.
- **TA0005 - Defense Evasion**
- T1027.002 - Obfuscated Files or Information: Software Packing (per-customer stub and encryption algorithm)
- T1620 - Reflective Code Loading (non-standard loading of modules directly into memory)
- T1497 - Virtualization/Sandbox Evasion (anti-VM and anti-sandbox checks)
- T1562.001 - Impair Defenses: Disable or Modify Tools (AMSI bypass for .NET assemblies)
- T1055 - Process Injection (only if the stub injects into another process; the advertisement confirms in-memory loading, not the target process)
- T1574.002 - Hijack Execution Flow: DLL Side-Loading (announced as a possible future capability; merged into T1574.001 "DLL" in recent ATT&CK releases)
- **TA0004 - Privilege Escalation**
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control (the advertised "UAC bypass"; see the manifest caveat under Advanced Features)
- **TA0003 - Persistence**
- T1547.001 - Registry Run Keys / Startup Folder (the autorun option; the exact mechanism is not documented)
## Functionality
### Core Capabilities
- **Customization:** Each customer receives a (relatively) unique stub and a unique encryption algorithm at purchase, so static signatures built from one customer's builds do not carry over to another's.
- **Module Loading:** Loads modules directly into memory through a non-standard path rather than the Windows loader, so the decrypted payload never touches disk.
- **Loader Uniqueness:** Separates the wrapper from the system loader stub per build (the seller's wording), so builds are advertised as not sharing one loader signature.
- **Anti-Analysis:** Implements anti-VM and anti-sandbox checks and is advertised as resisting automated unpacking in cloud sandboxes.
### Advanced Features
- **AMSI Bypass:** Functionality tailored to bypass the Antimalware Scan Interface for .NET assemblies, so that the decrypted payload is not scanned when it is loaded in memory.
- **Manifest Manipulation:** Options for setting icons and version information, and for requesting elevation through the embedded manifest, which the seller markets as a "UAC bypass." Note that a manifest `requestedExecutionLevel` of `requireAdministrator` causes a UAC prompt rather than bypassing one; whether a genuine prompt-less bypass is included is not confirmed by the advertisement.
- **Autorun/Persistence:** Option to set up persistence through an auto-run mechanism (specifics not documented).
- **Runtime Protection:** Runtime protection for native and 32-bit files, advertised as letting payloads such as RATs run undetected for extended periods (inspired by '_Indy').
- **Sideloading Potential:** The seller states that DLL sideloading against specific software may be implemented given enough vulnerability research and testing time.
## Indicators of Compromise
*(Note: The hashes below belong to early samples; no network indicators beyond the seller's contact channel were available.)*
- File Hashes (SHA-1):
- `58995a6c6042ed15f765a11160690c45f76f8271` (Early executable/crypter sample)
- `83317a42290ef8577e1980dc6085ab789dcc0c8f` (Early executable/crypter sample)
- File Names:
- `shanya_crypter.exe` (Observed in early samples)
- Morphing forms of "Shanya" (Observed in early DLL samples)
- Registry Keys: None listed. The autorun feature implies modification of standard run keys, but specific values were not documented.
- Network Indicators:
- Telegram handles containing the string "shanya" (Defanged: `[hxxps://t.me/...]`; the specific handle is withheld)
- Behavioral Indicators:
- Execution of payloads that load modules into memory through unrecognized, non-standard routines.
- Dropped files whose packed or encrypted structure (for example, high-entropy sections with a small plaintext stub) matches Shanya's profile.
- In-process tampering with AMSI (for example, patching exported scan functions in `amsi.dll`) followed by loading of a .NET assembly from memory.
## Associated Threat Actors
- Ransomware groups in general; the service is taking over the role previously held by HeartCrypt rather than being tied to one named crew.
## Detection Methods
- Signature-based detection: Signatures for known artifacts from early samples, such as the file name `shanya_crypter.exe` and the known hashes. These are cheap to deploy but low-value on their own: the name is trivial to change, and per-customer stubs and encryption algorithms mean hashes and byte patterns from one build rarely match another.
- Behavioral detection: Monitoring for non-standard in-memory module loading, AMSI tampering in processes that then load .NET assemblies, and payloads exhibiting the described runtime protection (long-lived, unscanned execution of RAT-like behavior).
- YARA rules: Rules should target the packer's own artifacts rather than the payload, such as common obfuscation patterns, custom encryption routines in the stub, and string references to the packer's internals (for example, the vulgar word seen in early DLLs and the UAC bypass code structures). Expect such rules to need refreshing as stubs are regenerated per customer.
## Mitigation Strategies
- Prevention measures: Maintain updated endpoint security capable of behavioral detection and memory inspection, since the packer's design is to defeat on-disk scanning of the payload.
- Hardening recommendations: Enforce application control so that only trusted, signed binaries execute from user-writable locations. Keep **AMSI** integration in place for every scripting host and for .NET assembly loading (available from .NET Framework 4.8 onward), and alert on processes that tamper with `amsi.dll`. Run day-to-day users without local administrator rights and set UAC to "Always notify," so a manifest that requests elevation results in a visible prompt rather than silent elevation.
## Related Tools/Techniques
- HeartCrypt (Similar packer-as-a-service previously popular among ransomware groups).
- Other commercial or underground crypters/packers designed to achieve EDR evasion.
- Malware utilizing DLL Side-Loading (T1574.002; merged into T1574.001 in recent ATT&CK releases).