Ransomware gangs use Shanya EXE packer to evade EDR

by Anika Shah - Technology
0 comments

# Shanya Packer-as-a-Service Aids Ransomware Deployment

Multiple ransomware gangs are using a packer-as-a-service platform named Shanya to help them deploy payloads that disable endpoint detection and response solutions on victim systems.

Packer services provide cybercriminals with specialized tools to package their payloads in a way that obfuscates malicious code to evade detection by most known security tools and antivirus engines.

The Shanya packer operation emerged in late 2024 and has grown in popularity significantly, with malware samples using it being spotted in Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan, according to telemetry data from Sophos Security.

Among the ransomware groups confirmed to have used it are Medusa, Qilin, Crytox, and Akira, with the latter being the one that uses the packer service most frequently enough.

Occurences of Shanya used in ransomware attacks
Shanya packer used in ransomware attacks
Source: Sophos

How Shanya works

Threat actors submit their malicious payloads to Shanya, and the service returns a “packed” version with a custom wrapper, using encryption and compression.

The service promotes the singularity of the resulting payloads, highlighting the “non-standard module loading into memory, wrapper over the system loaderStub uniqueization,” with “each customer receiving their own (relatively) unique stub with a unique encryption algorithm upon purchase.”

Junk code in the loader
junk code in the loader
Source: Sophos

The payload is inserted into a memory-mapped copy of the Windows DLL file ‘shell32.dll.’ This DLL file has valid-looking executable sections and size, and its path appears normal, but its header and .text section have been overwritten with the decrypted payload.

While the payload is encrypted inside the packed file, it is indeed decrypted and decompressed while still entirely in memory, and then inserted into the ‘shell32.dll‘ copy file, never touching the disk.

Sophos researchers found that Shanya performs checks for endpoint detection and response (EDR) solutions by calling

Related Posts

Leave a Comment