What are Binder Techniques, and how can we identify them?

A binder or file binder is software used to combine an executable file with other files, which can be documents or legitimate executable programs. We have already discussed wrappers and mentioned that a wrapper is a technique abused by threat actors to hide malware inside another file.

Both wrappers and binders can effectively bypass traditional detection software, and they can exploit the curiosity of users ranging from casual computer users to IT professionals.

So, how does binder software work, and what is the binding process? The diagram below (an image in the original post) illustrates the flow:



I created an example where an executable file is bound with a PDF document. After executing the file, both the executable and the PDF are launched.

Before running it, I want to analyze this executable to see what information we can extract from it.


Now, let’s check the entropy of the .rdata section:


The high entropy shows that the .rdata section is mostly compressed or packed by the binder software that combined the PDF document with our executable file. Therefore, trying to extract the embedded PDF with 7-Zip or other archive utilities will not work, because the data is not stored in a standard archive format.
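To make the entropy check reproducible, here is an added Python script (not code from the original post) that parses the PE section table and reports the Shannon entropy of each section's raw bytes. The sample PE it builds is constructed and not loadable; its .rdata section is filled with pseudo-random bytes standing in for the binder's packed payload, and the 7.0 bits/byte threshold in `suspicious_sections` is an assumption, not a published rule.

```python
import math
import random
import struct
from collections import Counter

SECTION_HDR = struct.Struct("<8s6I2HI")  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for compressed data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def section_entropies(pe: bytes) -> dict:
    """Map each section name to the entropy of its raw on-disk bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    off = e_lfanew + 24 + opt_size  # section table follows the optional header
    result = {}
    for _ in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(pe, off)
        key = name.rstrip(b"\0").decode("ascii", "replace")
        result[key] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        off += SECTION_HDR.size
    return result


def suspicious_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Sections above the (assumed) threshold: candidates for dynamic analysis."""
    return [n for n, e in section_entropies(pe).items() if e > threshold]


def build_sample_pe() -> bytes:
    """Constructed, minimal, non-loadable PE: plain .text plus an .rdata of
    pseudo-random bytes standing in for a binder's compressed payload."""
    text = bytes(range(16)) * 256  # 4096 bytes, exactly 4.0 bits/byte
    rng = random.Random(1)  # fixed seed so the sample is deterministic
    rdata = bytes(rng.getrandbits(8) for _ in range(4096))
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)  # COFF, no optional hdr
    raw_ptr = 0x200
    for name, body, va in ((b".text", text, 0x1000), (b".rdata", rdata, 0x2000)):
        hdr += SECTION_HDR.pack(name, len(body), va, len(body), raw_ptr, 0, 0, 0, 0, 0x40000040)
        raw_ptr += len(body)
    return bytes(hdr).ljust(0x200, b"\0") + text + rdata
```

On a real sample, read the file into `pe` and call `section_entropies(pe)`; a data section near 8 bits/byte next to a normal-looking .text is the pattern this post describes.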

However, dynamic analysis with Process Monitor and a couple of filters can be effective. You can use the following filters:

  1. Process Name: your_executable.exe

  2. Operation: WriteFile, ReadFile, CreateFile


PoC:



Let’s execute our executable file and observe what happens after execution:



Enjoy :)
