What are Wrapper Techniques, and how can we identify them?

Threat actors spend hours or even weeks finding new techniques and making their software look as legitimate as possible. One technique that can trick IT teams, regular users, and sometimes even professional users is the wrapping technique.

So, what is the wrapping technique? A wrapper is a method abused by threat actors to hide malware inside another file. Technically, it is similar to, but not exactly the same as, a binding technique.

How does the wrapping technique work? Imagine we have an executable file named document.pdf.exe. When a user clicks it, a PDF file appears to open. This is an example of the wrapper technique.

Right now, this example may not seem convincing because the file shows its full name: document.pdf.exe. However, Windows hides extensions for known file types by default, and most computer users leave the “show file extensions” option turned off. As a result, the file appears as document.pdf, which makes it look harmless.


But if we enable file name extensions and look at it, the whole story changes:

So how do threat actors do this and keep their software stealthy? There are two main methods they use:

  1. Using an archive utility like WinRAR SFX (a self-extracting archive)

  2. Using specific software designed for this purpose


Our example uses the SFX method, which is a common technique abused by threat actors. But how can we identify it? There are two main methods:

  1. Right-click on the executable file: if you see an “Extract Here” option, the SFX method has been used. This works because an installed archiver such as WinRAR recognizes the archive embedded in the executable; without an archiver installed, the option will not appear.

  2. Use a PE analysis tool such as DIE (Detect It Easy), which identifies SFX stubs and the archive data appended to them.

I will provide examples for both methods and show how we can identify them.


Right Click Method:



PE Analysis Method:


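As an added example that is not part of the original post, the script below automates the two warning signs discussed here: a double extension such as document.pdf.exe, and an archive signature (RAR or ZIP) sitting inside a PE file, which is what a WinRAR SFX stub carries. The sample bytes are constructed inline to stand in for an SFX executable; the archive check is a heuristic and should be confirmed with a tool such as DIE.

```python
from pathlib import Path
from typing import List, Optional

# Public archive magic values that an SFX stub carries after its PE code.
ARCHIVE_SIGNATURES = {
    "RAR4": b"Rar!\x1a\x07\x00",
    "RAR5": b"Rar!\x1a\x07\x01\x00",
    "ZIP": b"PK\x03\x04",
}
# Extensions Windows runs on double-click, and document extensions a lure typically imitates.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def has_double_extension(name: str) -> bool:
    """True for names like document.pdf.exe: a document extension right before an executable one."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS


def find_embedded_archive(data: bytes) -> Optional[str]:
    """Return the archive type whose signature appears inside a PE image, or None.

    Only PE files (MZ header) are considered. A hit is a heuristic: installers and
    some packers also embed ZIP data, so confirm with a tool such as Detect It Easy.
    """
    if not data.startswith(b"MZ"):
        return None
    for label, magic in ARCHIVE_SIGNATURES.items():
        if data.find(magic, 2) != -1:
            return label
    return None


def assess(name: str, data: bytes) -> List[str]:
    """Collect the wrapper indicators present for one file (name plus contents)."""
    findings = []
    if has_double_extension(name):
        findings.append("double extension")
    archive = find_embedded_archive(data)
    if archive:
        findings.append(f"embedded {archive} archive (SFX)")
    return findings


# Constructed sample: a fake PE stub followed by a RAR4 header, standing in for a WinRAR SFX.
SAMPLE_SFX = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32 + ARCHIVE_SIGNATURES["RAR4"] + b"\x00" * 16

if __name__ == "__main__":
    print(assess("document.pdf.exe", SAMPLE_SFX))
```

On a real sample, read the file with `open(path, "rb").read()` and pass its name and bytes to `assess`; a PDF opened by the lure will never start with MZ, so only the executable itself is flagged.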
So far, we have made great progress in our investigation and uncovered the techniques and methods abused by threat actors. Now, let’s extract the files inside this wrapped executable. You can see the results below:


Enjoy.
