Packer services like Shanya help cybercriminals evade detection by standard security tools by packaging their payloads in custom wrappers that use encryption and compression. When a threat actor submits a malicious payload, Shanya returns a “packed” version, claiming to offer a unique stub and encryption algorithm for each customer. The service advertises the uniqueness of the resulting payload, highlighting features such as non-standard module loading and a wrapper over the system loader. This process makes the malicious code significantly harder for most known security tools and antivirus engines to detect.
Shanya achieves its obfuscation by inserting the payload into a memory-mapped copy of the Windows DLL file ‘shell32.dll’. The payload is decrypted and decompressed entirely in memory before being inserted, so it never touches the disk. Although the loaded module still appears valid in its path, size, and executable sections, its header and .text section are overwritten with the decrypted payload. Before full execution, Shanya also checks for endpoint detection and response (EDR) solutions.
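One way to detect the overwrite described above is to compare the loaded image of a module with its on-disk copy, taking the PE layout from the trusted disk copy only, because the in-memory header is exactly what gets replaced. The Python below is an added example written for this page, not Sophos tooling or code from Shanya; the minimal PE it builds, the relocation-style fixups and the simulated header/.text overwrite are all constructed inputs, and the `text_threshold` value is an assumed tuning knob. A real deployment would feed `compare_image` a dump of the mapped module from process memory and the corresponding file from System32.

```python
"""Compare a mapped (in-memory) PE image with its on-disk copy and flag the
header/.text overwrite described above.  Added example, not Sophos or Shanya
code; the sample PE and the tampering below are constructed."""
import struct

PE32PLUS_MAGIC = 0x20B


def parse_pe(disk: bytes):
    """Parse DOS/NT headers and the section table from the ON-DISK copy.
    Returns (headers_end, [(name, vaddr, vsize, rawptr, rawsize), ...])."""
    if disk[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", disk, 0x3C)[0]
    if disk[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", disk, coff + 2)[0]
    size_opt = struct.unpack_from("<H", disk, coff + 16)[0]
    sec_table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = sec_table + 40 * i
        name = disk[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", disk, off + 8)
        sections.append((name, vaddr, vsize, rawptr, rawsize))
    return sec_table + 40 * num_sections, sections


def map_image(disk: bytes) -> bytes:
    """Lay the file out as the loader would (headers at 0, sections at their
    VirtualAddress).  Stands in for a memory dump of the loaded module."""
    headers_end, sections = parse_pe(disk)
    size = max(vaddr + max(vsize, rawsize) for _, vaddr, vsize, _, rawsize in sections)
    image = bytearray(size)
    image[:headers_end] = disk[:headers_end]
    for _, vaddr, _, rawptr, rawsize in sections:
        image[vaddr:vaddr + rawsize] = disk[rawptr:rawptr + rawsize]
    return bytes(image)


def compare_image(disk: bytes, mapped: bytes, text_threshold: float = 0.10) -> dict:
    """Flag divergence between the mapped image and the disk copy.  The layout
    comes from the disk copy only: the in-memory header is what the packer
    overwrites, so it cannot be trusted to describe itself."""
    headers_end, sections = parse_pe(disk)
    header_modified = mapped[:headers_end] != disk[:headers_end]
    text = next((s for s in sections if s[0] == ".text"), None)
    if text is None:
        raise ValueError("no .text section")
    _, vaddr, _, rawptr, rawsize = text
    on_disk = disk[rawptr:rawptr + rawsize]
    in_mem = mapped[vaddr:vaddr + rawsize]
    differing = sum(a != b for a, b in zip(on_disk, in_mem))
    ratio = differing / max(len(on_disk), 1)
    return {"header_modified": header_modified,
            "text_diff_ratio": ratio,
            "suspicious": header_modified or ratio > text_threshold}


def build_sample_dll() -> bytes:
    """Constructed minimal PE32+ (two sections, no real code); not shell32.dll."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x2102)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)

    def section(name, vaddr, vsize, rawptr, rawsize, flags):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, 0x200, 0x400, 0x200, 0x60000020)
               + section(b".data", 0x2000, 0x100, 0x600, 0x100, 0xC0000040))
    disk = bytearray(0x700)
    disk[:len(headers)] = headers
    disk[0x400:0x600] = b"\x90" * 0x200                          # .text body
    disk[0x600:0x700] = b"D" * 0x100                             # .data body
    return bytes(disk)


def demo() -> dict:
    """Clean mapping, a mapping with a few relocation-style fixups, and a mapping
    whose header and .text were replaced (the behaviour described above)."""
    disk = build_sample_dll()
    clean = map_image(disk)
    headers_end, _ = parse_pe(disk)
    relocated = bytearray(clean)
    relocated[0x1010:0x1018] = b"\x41" * 8              # 8 fixed-up bytes in .text
    hollowed = bytearray(clean)
    hollowed[:headers_end] = b"\0" * headers_end        # header overwritten
    hollowed[0x1000:0x1200] = b"\xCC" * 0x200           # .text overwritten
    return {"clean": compare_image(disk, clean),
            "relocated": compare_image(disk, bytes(relocated)),
            "hollowed": compare_image(disk, bytes(hollowed))}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The .text comparison uses a ratio rather than exact equality because base relocations and similar loader fixups legitimately change a handful of bytes in a mapped image; a wholesale replacement of the section stands out as a near-100% difference. A modified header is treated as suspicious on its own, since the loader maps the header region unchanged.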
Sophos researchers discovered that Shanya attempts to disrupt automated analysis by calling the ‘RtlDeleteFunctionTable’ function in an invalid context, which typically triggers an unhandled exception or crash when executed under a user-mode debugger. Ransomware groups often seek to disable EDR tools before proceeding to the data theft and encryption stages of their attack. The deployment of the packed payload frequently occurs through DLL side-loading, where a legitimate Windows executable like ‘consent.exe’ is combined with a Shanya-packed malicious DLL.
The EDR-disabling payload analyzed by Sophos drops two drivers: a legitimately signed ‘ThrottleStop.sys’ (renamed ‘rwdrv.sys’) from TechPowerUp, which contains a flaw enabling arbitrary kernel memory writes for privilege escalation, and the unsigned ‘hlpdrv.sys’. This unsigned driver is responsible for disabling security products based on commands from its user-mode component. The user-mode component enumerates running processes and installed services, compares them against a hardcoded list of targets, and then sends a “kill” command to the malicious kernel driver for any matches.
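The two deployment behaviours described in the preceding paragraphs, a Windows binary such as ‘consent.exe’ running outside System32 and loading a DLL from its own directory, and kernel driver loads that are either unsigned (‘hlpdrv.sys’) or carry a valid signature under a different file name (‘ThrottleStop.sys’ dropped as ‘rwdrv.sys’), can be triaged from endpoint telemetry. The Python below is an added example for this page, not Sophos's detection content or any product's rule set; the event schema, the field names (including `original_filename`, which assumes the telemetry source reports the signed file's version-resource name), the paths, PIDs and the ‘example.dll’ name are constructed placeholders, and only the executable and driver names come from the article.

```python
"""Triage constructed endpoint telemetry for the deployment behaviours described
above: DLL side-loading through a relocated Windows binary, and unsigned or
renamed-but-signed kernel driver loads.  Added example; the event schema and
sample events are this example's own, not any product's."""
import json
import ntpath

SYSTEM32 = r"c:\windows\system32"
# Windows binaries the article names as side-loading hosts; extend as needed.
WINDOWS_BINARIES = {"consent.exe"}

# Constructed sample telemetry, one JSON object per line.  Paths, PIDs and
# "example.dll" are placeholders; only the binary and driver names are from the
# article.  "original_filename" is assumed to be taken from the signed file's
# version resource by whatever sensor produced the event.
SAMPLE_EVENTS = r"""
{"type": "process_create", "pid": 4100, "image": "C:\\Windows\\System32\\consent.exe"}
{"type": "process_create", "pid": 5200, "image": "C:\\Users\\Public\\upd\\consent.exe"}
{"type": "image_load", "pid": 4100, "image": "C:\\Windows\\System32\\consent.exe", "loaded": "C:\\Windows\\System32\\example.dll"}
{"type": "image_load", "pid": 5200, "image": "C:\\Users\\Public\\upd\\consent.exe", "loaded": "C:\\Users\\Public\\upd\\example.dll"}
{"type": "driver_load", "loaded": "C:\\Windows\\Temp\\rwdrv.sys", "signed": true, "original_filename": "ThrottleStop.sys"}
{"type": "driver_load", "loaded": "C:\\Windows\\Temp\\hlpdrv.sys", "signed": false, "original_filename": null}
{"type": "driver_load", "loaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "signed": true, "original_filename": "tcpip.sys"}
"""


def triage(raw: str) -> list:
    """Return (rule, pid, path) findings for JSON-lines telemetry."""
    findings = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "image_load":
            proc_dir, proc_name = ntpath.split(ev["image"].lower())
            dll_dir = ntpath.dirname(ev["loaded"].lower())
            # A Windows binary copied out of System32 that loads a DLL from its
            # own directory is the side-loading pattern the article describes.
            if proc_name in WINDOWS_BINARIES and proc_dir != SYSTEM32 and dll_dir == proc_dir:
                findings.append(("dll_sideload", ev["pid"], ev["loaded"]))
        elif ev["type"] == "driver_load":
            name = ntpath.basename(ev["loaded"]).lower()
            orig = ev.get("original_filename")
            if not ev["signed"]:
                # The unsigned driver doing the killing has no valid signature.
                findings.append(("unsigned_driver", None, ev["loaded"]))
            elif orig and orig.lower() != name:
                # Valid signature, but the file was loaded under a name different
                # from the one it was signed with: the renamed-driver pattern.
                findings.append(("renamed_signed_driver", None, ev["loaded"]))
    return findings


if __name__ == "__main__":
    for rule, pid, path in triage(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {path}")
```

Name-based matching is a weak signal on its own: an attacker can pick any file name, so a production rule for the vulnerable signed driver should key on its file hash or signer (values the article does not reproduce), and the unsigned-driver rule assumes the host does not already block unsigned kernel drivers outright. The side-loading rule generalises to any Windows binary added to `WINDOWS_BINARIES`; the article names only ‘consent.exe’.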
Besides ransomware operators, the Shanya service has also been observed in recent ClickFix campaigns packaging the CastleRAT malware. Security researchers note that ransomware gangs frequently rely on such packer services to prepare their EDR-killing tools for deployment while remaining undetected. Sophos provided a detailed technical analysis of the payloads and released indicators of compromise (IoCs) related to Shanya-powered campaigns to help organizations defend against this evolving threat.
Source: Ransomware gangs turn to Shanya EXE packer to conceal tools that disable EDR systems