Defeating APT10 compiler-level obfuscations

Thursday 3 October 09:30 - 10:00, Red room

Takahiro Haruyama (Carbon Black)

Compiler-level obfuscations like opaque predicates and control flow flattening are starting to be observed in the wild and will be a challenge for malware analysts and researchers. Opaque predicates and control flow flattening are obfuscation methods used to limit malware analysis by defining unused logic, performing needless calculations, and altering code flow so that it is not linear. Manual analysis of malware utilizing these obfuscations is painful and time-consuming.

ANEL (also referred to as UpperCut) is a RAT used by APT10, typically targeting Japan. All recent ANEL samples are obfuscated with opaque predicates and control flow flattening. In this presentation I will explain how to automatically de-obfuscate the ANEL code by modifying the existing IDA Pro plug-in HexRaysDeob.

Specifically, the following topics will be included:

  • Disassembler tool internals (IDA Pro IL microcode)
  • How to define and track opaque predicate patterns so they can be eliminated
  • How to break control flow flattening while handling the various conditional and unconditional jump cases, even when the flattening depends heavily on the opaque predicate conditions and uses multiple switch dispatchers

The modified tool is publicly available, and this implementation has been found to de-obfuscate approximately 89% of the functions encountered in the tested samples. This gives researchers an approach to attacking these obfuscations, which could be adopted by additional malware families. Additional testing and code improvements for the tool will be added prior to the talk. Sharing the experience and knowledge gained from the implementation with the community will be valuable, as threat actors other than APT10 may also start to use the same obfuscations.
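To make the two obfuscations concrete, here is an added toy model (not code from the talk or from the HexRaysDeob plug-in) of a flattened function: every block sits behind a switch dispatcher keyed on a state variable, one branch is guarded by an opaque predicate, and a dead block is reachable only through that predicate. The recovery follows the state writes instead of the dispatcher and folds predicates that are provably constant, so the original edges between blocks reappear; the states, labels and predicate are all constructed.

```python
"""Toy control-flow-flattening model and its removal (constructed example)."""
from collections import deque

# An opaque predicate computes a value that never changes:
# x*(x+1) is always even, so this is True for every integer x.
def opaque_always_true(x):
    return (x * x + x) % 2 == 0

# Flattened function: state -> (block label, successor spec).
#   ("goto", next_state)                unconditional state write
#   ("opaque", pred, taken, not_taken)  branch on an opaque predicate
#   ("cond", taken, not_taken)          genuine data-dependent branch
#   ("ret",)                            function return
FLATTENED = {
    0x1A: ("init",          ("goto", 0x2B)),
    0x2B: ("decode_config", ("opaque", opaque_always_true, 0x3C, 0x99)),
    0x3C: ("check_arg",     ("cond", 0x4D, 0x5E)),
    0x4D: ("log_event",     ("goto", 0x5E)),
    0x5E: ("cleanup",       ("ret",)),
    0x99: ("junk",          ("goto", 0x2B)),  # dead: only via the opaque branch
}
ENTRY = 0x1A

def fold_opaque(pred, samples=range(-64, 64)):
    """Return pred's constant value if it agrees on all samples, else None."""
    values = {pred(x) for x in samples}
    return values.pop() if len(values) == 1 else None

def unflatten(flat, entry):
    """Rebuild the real CFG as {block label: [successor labels]}."""
    cfg, seen, work = {}, set(), deque([entry])
    while work:
        state = work.popleft()
        if state in seen:
            continue
        seen.add(state)
        label, spec = flat[state]
        if spec[0] == "goto":
            succ = [spec[1]]
        elif spec[0] == "opaque":
            value = fold_opaque(spec[1])
            # a constant predicate collapses to one edge; an unresolved one
            # keeps both, since over-approximating beats dropping real code
            succ = [spec[2], spec[3]] if value is None else [spec[2] if value else spec[3]]
        elif spec[0] == "cond":
            succ = [spec[1], spec[2]]
        else:
            succ = []
        cfg[label] = [flat[s][0] for s in succ]
        work.extend(succ)
    return cfg
```

Blocks that are never reached once the opaque branch is folded (here `junk`) simply do not appear in the recovered graph, which is the same effect the talk describes for eliminated predicates.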


Takahiro Haruyama

Takahiro Haruyama is a senior threat researcher with Carbon Black's Threat Analysis Unit, with over ten years of extensive experience and knowledge in digital forensics and malware analysis. He previously worked on reverse-engineering cyber espionage malware with Symantec's threat intelligence team. He has spoken at or taught hands-on classes at several famous conferences including Black Hat Briefings USA/Europe/Asia, SANS DFIR Summit, DFRWS EU, FIRST, CEIC, SECURE and HITCON.

@cci_forensics
