Defeating APT10 Compiler-level Obfuscations

Presented at REcon 2019, June 28, 2019, 4 p.m. (30 minutes).

This research breaks the state-of-the-art compiler-level obfuscations applied to APT10 malware. The know-how introduced here will be valuable for a new implementation even if another malware family uses a different obfuscating compiler. Compiler-level obfuscations like opaque predicates and control flow flattening are starting to be observed in the wild and will be a challenge for malware analysts and researchers. Opaque predicates (conditions whose outcome is fixed at compile time but not obvious to the analyst) and control flow flattening (routing every basic block through a state variable and a dispatcher switch) are obfuscation methods used to limit malware analysis by defining unused logic, performing needless calculations, and altering code flow so that it is not linear. Manual analysis of malware using these obfuscations is painful and time-consuming.

ANEL (also referred to as UpperCut) is a RAT used by APT10, traditionally targeting Japan. All of the recent ANEL samples are obfuscated with opaque predicates and control flow flattening. In this presentation I will explain how to automatically de-obfuscate the ANEL code by modifying the existing IDA Pro plugin HexRaysDeob. Specifically, the following topics will be included:

- Disassembler tool internals (IDA Pro IL microcode)
- How to define and track opaque predicate patterns for their elimination
- How to break control flow flattening while handling the various conditional/unconditional jump cases, even when the flattening depends heavily on the opaque predicate conditions and uses multiple switch dispatchers

The modified tool is publicly available, and this implementation deobfuscates approximately 89% of the functions encountered in the tested sample. This gives researchers an approach to attacking these obfuscations, which could be adopted by additional families. Additional testing and code improvement for the tool will be added prior to the talk. Sharing the experience and knowledge of the implementation with the community will be valuable, as threat actors other than APT10 may also start to use the same obfuscations.
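As an added illustration of the two steps the abstract outlines (recognising opaque predicate patterns, then using their fixed verdicts to unflatten a dispatcher loop), the Python model below is constructed for this page; it is not HexRaysDeob's code and does not operate on IDA microcode. The flattened routine, its state constants, block labels, dispatcher tables and the three predicate templates are all assumptions made up for the example; a real tool would track the patterns its target obfuscator actually emits.

```python
"""Toy model of opaque-predicate elimination followed by control flow unflattening.
Constructed example for illustration only; not HexRaysDeob, not IDA microcode."""
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Assumed opaque predicate templates. `V` is a wildcard that must bind to the same
# sub-expression at every occurrence, so "x * (x + 1) % 2 == 0" and
# "(a + b) * ((a + b) + 1) % 2 == 0" both hit the first entry.
OPAQUE_TEMPLATES = [
    ("V * (V + 1) % 2 == 0", True),   # product of two consecutive ints is even
    ("V * V % 4 == 3", False),        # a square is 0 or 1 mod 4, never 3
    ("(V * V + V) % 2 == 1", False),  # same identity as the first, negated form
]


def _match(pat: ast.AST, node: ast.AST, binds: dict) -> bool:
    """Structural match of template `pat` against expression `node`."""
    if isinstance(pat, ast.Name) and pat.id == "V":
        if "V" not in binds:
            binds["V"] = node
            return True
        return ast.dump(binds["V"]) == ast.dump(node)
    if type(pat) is not type(node):
        return False
    for fld, pv in ast.iter_fields(pat):
        nv = getattr(node, fld, None)
        if isinstance(pv, list):
            if not isinstance(nv, list) or len(pv) != len(nv):
                return False
            if not all(_match(a, b, binds) for a, b in zip(pv, nv)):
                return False
        elif isinstance(pv, ast.AST):
            if not isinstance(nv, ast.AST) or not _match(pv, nv, binds):
                return False
        elif pv != nv:  # plain attributes such as Constant.value
            return False
    return True


def classify_predicate(src: str) -> Optional[bool]:
    """True/False if `src` matches a known opaque template, None if it is a real test."""
    expr = ast.parse(src, mode="eval").body
    for tmpl, value in OPAQUE_TEMPLATES:
        if _match(ast.parse(tmpl, mode="eval").body, expr, {}):
            return value
    return None


EXIT = -1  # assumed state value that leaves the dispatcher loop (function return)

# A block's successor: a constant next state (unconditional jump) or
# (condition source, state if true, state if false) for a conditional jump.
Succ = Union[int, Tuple[str, int, int]]


@dataclass
class Block:
    code: str
    succ: Succ


def deflatten(dispatchers: List[Dict[int, str]], blocks: Dict[str, Block], entry: int):
    """Rebuild real control flow from switch tables (state -> label) and blocks.

    Several dispatcher tables are merged, as an obfuscator may split the switch.
    Returns (cfg, dead): cfg maps each reachable label to its recovered successors;
    dead holds blocks only reachable through never-taken opaque branches."""
    state_to_block: Dict[int, str] = {EXIT: "ret"}
    for table in dispatchers:
        for state, label in table.items():
            if state_to_block.get(state, label) != label:
                raise ValueError(f"state {state:#x} has two targets")
            state_to_block[state] = label
    cfg: Dict[str, List] = {}
    work = [state_to_block[entry]]
    while work:
        label = work.pop()
        if label in cfg or label == "ret":
            continue
        succ = blocks[label].succ
        if isinstance(succ, int):
            targets = [state_to_block[succ]]
        else:
            cond, s_true, s_false = succ
            verdict = classify_predicate(cond)
            if verdict is True:
                targets = [state_to_block[s_true]]
            elif verdict is False:
                targets = [state_to_block[s_false]]
            else:  # genuine condition: keep the two-way branch
                targets = [(cond, state_to_block[s_true], state_to_block[s_false])]
        cfg[label] = targets
        for t in targets:
            work.extend([t] if isinstance(t, str) else t[1:])
    return cfg, set(blocks) - set(cfg)


# Constructed flattened routine: two switch tables, two opaque branches, one junk block.
SAMPLE_DISPATCHERS = [
    {0x1A2B: "A", 0x3C4D: "B", 0x5E6F: "C"},
    {0x0F0E: "D", 0x4444: "OK", 0x7777: "FAIL", 0x9999: "JUNK"},
]
SAMPLE_BLOCKS = {
    "A":    Block("n = strlen(buf)",        ("n * (n + 1) % 2 == 0", 0x3C4D, 0x9999)),
    "B":    Block("check minimum length",   ("n < 8", 0x7777, 0x5E6F)),
    "C":    Block("sum = checksum(buf, n)", ("sum * sum % 4 == 3", 0x9999, 0x0F0E)),
    "D":    Block("compare with expected",  ("sum == expected", 0x4444, 0x7777)),
    "OK":   Block("return 1",               EXIT),
    "FAIL": Block("return 0",               EXIT),
    "JUNK": Block("needless calculation",   0x1A2B),
}


def recover_sample():
    return deflatten(SAMPLE_DISPATCHERS, SAMPLE_BLOCKS, entry=0x1A2B)


if __name__ == "__main__":
    cfg, dead = recover_sample()
    for label, succ in cfg.items():
        print(f"{label:5} -> {succ}")
    print("dead blocks:", sorted(dead))
```

The recovered graph keeps only the two genuine tests (`n < 8` and `sum == expected`), turns the opaque branches in A and C into unconditional edges, and reports JUNK as dead. Template matching on an AST is a stand-in for matching on microcode instruction patterns; the point it shares with the talk is that once a predicate's verdict is known, the conditional jump collapses and the dispatcher's unreachable states fall out of the walk.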

Presenters:

  • Takahiro Haruyama
    Takahiro Haruyama is a Senior Threat Researcher with Carbon Black’s Threat Analysis Unit, with over ten years of extensive experience and knowledge in digital forensics and malware analysis. He previously worked on reverse-engineering cyber espionage malware with Symantec's threat intelligence team. He has spoken at or taught hands-on classes at several famous conferences, including Black Hat Briefings USA/Europe/Asia, SANS DFIR Summit, DFRWS EU, FIRST, CEIC, SECURE and HITCON.
