Under the hood of Wslink’s multilayered virtual machine

Presented at REcon 2022, June 5, 2022, 11:30 a.m. (30 minutes)

Wslink is a unique loader, linked to the Lazarus group, that we first documented at the end of last year. Most of the Wslink samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts, such as specific section names, that easily link them to an already known and publicly described obfuscator. This VM additionally introduces several other obfuscation techniques, such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM. In our presentation we analyze the internals of the VM and describe our semiautomatic approach to seeing through the obfuscation techniques in reasonable time. We demonstrate the approach on a few chunks of bytecode of a protected sample and compare the results against a non-obfuscated sample to confirm the validity of the method. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and certain internal constructs of the VM as concrete values instead of as symbolic ones, which enables the known deobfuscation method to deal with the additional obfuscation techniques automatically.

Presenters:

  • Vladislav Hrčka
    Vladislav Hrčka has been working as a malware analyst at ESET since 2017. His focus is on reverse engineering challenging malware samples. He has presented results of his work at the Black Hat USA and AVAR conferences. He is currently studying Computer Science at Comenius University in Bratislava, in the first year of a master’s degree.
