One Article Review

The article:
Source Mandiant
Identifier 8584760
Publication date 2024-09-25 14:00:00 (seen: 2024-09-25 14:17:21)
Title LummaC2: Obfuscation Through Indirect Control Flow
Text Written by: Nino Isakovic, Chuong Dong
Overview

This blog post delves into the analysis of a control flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples. In addition to the traditional control flow flattening technique used in older versions, the malware now leverages customized control flow indirection to manipulate the execution of the malware. This technique thwarts all binary analysis tools including IDA Pro and Ghidra, significantly hindering not only the reverse engineering process, but also automation tooling designed to capture execution artifacts and generate detections. To provide insights to Google and Mandiant security teams, we developed an automated method for removing this protection layer through symbolic backward slicing. By leveraging the recovered control flow, we are able to rebuild and deobfuscate the samples into a format readily consumable by any static binary analysis platform.

Protection Components Overview

An obfuscating compiler, which we will also informally refer to as an "obfuscator," is a transformation tool designed to enhance the security of software binaries by making them more resilient to binary analysis. It operates by transforming a given binary into a protected representation, thereby increasing the difficulty for the code to be analyzed or tampered with. These transformations are typically applied on a per-function basis, where the user selects the specific functions to apply them to. Obfuscating compilers are distinct from packers, although they may incorporate packing techniques as part of their functionality. They fall under the broader classification of software protections, such as OLLVM, VMProtect, and Code Virtualizer, which provide comprehensive code transformation and protection mechanisms beyond simple packing. Notably, for all protected components, the original code will never be exposed in its original, unprotected form at any point during the runtime of a protected binary.

It is also common for obfuscating compilers to mix the original compiler-generated code with obfuscator-introduced code. This generally necessitates a comprehensive deobfuscator from an analyst in order to analyze the binary. The obfuscator employed by LummaC2 applies a multitude of transformations consistent with standard obfuscating compiler technology. Our concern here is only the newly introduced control flow protection scheme that we uncovered. Our analysis strongly suggests that the authors of the obfuscator have intimate knowledge of the LummaC2 stealer. Certain parts of the protection, as described in the upcoming sections, are specialized to handle specific components of the LummaC2 stealer.

Dispatcher Blocks

The obfuscator transforms the control flow of a protected function into one guided by "dispatcher blocks," ea
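As an added illustration of the recovery idea sketched above (a constructed toy, not Mandiant's tooling and not LummaC2's actual dispatcher scheme): each block of a small function ends in a table-based indirect jump whose index is computed at runtime, so a disassembler sees no successor edges; a backward slice collects the instructions that define the jump register and evaluates them to enumerate the concrete targets, rebuilding an explicit control flow graph. The instruction set, jump table and block addresses are all assumed.

```python
# Constructed toy: blocks end in a table-based indirect jump whose index is
# computed at runtime, so a disassembler sees no static successor edges.
TABLE = [0x400, 0x410, 0x420, 0x430]   # jump table: index -> block address
MASK = 0x3                             # index is masked to the table size
# Constructed obfuscated function: address -> instruction tuples; "cmov" models
# a conditional move, so such a block can reach two different targets.
PROGRAM = {
    0x400: [("mov", "ecx", 0x12), ("xor", "ecx", 0x13), ("jmp_table", "ecx")],
    0x410: [("mov", "ecx", 0x05), ("cmov", "ecx", 0x06), ("add", "ecx", 0x1),
            ("jmp_table", "ecx")],
    0x420: [("mov", "ecx", 0x10), ("xor", "ecx", 0x10), ("jmp_table", "ecx")],
    0x430: [("ret",)],
}

def backward_slice(insns, reg):
    """Collect, in execution order, the instructions defining `reg` before the jump."""
    collected = []
    for op, dst, imm in reversed(insns[:-1]):   # walk backward from the jump
        if dst == reg:
            collected.append((op, dst, imm))
            if op == "mov":             # full definition: the slice is complete
                break
    else:
        raise ValueError(f"{reg} is never fully defined in the block")
    return list(reversed(collected))

def evaluate(sliced):
    """Forward-evaluate the slice over the set of all values it can produce."""
    values = set()
    for op, _, imm in sliced:
        if op == "mov":
            values = {imm}
        elif op == "xor":
            values = {v ^ imm for v in values}
        elif op == "add":
            values = {(v + imm) & 0xFFFFFFFF for v in values}
        elif op == "cmov":              # either outcome is possible statically
            values = values | {imm}
    return values

def resolve_successors(addr):
    # Concrete successor addresses of one block, recovered without executing it.
    insns = PROGRAM[addr]
    if insns[-1][0] == "ret":
        return set()
    _, reg = insns[-1]                  # ("jmp_table", reg)
    keys = evaluate(backward_slice(insns, reg))
    return {TABLE[k & MASK] for k in keys}

def recover_cfg():
    # Rebuild the explicit control flow graph: address -> sorted successor list.
    return {addr: sorted(resolve_successors(addr)) for addr in PROGRAM}
```

`recover_cfg()` returns the edges a static analysis platform could consume directly, including the conditional block's two targets and the loop back to the entry block.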
Notes ★★★
Sent Yes
Tags Malware Tool Threat Studies


The article does not seem to have been picked up after its publication.


The article does not seem to be a repeat of a previous one.