The LummaC2 obfuscator employs a novel control-flow protection scheme designed specifically for its stealer component, which is part of a broader set of transformations that make the binary hard for analysts to reverse engineer.
It introduces obfuscated code that is blended with the original compiler-generated code, requiring a specialised deobfuscator for analysis.
The obfuscator's authors appear to have a deep understanding of the LummaC2 stealer, as certain protections are tailored to specific parts of the malware.


Dispatcher blocks are an obfuscation technique used by the malware that breaks a function's original control flow by inserting instructions that calculate jump destinations dynamically.
The analysis identifies three main dispatcher block layouts: register-based (the most common), memory-based, and mixed-order. Register-based layouts use registers for the calculations and end with a jump to a register value.
Memory-based layouts use both registers and stack values, and mixed-order layouts combine elements of both and can interleave dispatcher instructions with original instructions, making deobfuscation harder.


The obfuscator uses conditional dispatchers to protect sensitive code logic. These are categorised into standard, loop, and syscall types: standard dispatchers handle general conditional jumps, while loop dispatchers control loop execution.
Syscall dispatchers evaluate NTSTATUS codes to determine whether a syscall succeeded, and the obfuscator builds a table of branch targets indexed by the condition's outcome.
By evaluating the condition code and indexing the table, the obfuscator executes the appropriate branch, which effectively hides sensitive logic from analysis.


To deobfuscate a function's control flow, symbolic execution with Triton is used to distinguish between the original instructions and those injected by the obfuscator (dispatcher instructions).
Backward slicing is performed on the destination register of an indirect jump to identify the instructions that influence the final jump target.
By analysing the symbolic expressions generated during processing, the dispatcher instructions responsible for the manipulation are isolated and the original function flow is pinpointed; this works regardless of where the dispatcher instructions are placed.
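As an added illustration of the backward-slicing step (example code written for this page, not Mandiant's Triton-based tool): a liveness-based slice over a constructed register-based dispatcher block separates the instructions that feed the indirect jump's register from the original ones, and then resolves the concrete target that a direct jump would replace. It stands in for Triton's symbolic expressions with a simple def/use register model and covers only the register-based layout with immediate operands; the addresses and instructions are constructed.

```python
from collections import namedtuple

# One instruction: address, text, registers it writes, registers it reads.
Insn = namedtuple("Insn", "addr text defs uses")

# Constructed stream modelled on a register-based dispatcher layout: original
# instructions (eax/[ebp-8]) are interleaved with ones computing ecx for jmp.
STREAM = [
    Insn(0x1000, "mov eax, [ebp-8]", {"eax"}, {"ebp"}),       # original
    Insn(0x1003, "mov ecx, 0x401000", {"ecx"}, set()),        # dispatcher
    Insn(0x1008, "add eax, 1", {"eax"}, {"eax"}),             # original
    Insn(0x100b, "add ecx, 0x24", {"ecx"}, {"ecx"}),          # dispatcher
    Insn(0x100e, "mov [ebp-8], eax", set(), {"eax", "ebp"}),  # original
    Insn(0x1011, "xor ecx, 0x10", {"ecx"}, {"ecx"}),          # dispatcher
    Insn(0x1014, "jmp ecx", set(), {"ecx"}),                  # indirect jump
]

def backward_slice(stream, target_reg):
    """Walk back from the jmp, keeping instructions that define a live register."""
    live, sliced = {target_reg}, []
    for insn in reversed(stream[:-1]):          # stream[-1] is the jmp itself
        if insn.defs & live:
            sliced.append(insn)
            live = (live - insn.defs) | insn.uses
    return list(reversed(sliced))

def split_dispatcher(stream):
    """Return (original, dispatcher) instruction lists for one block."""
    target_reg = next(iter(stream[-1].uses))
    slice_addrs = {i.addr for i in backward_slice(stream, target_reg)}
    original = [i for i in stream[:-1] if i.addr not in slice_addrs]
    dispatcher = [i for i in stream[:-1] if i.addr in slice_addrs]
    return original, dispatcher

def resolve_target(dispatcher, target_reg):
    """Evaluate the sliced mov/add/xor reg, imm chain to get the jump target."""
    regs = {}
    for insn in dispatcher:
        op, args = insn.text.split(" ", 1)
        dst, imm = (a.strip() for a in args.split(","))
        val = int(imm, 0)
        if op == "mov":
            regs[dst] = val
        elif op == "add":
            regs[dst] = (regs.get(dst, 0) + val) & 0xFFFFFFFF
        elif op == "xor":
            regs[dst] = regs.get(dst, 0) ^ val
    return regs[target_reg]
```

Memory-based and mixed-order layouts additionally need the slice to follow stack slots, which this register-only model does not track.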


The deobfuscation process begins by recovering the original instructions and control flow using a depth-first search algorithm.
Conditional jumps are handled by assuming the condition is met and exploring the corresponding path, while the other paths are saved for later exploration.
The deobfuscated function is then rebuilt by overwriting the original instructions and replacing indirect jumps with direct ones or conditional jump pairs.
Finally, the offsets of memory-referencing instructions are adjusted to reflect their new locations, which effectively removes the obfuscation and restores the original function's semantics.


Mandiant researchers developed a deobfuscation tool for LummaC2 using backward slicing and symbolic execution, which identify the original instructions obscured by the obfuscator's indirect jumps, successfully remove dispatcher blocks, and reveal the program's true control flow.
Deobfuscated functions can then be recovered and decompiled using IDA Pro, enabling analysts to understand LummaC2's functionality, which highlights the effectiveness of backward slicing for binary analysis beyond the LummaC2 case study.