ANY.RUN Details How Threat Actors Use Obfuscators to Mask Malware
DUBAI, UNITED ARAB EMIRATES, February 14, 2024 /EINPresswire.com/ -- ANY.RUN, a cloud-based sandboxing service, published its first article in the series on the use of malware obfuscators, software tools that scramble code to make it difficult to understand and reverse engineer.
𝐓𝐡𝐞 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞 𝐨𝐟 𝐎𝐛𝐟𝐮𝐬𝐜𝐚𝐭𝐞𝐝 𝐂𝐨𝐝𝐞:
Modern malware often employs obfuscation techniques to hinder analysis and detection. This creates a significant challenge for security researchers who need to understand the code's functionality and potential harm. This article series aims to equip individuals with the knowledge to tackle obfuscated code with confidence.
𝐁𝐮𝐢𝐥𝐝𝐢𝐧𝐠 𝐚 𝐒𝐢𝐦𝐩𝐥𝐞 𝐎𝐛𝐟𝐮𝐬𝐜𝐚𝐭𝐨𝐫
The series starts by taking readers through the creation of a simple obfuscator written in .NET. This hands-on approach provides a clear understanding of the basic techniques used, including:
• 𝐏𝐫𝐨𝐱𝐲 𝐟𝐮𝐧𝐜𝐭𝐢𝐨𝐧𝐬: Hiding strings within separate functions with complex names.
• 𝐂𝐡𝐚𝐫𝐚𝐜𝐭𝐞𝐫 𝐛𝐫𝐞𝐚𝐤𝐝𝐨𝐰𝐧: Splitting strings into individual characters for further obfuscation.
• 𝐍𝐮𝐦𝐞𝐫𝐢𝐜 𝐜𝐨𝐧𝐯𝐞𝐫𝐬𝐢𝐨𝐧: Replacing characters with their numerical values to mask their meaning.
• 𝐇𝐞𝐚𝐯𝐲 𝐦𝐚𝐭𝐡: Utilizing complex mathematical expressions to represent characters.
• 𝐂𝐨𝐧𝐭𝐫𝐨𝐥 𝐅𝐥𝐨𝐰 𝐆𝐫𝐚𝐩𝐡 (𝐂𝐅𝐆) 𝐨𝐛𝐟𝐮𝐬𝐜𝐚𝐭𝐢𝐨𝐧: Shuffling code blocks while maintaining functionality.
𝐀𝐭𝐭𝐚𝐜𝐤𝐢𝐧𝐠 𝐭𝐡𝐞 𝐎𝐛𝐟𝐮𝐬𝐜𝐚𝐭𝐨𝐫
The article then demonstrates how seemingly complex obfuscation can be bypassed using various methods, such as:
• 𝐀𝐭𝐭𝐚𝐜𝐤𝐢𝐧𝐠 𝐭𝐡𝐞 𝐎𝐛𝐟𝐮𝐬𝐜𝐚𝐭𝐨𝐫: Pausing code execution at key points to inspect variables and memory.
• 𝐌𝐞𝐦𝐨𝐫𝐲 𝐝𝐮𝐦𝐩𝐬: Analyzing memory snapshots to reveal hidden strings and data.
• 𝐃𝐞𝐨𝐛𝐟𝐮𝐬𝐜𝐚𝐭𝐢𝐨𝐧 𝐭𝐨𝐨𝐥𝐬: Utilizing specialized software like De4dot to reverse engineer obfuscated code.
𝐒𝐭𝐚𝐲 𝐓𝐮𝐧𝐞𝐝
The first article marks the introduction to a series. In upcoming installments, the authors will explore advanced obfuscation techniques used in real-world malware and strategies for extracting meaningful insights from obfuscated code.
Learn more in ANY.RUN’s blog post.
Veronika Trifonova
ANYRUN FZCO
+1 657-366-5050
email us here
Visit us on social media:
Twitter
YouTube
1 https://any.run/?utm_source=ein&utm_medium=pressrelease&utm_campaign=detailspart1&utm_content=landing&utm_term=140224
2 https://any.run/cybersecurity-blog/net-malware-obfuscators-analysis-part-one/?utm_source=ein&utm_medium=pressrelease&utm_campaign=detailspart1&utm_content=blog&utm_term=140224
3 https://any.run/cybersecurity-blog/net-malware-obfuscators-analysis-part-one/?utm_source=ein&utm_medium=pressrelease&utm_campaign=detailspart1&utm_content=blog&utm_term=140224