Defeating APT10 Compiler-level Obfuscations

Takahiro Haruyama/Carbon Black

Compiler-level obfuscations, like opaque predicates and control flow flattening, are starting to be observed in the wild and are likely to become a challenge for malware analysts and researchers. Opaque predicates and control flow flattening are obfuscation methods that are used to limit malware analysis by defining unused logic, performing needless calculations, and altering code flow so that it is not linear. Manual analysis of malware utilizing these obfuscations is painful and time-consuming. ANEL (also referred to as UpperCut) is a RAT used by APT10, typically targeting Japan. All recent ANEL samples are obfuscated with opaque predicates and control flow flattening. In this presentation, I will explain how to de-obfuscate the ANEL code automatically by modifying the existing IDA Pro plugin HexRaysDeob.

Specifically, the following topics will be included:

  • - Disassembler tool internals (IDA Pro IL microcode)
  • - How to define and track opaque predicate patterns for their elimination
  • - How to break control flow flattening while considering various conditional/unconditional jump cases even if it depends heavily on the opaque predicate conditions and has multiple switch dispatchers.

The modified tool is available publicly and this implementation has been found to deobfuscate approximately 92% of encountered functions in the tested sample. Additionally, most of the failed functions can be properly deobfuscated in IDA Pro 7.3. This provides researchers with an approach with which to attack such obfuscations, which could be adopted by other families and other threat groups.

November 7 at 14:30 - 15:00, Stage A

Takahiro Haruyama is a principal threat researcher with Carbon Black`s Threat Analysis Unit, with over ten years of extensive experience and knowledge in malware analysis and digital forensics. He previously worked on reverse-engineering cyber espionage malware with Symantec`s threat intelligence team. He has spoken at several famous conferences including REcon, HITB, HITCON, SECURE, DFRWS EU, SANS DFIR Summit, FIRST and BlackHat Briefings USA/Europe/Asia.