Malware, like many complex software systems, relies on the concept of software configuration.
Configurations establish guidelines for malware behavior and they are a common feature among the various malware families we examine.
The configuration data embedded within malware can offer invaluable insights into the intentions of cybercriminals.
Due to its significance, malware authors deliberately make configuration data challenging to parse statically from the file.
Over the past few years, we have developed a system to extract internal malware configurations.
These extractors, written in Python, are designed to scan and extract configuration data from memory dumps associated with specific malware samples.
We will also introduce selected configuration protection techniques employed by two malware families: GuLoader and RedLine Stealer.
The GuLoader authors went to great lengths to obfuscate their C2 configuration.
Figure 1 provides a timeline illustrating the evolution of GuLoader obfuscation techniques.
This evolution has defeated our previous approach to extracting GuLoader malware configuration.
To retrieve the first DWORD of the ciphertext from GuLoader's new method, we must perform the mathematical operations illustrated below in Figure 3.
Figure 4 illustrates how GuLoader implemented all these instructions for anti-analysis.
The anti-analysis instructions noted in Figure 4 above rendered our previous solution of writing an IDA processor module extension ineffective.
Since our previous solution was no longer effective, we had to manually analyze the code to find these anti-analysis instructions and bypass them to extract the configuration.
Using an MSIL decompiler called dnSpy, we quickly identified the configuration data as shown below in Figure 5.
Figure 8 shows that the ldstr instructions push object references for the metadata strings located at seg000:29F1, seg000:29FB, seg000:2A05 and seg000:2A0F. The object references are enclosed in black boxes in Figure 8.
The IP field from Figure 7 is not enough to statically extract the configuration.
The operand of the ldstr instruction shown in Figure 8 is, according to Microsoft's documentation, a string token, and string tokens refer to entries in the #US (user strings) table.
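To show how such a string token is resolved statically, here is an added Python example (not Unit 42's extractor code) that parses ldstr operands out of a raw IL method body and looks them up in the #US heap; the heap, the IL bytes, the RFC 5737 test address and the placeholder key are all constructed sample data.

```python
# Added example, not Unit 42's extractor: resolve ldstr operands (0x70xxxxxx string
# tokens) against a .NET #US heap, per ECMA-335 II.24.2.4 blob-length encoding.
import struct

def read_compressed_uint(data: bytes, off: int):
    """ECMA-335 compressed unsigned int -> (value, bytes consumed)."""
    b0 = data[off]
    if b0 & 0x80 == 0:
        return b0, 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | data[off + 1], 2
    return struct.unpack_from(">I", data, off)[0] & 0x1FFFFFFF, 4

def encode_compressed_uint(value: int) -> bytes:
    """Inverse of read_compressed_uint (1/2/4-byte forms); only builds the sample heap."""
    if value < 0x80:
        return bytes([value])
    return struct.pack(">H", value | 0x8000) if value < 0x4000 else struct.pack(">I", value | 0xC0000000)

def build_us_heap(strings):
    """Constructed #US heap: empty blob at 0, then UTF-16LE blobs + flag byte; returns (heap, {str: token})."""
    heap, tokens = bytearray(b"\x00"), {}
    for s in strings:
        body = s.encode("utf-16-le") + b"\x00"   # flag byte 0: no special chars
        tokens[s] = 0x70000000 | len(heap)       # 0x70 = #US, low 24 bits = offset
        heap += encode_compressed_uint(len(body)) + body
    return bytes(heap), tokens

def resolve_ldstr_token(us_heap: bytes, token: int) -> str:
    """Map a string token to the text it references in the #US heap."""
    if token >> 24 != 0x70:
        raise ValueError(f"not a #US string token: {token:#010x}")
    offset = token & 0x00FFFFFF
    length, used = read_compressed_uint(us_heap, offset)
    blob = us_heap[offset + used:offset + used + length]
    return blob[:-1].decode("utf-16-le")         # drop the trailing flag byte

def extract_ldstr_strings(il: bytes, us_heap: bytes):
    """Strings pushed by ldstr (opcode 0x72 + LE token) in a raw IL body. Naive byte
    scan; a real extractor decodes instructions so 0x72 inside an operand is not an opcode."""
    found = []
    for i in range(len(il) - 4):
        if il[i] == 0x72 and il[i + 4] == 0x70:  # token high byte sits at i+4 (LE)
            found.append(resolve_ldstr_token(us_heap, struct.unpack_from("<I", il, i + 1)[0]))
    return found

# Constructed sample: RedLine-style config strings and an IL body "ldstr ip; ldstr id; ldstr key; ret".
CONFIG_FIELDS = ["198.51.100.23:6677", "build_test", "placeholder-key"]
US_HEAP, TOKENS = build_us_heap(CONFIG_FIELDS)
IL_BODY = b"".join(b"\x72" + struct.pack("<I", TOKENS[s]) for s in CONFIG_FIELDS) + b"\x2A"
```

Against a real sample, the #US heap and method bodies come from the PE's CLI metadata (dnSpy or a metadata parser exposes both) rather than from the constructed values here.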
By delving into the methods used for GuLoader and RedLine Stealer, we shed light on the process of locating and extracting C2 configurations from various malware families.
Leveraging our insights gained from analyzing these malware configurations, we can enhance our ability to detect, analyze and develop effective countermeasures against malicious software.
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Fri, 05 Jan 2024 11:43:05 +0000