2024, REcon
https://cfp.recon.cx/recon2024/talk/GRV7EX/
https://gitlab.com/eshard/d810/-/merge_requests/3
https://github.com/TakahiroHaruyama/ida_haru/tree/master/callstrings
Internet-wide malware command-and-control (C2) server scanning based on protocol emulation is a game changing technique as one of the most proactive threat detection approaches. It allows real time blocking of malicious communications of a variety of known malware families. On the other hand, protocol reversing is a challenging task, especially when the code is obfuscated at compiler-level.
In this presentation, I will detail how to reverse the C2 protocol of the malware used by one of the PRC-linked cyberespionage threat actors. The malware was obfuscated with multiple methods likely applied at compile time. In order to identify the protocol format and its encryption algorithm, I not only extended an existing tool to defeat more control flow flattening (CFF) and mixed boolean arithmetic (MBA) expression cases but also implemented another one to decode strings constructed polymorphically in stack area under the CFF conditions.
I will also explain how to emulate the C2 protocol. I validated the request/response data by implementing a fake C2 server and catching a real one. Then I developed a PoC scanner to narrow down true positives based on multiple clues such as TLS handshake errors, JARM fingerprints and HTTP header values authenticated by C2. I will demonstrate the scanner in the presentation.
The presented research techniques and findings will be beneficial to those who need deep malware RE.