The definition of obfuscation is: to make something less clear and harder to understand, especially intentionally. Malware authors often employ this methodology to make their malware and payloads more difficult to detect and analyze.
This talk will dive into the fundamentals of obfuscation, encryption, and get down and dirty with deobfuscating some funny and some downright bizarre advanced persistent threat (APT) examples discovered by Anomali researchers. We will also look at a Necurs botnet email that attempted to target victims with an obfuscated script to drop GlobeImposter ransomware and the Trickbot trojan.
Watch the on-demand webcast led by Ryan Robinson, Security Researcher at Anomali.
Welcome to my talk.
I am Ryan Robinson.
I'm a security researcher in Anomali.
Come on in, sir.
Take a seat.
So we're going to be going for a sort of [INAUDIBLE] today.
Folks, come on in.
So what I [INAUDIBLE] do is I would work with malware normally, sort of threat analysis.
So just a lot of technical stuff.
So what we'll sort of go through today is some sort of obfuscation examples, like very, very low level examples of it, and then some tools that one might be able to use to sort of analyze these or commit some techniques.
And so yeah.
It's sort of like a one to one port.
So we can go straight in.
Like what is the definition of obfuscation.
And I think I got this from the Oxford dictionary.
And it said, the act of making [INAUDIBLE] more difficult to understand, usually deliberately.
So everyone recognized their own prescription note from their doctor there.
There's sort of many reasons why one would kind of want to obfuscate some.
So I guess a doctor's note [INAUDIBLE], if the news is a wee bit bad, they might want to sort of write that down.
The patient doesn't understand that they're going to die soon.
The other [INAUDIBLE] our examples, I guess in the United States you guys have things called riders on legislation today.
So maybe it's some that's a wee bit controversial.
So what they'll do is they'll stick it at the bottom of maybe a very, very big bill [INAUDIBLE].
There's sort of many things.
Ray Mavis was talking about yesterday that someone he knows is getting some stuff through, and how all this jargon, kind of, like military terms, and the person writes back English.
He sends it back.
Well, what he is assuming is that that person wants them to understand.
Maybe they don't.
So I'll go through what I think is a sort of historical example of it.
So this here, the British in World War I invented the dazzle camouflage.
The Americans call it the razzle dazzle [INAUDIBLE].
And the concept of this is, instead of trying to camouflage your ship, make it less visible, what you do is that you make it more difficult for the enemy to target it.
So this is the sort of concept behind it.
And what you'd do is you painted all these sort of weird shapes and lines and all, and different colors in it so that the enemy would maybe be confused about the speed of the ship, the class of the ship, and which direction it's going.
And in cases like the number of ships, [INAUDIBLE].
So there's some crude examples, like in World War II Americans would paint the fake waves on the ships to make them look like they're going faster.
So there's some nice examples here.
This here is an American torpedo boat in World War II.
And I think that's a really nice example.
It's sort of you don't know what's the front, what's the back.
Any points or anyone knows what this ship on the bottom is, or what it even looks like, quickly?
But it is actually the sister ship of the Titanic.
So it is.
And obviously Titanic sank before World War I.
And so it's the only merchant vessel in World War I that actually sank a German sub.
So [INAUDIBLE] one time saw a German sub just floating in the water, decided to steer towards it, and managed to-- I don't think it fully sank, but managed to put it out of action.
And there is some statistics that show that this actually kind of did work.
These ships were targeted more often and sank less, but there's still some debate at whether it's fully effective, because it was only mainly the bigger ships that would have been painted like this.
So they obviously would've been targeted more.
There is sort of testimony from a German submarine captain.
And he said that it was really, really effective when he first looked at it from a distance because of the lines and all.
And so I know these pictures are black and white.
But they have green and blue stripes in it so it looked like water in the middle.
So he said it looked like multiple ships going in right angles to each other.
And so yeah, [INAUDIBLE] whether it's fully effective.
But obviously, we're here for cyber.
So I'll just jump in sort of different techniques.
You know, we'll just go straight in.
So the first one to go for it is encoding.
So one of my co-workers messages me one day saying, hey, I found a sort of weird file.
And she had a YARA rule based around [INAUDIBLE].
I just said, can you take a look at this file for me?
But it was named after news to do with Cambodia.
And so when I opened the file, all I see is this here, and just white space, just empty below it.
So I go back there.
I go no problems.
Nothing to see here.
But when I actually closed the thing, I noticed that the file size was really, really big for what it was.
You're not expecting more than a couple hundred bytes for that file size.
But it was a matter of kilobytes.
So [INAUDIBLE], but what is it actually?
So I opened the file back up and realized that down in the white space, there was actually hiding this at the bottom.
And if you can maybe see if I stand back here and point, it's on line 139.
So what the person had done, hit the Return key a lot of times just to bring this right down.
I'll go through what the first thing that they made it hard to understand here.
And it's minification.
Again, [INAUDIBLE] 20 times.
But each time I think I get it, I'll screw it up again.
Because for the interpreter to understand this, it doesn't need the name.
You've called your thing array.
You can just call it A.
It doesn't need all these white spaces.
It doesn't care that it reads nicely.
It just needs to interpret it.
So you can sort of make the file smaller and cut stuff down to increase page loading times.
But then, again, it makes it kind of hard to read.
So if I go back to this slide here, we're now going to go into what our first encoding thing is.
Is anyone able to tell me what these strings are here encoded in?
If there's no hands, I'm going to pick on someone.
I'm going to pick on you.
They're hex-encoded strings.
And as it runs, it'll pick out elements within this array of strings and put them here, because even though these are hex-encoded strings, it'll interpret them as strings.
So how do we think about decoding these?
And so there's sort of a nice example there.
But it's all ones and zeroes in a computer.
But when you actually-- it really depends how you interpret it.
You can interpret [INAUDIBLE] hex, so on and so on.
But sort of I would want to decode it.
So if I grab this in my clipboard here, [INAUDIBLE].
And I will bring up my first tool [INAUDIBLE].
So my tool is called CyberChef.
And CyberChef was made by GCHQ within the United Kingdom.
They made it available for everyone to use.
So you can go onto the website to use it.
Or you can get the GitHub link to clone it.
So you can.
So you have your input here, I put.
And then you're able to perform operations on it.
Hopefully you can see so that it's not too cut off there.
But what I'm able to do is I'm able to paste this into my input, or press the On button.
So I'm able to paste this here.
And since we identified that this is hex encoding, I'm able to search here and go from hex and pull this over.
And what I'll do so I'll take my deliberate.
You can start to see that we're actually starting to decode some of these strings here.
But it still looks pretty messy.
It's kind of hard to see.
We can maybe see a URL here.
Like what is it going on?
So a nice thing that I like to do for this is I like to actually put it into a Python interpreter.
Because since this is just an array, if you take this and stuck it straight into Python, it's able to be interpreted as a list.
And so my second tool, this is PyCharm.
You can buy licensed versions, like what you have.
Or there is a Community Edition as well if you want to talk about it.
But so I just paste it down there.
And I can stick a break point on it.
If I run this and place a break point here, you'll see that it's able to interpret the strings in here.
I wish I could sort of make the font bigger for you guys there.
But if you can see that it just went and decoded all my strings.
And what it's really nicely done is that it's even kept the positions that way.
They have a really nice, beautified version of the script.
And I guess the main thing that I got here is this one here.
It's sort of string number three.
This here was the shell command that it was actually running.
And so this is actually sort of a de-obfuscated version of itself that it was putting in the start up folder to maintain persistence.
And you'll see down here that this was the C2 address here.
I don't know if anybody's from iDefense or Accenture here.
But they've done a really good talk last year on Mudcarp, which is this group, or probably more commonly known as TEMP.Periscope.
Or actually, they've gotten APT40 now.
They're not a TEMP group anymore.
But what this has done was it went out to the C2 that we found there.
And it decodes it.
And I don't want to actually spoil my phone [INAUDIBLE].
This was sitting on the C2 server.
And I guess if you also want to call this obfuscation, if you were to visit this in a browser, it just looks like a completely white page, completely blank.
So it does.
But if you were to actually look at the source, the HTML, it's an empty body with a comment in it.
The comment's not actually rendered on screen.
But it just has this big string on it.
And the string just kept going and going.
So, again, I'll come to my second encoding here, which I believe I almost spoiled in the last slide, but can anyone recognize this one?
Thank you very much.
So again, I have this in my clipboard in a second.
And again, you can use multiple things, like I can use CyberChef as well.
But since I have this up here, you can use base64 in your Mac.
So [INAUDIBLE] EPS just to [INAUDIBLE].
And I can pipe that into base64 dash capital D.
And that's the decode thing.
And then I can, say, pipe that out to a file.
So that's enough, but we'll just take a look at that file.
So what we actually have here is the second stage.
And the second stage, we found it around the same time as FireEye.
But we didn't actually give it a name.
I call this one Eviltech, I believe.
And it's a really, really simple backdoor.
And it takes four commands, of which only three work.
But it doesn't really matter, because sort of the [INAUDIBLE] commands, it will cover it for them.
And then there was another command sort of half implemented to execute shell commands.
But they didn't fully implement it.
It would just do nothing [INAUDIBLE].
It's able to use ActiveX objects to execute shell commands.
So it didn't really matter that the other one worked.
So this wasn't actually the persistent thing.
The persistent thing was the other one that you saw, which the downloader they put in the startup folder.
And so the name of the previous one's called [INAUDIBLE].
And I think it's quite popular.
Used by us.
So if I come back, and there's just a nice beautified version of it.
What I find quite nice is that they didn't minify this one for me.
They made it a little nicer.
When you do decode it, you can read it pretty easy off.
When we are probing into the C2, I don't think these guys are hugely sophisticated.
So when [INAUDIBLE] APT40, I think they should have left out the advanced part, I would say.
The sort of multiple other C2s were left open to directory listing.
And you could just go on to their C2s and download everything they had.
They had victim data.
They had sort of tools, utilities, different malwares, sort of different versions of the same things, payloads.
Everything, there was a bonanza.
So they had the scam box on [INAUDIBLE] everything.
So this file here was called the news.js.
It writes out a PowerShell file.
And so you see it writes all these lines to it.
And so we can actually go through and see how we can decode this, because with the other ones we just got the body of text and then decoded in itself.
But say where it has this.
And I'm not sure if you guys notice.
But within the hex, there are non-hex characters.
They did this thing here where they will split out the body of text and then join it back together.
So essentially these splits are like, it will remove all the S's, remove all the zeros, remove all the exclamation marks, so on and so on, until you're left with just pure hex, which then it'll turn back into a normal string.
So again, I'll bring up a Windows VM that I should hopefully have [INAUDIBLE] about here.
And I'll bring up my PowerShell.
So actually I have this file sitting here.
This is my snippet here.
I'll just open this up in the text editor at my account.
[INAUDIBLE] it's small.
So inside the font size looks small.
I can [INAUDIBLE].
So what you have is, if I were just [INAUDIBLE], this first line here is the hex encoded stuff.
Then the base64 encoded stuff.
Then the decimal encoding.
What it does is it just determines if it's a 32-bit or 64-bit thing, and then executes.
So it'll take the string and run it as if it's code.
And so but this string actually decodes itself, as we're seeing.
So is there a way that we can do this?
If we go to the far side of the file-- let me try to move this over a bit [INAUDIBLE].
There we go.
If I come to the end of the file, you'll notice at the end that it executes it in a way like this.
So this is Amf [INAUDIBLE].
In the end it grabs out elements from the result of this and joins it into a string.
And so if I just show you what [INAUDIBLE] looks like-- I can probably have it here-- it's just an environment variable that specifies my command prompt.
And so when we think of, are we running this with CMD.exe?
What it actually does is it grabs the fourth [INAUDIBLE]..
So it starts at 0, 1, and then I'll just do the rest.
So 26 is a.
So it goes a, x.
It's invoking the expression as well.
And sort of what I think they're thinking is that if someone is looking at this, they're going to be looking for IEX.
But they've even obfuscated that.
So if we want instead, we can change this into writing the output, if I can get back in there.
So instead of executing it, just print it out to the console.
And I actually have another one just down here.
[INAUDIBLE] And yep.
That'll do it for me.
So if I save this and then come back into my PowerShell thing, I can run this file which will actually decode itself for me.
So now I have the de-obfuscated PowerShell command.
And I'll just sort of quickly go through what this does.
All the base64 stuff that you saw up there is actually assembly code.
And it opens up a running program in a running process, and injects that assembly code into that process.
And then it executes in [INAUDIBLE] of that [INAUDIBLE].
And it executes the thread there.
So it's doing process injection sort of to hide this executing code.
So that's nice.
Instead of letting it evaluate the expression, you can do a console [INAUDIBLE] dialogue out.
I don't know if anyone's ever looked at any sort of Magecart group stuff.
But they do all this sort of crazy obfuscation.
And you'll see it hopping down ASCII values [INAUDIBLE].
But at the very end, it says eval.
I don't even care about all what that says.
I'll just change out the console log.
Oh, I made this nice little GIF.
So it's doing everything.
But you can just-- problem solved.
So another sort of encoding that I'll go over is exclusive OR, or XOR we're coming on.
So this is sort of the basis of a lot of encryption.
So it is.
And a very simple way to go for it is a 0 and a 0 equals an output of 0.
A 0, 1 equals a 1, 0 equals-- So I guess if you want to say, it has to be one or the other [INAUDIBLE].
And the nice thing about this is that sort of if you have a key, what you put in if you take the output of that and put it back in, you'll get the same thing out.
And that's where you can see that a lot of spaces for encryption come.
So I sort of have that string just sitting on there.
And if I can grab it in my clipboard here-- and, again, I'll probably use CyberChef, or this one.
If I take that out, you can do the XOR operation here.
And I put my key there, which was hex [INAUDIBLE].
You see that hello to tag 19.
And again, I'll re-iterate there that if I move my output to input, I get that.
I can move back and forth.
So using the same key gets the same result of this.
And I'll go through just one more thing.
If you XOR something with itself, the output is 0, because if you line that out in binary, the 1s and the 0s align.
So it's not one or the other.
It's going to be the exact same.
So I'll just show that quickly.
If I put the letter a here, and I XOR it, again with the letter a, I'll just show you the hex output.
You'll see that that's 0.
But if I XOR anything with-- And that's sort of you'll see where I'm going with this in a second.
So if I put 0 there, you'll see that I get 61, but that's the ASCII value for a [INAUDIBLE].
So one day my co-worker finds a GIF.
Oh! So one day my co-worker [INAUDIBLE], he sort of sends me a GIF one day.
But for some reason, his GIF seems to be slightly malicious for some reason.
So we'll go take a look at this actual GIF now.
So we will.
So we'll take a look at the actual contents of the file.
Or we'll take a hex dump.
So if I bring this over here-- I'm just going to clear that first.
So I have that GIF sitting there at profile two it's called there.
If we take a hex dump-- and, again, the tool that I'm using now is xxd, it's called.
This is in all sort of Linux and Mac computers.
And if we do that and then pipe it out-- oh, sorry.
[INAUDIBLE] specify the file first.
If I pipe that out to the less command-- it just keeps me up at the top of the file-- I can see what the contents actually are.
So to anyone that spends their time on hex dumps, this looks very odd.
I don't know how many of you guys just sit and read this all day.
I know some people do.
But it looks slightly odd.
So it does.
And what we'll maybe do is we'll take a look at what a real GIF looks like.
So I have a really cool GIF of SpongeBob.
And actually, what I'll do is I'll just, with my finder over here, just so you can see what the SpongeBob GIF sort of looks like there-- so I've got SpongeBob there.
But if I bring my profile two GIF there, it doesn't quite seem to render [INAUDIBLE] way.
So we'll take a look at SpongeBob here.
And so this is what the format of the file looks like.
The main thing that I want to point out is it says GIF or GIF up in the top corner here.
And what's important about this is what we call this in sort of computing is a magic number.
And these are used to sort of specify the file format.
It's not like this But so all the GIF files should have these bytes at the start.
PDFs will have PDFs and a file version to start.
And zip files will have PK at the start, which is the initials of the guy that created the format.
So you sort of notice that our cool GIF that we had there does not appear to be a GIF.
So one thing that can be quite nice to do is if we want to look at the most common byte that we have in the file, do a bit of a [INAUDIBLE] distribution on it.
So I made this nice bash command for me.
What this bash command does is it prints out a hex dump of all the bytes.
And it sort of puts it into a list.
And then it counts them with column bytes and then sorts it out.
So if I do that on my profile GIF, you'll see that the most common byte that I have here is AA.
So [INAUDIBLE] minus got what?
Over three times the amount of bytes as the next one here.
And what I'll do is I'll do this on a different file.
I have an executable sitting here.
And I'll also run the same command.
You'll see that the most common byte is the null byte, and usually [INAUDIBLE].
So if anyone's able to remember back to what I was saying.
If you [INAUDIBLE] anything with itself, you get 0.
So hypothetically, if I wanted to change this file with a key, perhaps, and make the most common byte in the 0, does anyone know what my key would be then?
[INAUDIBLE] Thank you.
So I can solve this out.
So since I want to turn this into null, if I XOR the file with AA, will we find something interesting?
So I'm going to go into my next tool, which is XORSearch and XORStrings.
I forget who made it.
But I can bring this up here.
I'm on my desktop now.
So I'll use XORStrings first.
And XORStrings means I can specify [INAUDIBLE] 0xAA and operation on that for XOR.
And I can also save the file out.
So I'll do that.
And I'll run that on my profile GIF there.
And you'll see that it's actually already went and printed out some strings.
But more importantly, that just dumped that file out to the desktop here.
And I'll open this up in a hex editor.
And so, again, anyone who likes to look at hex dumps, can they tell me what type of file this is?
It's a Windows portable executable.
So it's not a GIF at all.
So again, North Korea tried to pull one past us.
But not that easy.
But what if we have not the whole file encoded in XOR, but maybe just some strings inside it.
Because it's very, very common for strings within it to be hidden, but not the actual binary itself, decoding at runtime.
So that's where I'll go into XORSearch here.
And what XORSearch is that you're able to go and find sort of maybe strings that you're looking for within a file.
And it's able to kind of brute force them and put them out.
So if I do XORSearch, and I want [INAUDIBLE], I'll use [INAUDIBLE] GIF, I'd want to find, say, any string that matches HTTP.
I'll print that out.
And what you actually see is that with XOR encoded AA, I have a couple of C2 addresses here.
So maybe one program is more useful than the other, depending what you want to do, you're sort of nature of the file.
I guess if you also want to do it, you can also use XORStrings to try-- oh, XORStrings.
[INAUDIBLE] XORSearch to try to find portable executable headers.
[INAUDIBLE] It's very hard.
So you'll see that what it will do is, this program's also able to find the header for a portable executable.
Again, found with the other.
And I'm going to give you a clue as to what the file is encoded in.
So [INAUDIBLE] through.
[INAUDIBLE] That there is what my find common bytes command looks like, sort [INAUDIBLE] if anyone wants to take a photo of that or contact me at the end.
I also have a nice one, just for if you can see the distribution, but I will not go into this now.
What I'd just done was I grabbed the head of the file and then chucked it into CyberChef, and you were able to see sort of visually what the most common byte is, which is 170 here, which is the AA byte.
So here we go.
So we'll maybe get a bit less demo heavy on it, and sort of get something that's quite fun.
So one that's quite popular, quite well known is JJencode.
You can go on the websites like this online and take a look.
And [INAUDIBLE] can use this if they want.
We have seen [INAUDIBLE] Periscope actually use it for APT40.
But there are decoders online.
So you can use it if you want, but it can probably easily be [INAUDIBLE].
My favorite probably would be the AAencode, which changes your code into Japanese emojis.
It's absolutely fantastic.
So this is actual code that can be run.
I'd much sort of prefer to see this as an [INAUDIBLE] horror stuff code.
And [INAUDIBLE] I've had to do some nice censorship here, because it's a family friendly conference, I believe.
Or it's not the DEFCON.
So I'm going to call JSExpletive for this one.
And the sort of way that this works I believe is that you're able to chain up sort of list things, and then add not operators to it.
And you're able to get true and false out of there.
And then you can sort of chain this up the chop ladder side, and then build up the sort of string that gets evaluated.
And that's how that works.
So another sort of way of sort of [INAUDIBLE] code-- and this is maybe a bit like the riders in the legislation-- is to sort of have the important stuff hidden in a mound of Hover.
So one day we get some feedback.
I sent this on our feedback@anomali thing.
You guys can also give feedback to this address.
You can send malware if you want, because it goes to me.
We got this file sent this.
And actually, you can see that the Gmail has already flagged this up.
Gmail's pretty good at finding malware [INAUDIBLE], but I guess what was sort of easy about this one is it was sent from the Necurs botnet, which I imagine is quite heavily researched.
So we have a file down here.
So if you take a look at it, if you ever see a file that says, Enable [INAUDIBLE], Enable Content, does anyone know what it might have inside?
So just totally Macros.
So what tools can we use to analyze sort of stuff with Macros?
So there's a suite called oletools.
And we'll sort of come back here.
Since we're on desktop, I should hopefully have the similar desktop.
I have to have my antivirus [INAUDIBLE].
It keeps [INAUDIBLE].
And it says, hey, you have malware.
Stop [INAUDIBLE] on me.
It's like, I want to run this.
But that looks like it's still switched off.
So you can use oleid, which is a very simple one, which [INAUDIBLE] sitting there.
And it'll just do some sort of simple triage for you.
But more importantly, VBA Macros is true.
So if I want to extract these VBA Macros or take a look at them, I'm sort of going slightly-- I'm almost at the-- But I'll try.
I'll try to speed it up a little bit.
If you can use olevba, preferably not in caps, so it's gone and [INAUDIBLE] out all the code here lovingly for me.
And since we're kind of constrained for time, I'll not go through this all.
But what this does is that it's building up a lot of strings here.
It's turning stuff.
The Hopper key is combining different strings.
You'll see [INAUDIBLE] made this like a substring command within Visual Basic.
But the part that's actually junk code about this is that all these things that you see array [INAUDIBLE], these are never actually used.
These are all just put in to sort of screw with you so that you had to take all your time going through all these, without realizing that this is a relevant string that's used.
But this is not.
This is not.
And sort of you would have to go through.
Again, you'll see that when it [INAUDIBLE] opens here is all these strings are not used.
But this is a function that's called, which is the one up here.
And you can see [INAUDIBLE] that there is actually some PowerShell code up here, which is also obviously given somewhere.
But again, we'll not go through it right now.
[INAUDIBLE] my time.
But what it'll do is it'll dump out all this PowerShell code and then execute it here with VBA Shell.
A program that I recommend-- I'll open it up now-- is VbsEdit.
Again, you can get a license or you can execute a VB script inside it.
Or you can actually get an older version of Microsoft Office to execute it for 2010.
So a bunch of us then.
I don't think you can do it with a newer version.
It's cause they want you to pay stuff for it.
And if you're sort of booting up VMs and [INAUDIBLE] a bit of a mess.
So you can get something like this instead.
One day, I quite like watching these scam baiting videos.
Have anyone seen them?
Sort of tax scammers now?
And you'll have people calling them up and just sort of screwing with them, just to kind of waste their time.
Because sort of many prey on vulnerable people.
And so you'll get people doing all this stuff, like they'll say I have a problem with a Windows PC.
But they'll give them like Ubuntu or something to play with.
And you'll see that a lot of these tax scammers, their script is completely filled.
And I don't know how to use this.
But they still try to tell them that there's a problem with it so that they can pay out money, [INAUDIBLE].
So I was watching a Northern Irish YouTuber.
And in one of his scam baiting things, a tax scammer drops this application on to his virtual machine, [INAUDIBLE] this network protection thing.
And so I decided just to take a wee look at it.
And what it is is that it's a sort of file infector malware.
I didn't actually make my full way through doing the reverse engineering.
You'll see why in a second.
So as I was going through it, I used x64 debugger [INAUDIBLE].
And the person who made it started to have a nice conversation with me about RC helicopters for some reason.
So he says, RC helicopters are, I'll say the bomb, but it was a word [INAUDIBLE].
So he says, RC helicopters.
Am I right?
Am I right?
I go, yeah.
And he goes like, are you?
And then he gives some nice advice later on.
He says, turn off the television, as it is only a flashing box distraction from life.
It's quite nice.
[INAUDIBLE] I sort of closed down my laptop and [INAUDIBLE], you know what?
Good advice, man.
I'll turn off all my screens.
So I would actually really like to see how much time you can waste for analysis by giving them either a load of junk code like all these strings that do nothing, or inserting a lot of jokes.
I imagine the jokes actually take up more of their time.
And so with that, since you don't have very much time-- oh, sorry, yes.
They also drop this file.
I don't know if you want to call this obfuscation or not.
But it dropped an exe file, a bit like my GIF earlier.
But when you look at it, it's just RC helicopters for the win.
Thank you very much.
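Worked example added for the news.js section of the talk (not code from the talk or from Anomali): a decoder for a JavaScript hex string array with junk characters mixed in, which learns the junk characters from the script's own split/join chain, strips them, and reads the array as a Python list the way the talk does in PyCharm. The JS snippet, its array contents and the URL in it are constructed for illustration.

```python
import ast
import re
from string import hexdigits

# Constructed snippet in the style the talk describes for news.js (not the
# real file): an array of hex strings with junk characters mixed in, and a
# split().join() chain that strips them before the hex is turned into text.
JS_SOURCE = r'''
var a = ["6s3!6d!6s4", "2!fs63", "6s8!74!7s4!70s3a!2f!2sf63s32!2e74s65!73!74s2f"];
var cmd = a[0].split("s").join("").split("!").join("");
'''

SPLIT_JOIN = re.compile(r'\.split\("([^"])"\)\.join\(""\)')
ARRAY_LITERAL = re.compile(r'=\s*(\[[^\]]*\])')


def junk_chars(js: str) -> set:
    """Learn the junk characters from the script's own split("x").join("") chain."""
    return set(SPLIT_JOIN.findall(js))


def extract_array(js: str) -> list:
    """Pull the first array literal out and let Python read it as a list,
    which is what pasting the JS array into a Python interpreter does."""
    match = ARRAY_LITERAL.search(js)
    if not match:
        raise ValueError("no array literal found")
    return ast.literal_eval(match.group(1))


def unjunk_hex(element: str, junk: set) -> str:
    """Drop the junk characters, then require what is left to be clean hex."""
    cleaned = "".join(ch for ch in element if ch not in junk)
    if not cleaned or any(ch not in hexdigits for ch in cleaned) or len(cleaned) % 2:
        raise ValueError(f"not hex after stripping junk: {element!r}")
    return bytes.fromhex(cleaned).decode("latin-1")


def decode_array(js: str) -> list:
    """Decode every element the same way the script would at runtime."""
    junk = junk_chars(js)
    return [unjunk_hex(el, junk) for el in extract_array(js)]


if __name__ == "__main__":
    for i, text in enumerate(decode_array(JS_SOURCE)):
        print(f"a[{i}] -> {text!r}")
```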
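Worked example added for the XOR section of the talk (not code from the talk, from Anomali, or from the XORSearch/XORStrings tools): recovering a single-byte XOR key from the most common byte in the file, checking that the decoded blob is a Windows PE, and brute-forcing all 256 keys for "http" the way XORSearch does. The "GIF" sample is a constructed PE-shaped blob XOR-encoded with 0xAA, not the real file, and the URLs inside it are placeholders.

```python
import struct
from collections import Counter


def build_fake_pe() -> bytes:
    """Construct a minimal PE-shaped blob (constructed sample, not real malware).
    Real executables are dominated by 0x00 padding, which is what makes the
    most-common-byte trick from the talk work."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    stub = bytes(0x80 - len(dos_header))             # zero padding (DOS stub area)
    pe_header = b"PE\x00\x00" + bytes(20)            # signature + empty COFF header
    strings = (b"http://c2.example.invalid/gate.php\x00"
               b"http://backup.example.invalid/\x00")
    return bytes(dos_header) + stub + pe_header + bytes(200) + strings + bytes(100)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key gives the input back."""
    return bytes(b ^ key for b in data)


def byte_histogram(data: bytes, top: int = 5):
    """Same idea as the talk's 'find common bytes' shell one-liner."""
    return Counter(data).most_common(top)


def guess_single_byte_key(data: bytes, expected: int = 0x00) -> int:
    """If the plaintext's most common byte is `expected` (0x00 for a PE),
    then key = most common ciphertext byte XOR expected."""
    most_common, _ = byte_histogram(data, 1)[0]
    return most_common ^ expected


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ magic number and the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_search(data: bytes, needle: bytes):
    """Try every single-byte key and report (key, offset, NUL-terminated string)
    wherever `needle` appears, the approach XORSearch takes for 'http'."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        start = 0
        while (pos := decoded.find(needle, start)) != -1:
            end = decoded.find(b"\x00", pos)
            text = decoded[pos:end if end != -1 else len(decoded)]
            hits.append((key, pos, text.decode("latin-1")))
            start = pos + 1
    return hits


# Constructed stand-in for the talk's "profile2.gif": a fake PE XORed with 0xAA.
PLAIN = build_fake_pe()
SAMPLE = xor_bytes(PLAIN, 0xAA)

if __name__ == "__main__":
    print("top bytes:", [(f"{b:02x}", n) for b, n in byte_histogram(SAMPLE)])
    key = guess_single_byte_key(SAMPLE)
    print(f"guessed key: 0x{key:02x}")
    print("PE after decode:", looks_like_pe(xor_bytes(SAMPLE, key)))
    for k, off, s in xor_search(SAMPLE, b"http"):
        print(f"key 0x{k:02x} offset 0x{off:x}: {s}")
```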