ESET researchers bring unique obfuscation techniques to light, aiming to help the cybersecurity industry improve protection against sophisticated threats.
BRATISLAVA – ESET researchers have analyzed and described in detail several techniques used by malicious actors to thwart analysis and avoid detection of their malware. These custom obfuscation and detection evasion techniques were discovered in the course of the investigation of a new module used by the cybercriminals behind the Stantinko botnet.
“The protective techniques we encountered during our analysis are more advanced than the malware they protect. And some of them have not yet been publicly described,” commented Vladislav Hrčka, the ESET malware analyst who conducted the research.
Among the protective techniques, two stand out: the obfuscation of strings and control-flow obfuscation.
Obfuscation of strings relies on meaningful strings being constructed and only present in memory when they are to be used. Control-flow obfuscation transforms the control flow to a form that is hard to read, as the execution order of basic blocks is unpredictable without extensive analysis.
“We dissect these techniques and describe possible countermeasures against some of them,” added Hrčka.
In addition to obfuscation of strings and control-flow obfuscation, the malware authors also employed further techniques: dead code, do-nothing code, and dead strings and resources. These techniques are meant to prevent detection by making the files look more legitimate; furthermore, some implementations are aimed specifically to bypass behavioral detections.
For more details about the new module in the Stantinko botnet, read the blog post Stantinko’s new cryptominer features unique obfuscation techniques on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defences in realtime to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centres worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit https://www.eset.hk/ or follow us on Facebook.