Obfuscated Code

ID

obfuscated_code

Severity

high

Resource

System

Tags

evader

Description

This detector looks for generic evidence of code obfuscation.

Obfuscated code is usually a sign of potential malware trying to remain hidden.

The specific evidence checked is:

  • Code entropy: a measure of the information density (average information per symbol) of a given string, computed with Shannon's formula H = -Σ p(x) log2 p(x) over the character frequencies p(x).

    Large numbers of high-entropy identifiers and strings are atypical in benign software. Comparing a package's entropy against a baseline measured on non-malicious code can surface evidence of obfuscation.

var pudedsediqhytifcetequcefkynusypmymravadymniputatochuwgosewakhotagpikifzohefnohwabujgugivugcicykhovdabe = ["ML2"];
var letkogunquqpycyqwohvekmadxazgitcirybazoqiluvememysimmeffagewehnencanmuluvmerywbufyksexfijavtomeziqinmurqo = ["WSc"];
var ahqanegqagaxatebytiqcyxhervebyhamynussinyfzoxwanzabzabebpedzoccogpeneluponopteknimwextejowyjowdyrimrogzivnehp = [-57, "ve", -58];
var yjpyxomubynezaxesihikkizmycdimkuxbudcypoqwegoxrapgyckexgucxujkizifovozkiheropuhwuvajiryhbivkapivawusbudpu = [-87, "eam"];
var vxaskuzfijmojicyropsuqephoreqolvawizidavunwivbajupjesavyhwabjubqidfugaxugyzytucutuqpoxidejgaxavhithojgaxu = [-48, "Scr", -98];
var wbodyhocesosgoccymwuzfegsyrafkutladjekigvymvarhiqcogystenmeppatzilfuvakozvutnukepzafodzodjujferhugoxqidyga = ["Op"];
var urkohcicxisqojiphygilydumitminefcofvelnosdacitofpozbezimehmezwebjytekzanrywgipycejzyhopikosoraqrufzikiguca = [-46, "To"];
var raffihkuqcyleripifwixepisnittekkotxylaturepiftihvipuzdixjusunifrudjytvehhebelysumibxepaslygsuzbacgafa = ["Spe"];
var neryphoruhihurelvurjiqxyqwifywuddawifizarohdovafifuvizovbukdykqaxdizodyhrudysosgykysmoltesvutkacezhefcufavw = ["eni", 7];
var itehisymqodlelyvisbinlegnibuzipzokvyrgocilewmobycqybozcexepoqqeclexvasranacudychyvtebylekajujekpuzyryqo = ["e"];
var kubutexhumtewybajeptyvehjodticenduzqatnehyfboxymmyzyhokjuzusetnospenazognytnevytunciqajqaddosogibzete = [87, "Str"];
var ctespusixariswafikiqikiregxejtyvophorvafivwykepcalagxemysqemiquluqbaqgoruwqecfivteduzses
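The entropy check sketched above, as an added example (not the detector's own code): identifiers and string literals are pulled out of JavaScript source with regular expressions and flagged when both their length and their Shannon entropy are atypical for hand-written code. The thresholds, the token regexes and the sample input are assumptions made here for illustration; the two long identifiers are copied from the evidence above, the rest of the sample is constructed.

```javascript
// Added example, not the detector's own code: an entropy-based triage pass
// over JavaScript source. Identifiers and string literals are pulled out with
// regular expressions (no parser dependency) and flagged when their length and
// Shannon entropy are atypical for hand-written code. The thresholds are
// illustrative assumptions, not the detector's real values.

const IDENT_MIN_LEN = 40;       // hand-written identifiers are rarely this long
const IDENT_MIN_ENTROPY = 3.0;  // bits/char; random letter soup sits well above this
const STRING_MIN_LEN = 24;
const STRING_MIN_ENTROPY = 4.0; // base64/hex-like blobs; URLs and prose repeat characters

// Shannon entropy in bits per character: H = -sum_i p_i * log2(p_i),
// where p_i is the relative frequency of character i in the string.
function shannonEntropy(s) {
  const chars = Array.from(s);
  if (chars.length === 0) return 0;
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const STRING_RE = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
const IDENT_RE = /[A-Za-z_$][\w$]*/g;

// Scan source text; return every identifier or string literal that exceeds
// both the length and the entropy threshold for its kind.
function scanSource(src) {
  const findings = [];
  const strings = [];
  // Blank out string literals first so their contents are not tokenised as identifiers.
  const codeOnly = src.replace(STRING_RE, (m, dq, sq) => {
    strings.push(dq !== undefined ? dq : sq);
    return '""';
  });
  for (const s of strings) {
    const h = shannonEntropy(s);
    // Natural-language strings hover around 4 bits/char too, so whitespace is
    // used as a cheap "this is prose, not an encoded blob" signal.
    if (s.length >= STRING_MIN_LEN && !/\s/.test(s) && h >= STRING_MIN_ENTROPY) {
      findings.push({ kind: 'string', text: s, length: s.length, entropy: h });
    }
  }
  for (const id of codeOnly.match(IDENT_RE) || []) {
    const h = shannonEntropy(id);
    if (id.length >= IDENT_MIN_LEN && h >= IDENT_MIN_ENTROPY) {
      findings.push({ kind: 'identifier', text: id, length: id.length, entropy: h });
    }
  }
  return findings;
}

// Constructed sample input: two identifiers copied from the evidence above,
// some benign code, and a base64 blob (RFC 2617's "Aladdin:open sesame" example).
const SAMPLE = [
  'var pudedsediqhytifcetequcefkynusypmymravadymniputatochuwgosewakhotagpikifzohefnohwabujgugivugcicykhovdabe = ["ML2"];',
  'var letkogunquqpycyqwohvekmadxazgitcirybazoqiluvememysimmeffagewehnencanmuluvmerywbufyksexfijavtomeziqinmurqo = ["WSc"];',
  'const endpoint = "https://ipinfo.io/json";',
  'const auth = "QWxhZGRpbjpvcGVuIHNlc2FtZQ==";',
  'const msg = "This script can only be run from index.js";',
  'function getServers(list) { return list.length; }',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanSource(SAMPLE)) {
    console.log(`${f.kind} len=${f.length} H=${f.entropy.toFixed(2)} ${f.text.slice(0, 40)}`);
  }
}
```

Two points worth keeping in mind when tuning this: per-character entropy is bounded by log2(length), so short tokens can never score high and a length gate is needed alongside the entropy gate; and English prose sits close to 4 bits/char, which is why the string check also requires the absence of whitespace. The thresholds themselves should be calibrated against a benign corpus, as the description says.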
  • Dynamic access: malicious code usually obfuscates what it is doing, not only when invoking critical functions but throughout the code, so that property and method names are assembled at run time from string fragments (computed member access) instead of being written literally.

let req = new XMLHttpRequest();
var array = [
    "p", "1", "odjlkjdklsa", "o", "lkjkjfjhklfdsf", "14.4", "r", "ActiveX", "pe", "21212", "", "", "op", "", "", "n"
];

// array[3] + array[8] + array[15] === "o" + "pe" + "n" === "open";
// the method name never appears literally. `url` is assumed to be defined elsewhere.
req[array[3] + array[8] + array[15]]("GET", url); // Performs a request in an obfuscated manner
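One way to resolve such computed accesses statically, as an added example that is not part of the detector: collect string-array literals declared in the source and fold `obj[arr[i] + arr[j] + ...]` expressions back into the names they build. The sample source is a constructed copy of the snippet above plus one invented call site that references an undeclared table, to show the unresolved case; the function names, the JSON-compatible-array assumption and the list of sensitive names are choices made here.

```javascript
// Added example, not the detector's own code: statically resolve computed
// member accesses of the form obj[arr[i] + arr[j] + ...] when `arr` is a
// string-array literal declared in the same source.

// Constructed input: the dynamic-access snippet above, plus a second call
// that indexes a table which is never declared.
const SAMPLE = `
let req = new XMLHttpRequest();
var array = [
    "p", "1", "odjlkjdklsa", "o", "lkjkjfjhklfdsf", "14.4", "r", "ActiveX", "pe", "21212", "", "", "op", "", "", "n"
];

req[array[3] + array[8] + array[15]]("GET", url);
req[other[0] + array[2]]();
`;

// `var|let|const NAME = [ ... ]` whose literal parses as a JSON array of strings.
// Obfuscators emit double-quoted, comma-separated tables, which JSON.parse
// accepts; anything else (nested arrays, numbers, expressions) is skipped.
const ARRAY_DECL_RE = /\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(\[[^\]]*\])/g;

function collectStringArrays(src) {
  const tables = new Map();
  for (const m of src.matchAll(ARRAY_DECL_RE)) {
    try {
      const value = JSON.parse(m[2]);
      if (Array.isArray(value) && value.every(v => typeof v === 'string')) tables.set(m[1], value);
    } catch (_) {
      // not a plain string-array literal
    }
  }
  return tables;
}

// obj[ NAME[INT] (+ NAME[INT])* ]  -- the computed-access shape in the sample.
const TERM = '[A-Za-z_$][\\w$]*\\s*\\[\\s*\\d+\\s*\\]';
const ACCESS_RE = new RegExp(`([A-Za-z_$][\\w$]*)\\[\\s*(${TERM}(?:\\s*\\+\\s*${TERM})*)\\s*\\]`, 'g');
const TERM_RE = /([A-Za-z_$][\w$]*)\s*\[\s*(\d+)\s*\]/g;

// Names worth a second look when they are assembled rather than written plainly
// (an illustrative list, not the detector's).
const SENSITIVE = new Set(['open', 'send', 'eval', 'exec', 'execSync', 'spawn', 'write', 'writeFileSync']);

// One record per computed access: the object, the index expression, the
// concatenated string it evaluates to (null when a term cannot be resolved,
// e.g. unknown table or out-of-range index) and whether that name is sensitive.
function resolveDynamicAccesses(src) {
  const tables = collectStringArrays(src);
  const results = [];
  for (const m of src.matchAll(ACCESS_RE)) {
    let resolved = '';
    for (const t of m[2].matchAll(TERM_RE)) {
      const table = tables.get(t[1]);
      const idx = Number(t[2]);
      if (!table || idx >= table.length) { resolved = null; break; }
      resolved += table[idx];
    }
    results.push({
      object: m[1],
      expression: m[2],
      resolved,
      suspicious: resolved !== null && SENSITIVE.has(resolved),
    });
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of resolveDynamicAccesses(SAMPLE)) {
    console.log(`${r.object}[${r.expression}] -> ${r.resolved === null ? '<unresolved>' : JSON.stringify(r.resolved)}${r.suspicious ? '  (sensitive)' : ''}`);
  }
}
```

Run on the sample, the first access folds to `req["open"]`, i.e. `XMLHttpRequest.prototype.open`, and the second stays unresolved because `other` is never declared. A regex front end like this is only a triage aid; tables built by concatenation, rotation or decoding at load time need an AST walk or a sandboxed evaluation instead.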
  • Proxy functions: another technique is to spread execution across many tiny functions that act as proxies between caller and callee. Typically such a function reassigns itself inside its own body, pointing to another function that holds the actual logic to be executed.

    It is also common to see Array or Object literals holding a collection of string literals (object/module accessors, URLs, etc.) that the code reaches only through these proxies.

// String table: every literal the script uses, referenced only by index.
function a0_0x18be() {
    const _0x569229 = [
        "getServers",
        "length",
        "toISOString",
        "https://ipinfo.io/json",
        "dns",
        "family",
        "version",
        "4675194jUfrOk",
        "mac",
        "querystring",
        "parse",
        "130dOJewb",
        "stringify",
        "POST",
        "00:00:00:00:00:00",
        "8YENhQx",
        "get",
        "networkInterfaces",
        "./package.json",
        "USERDNSDOMAIN",
        "argv",
        "username",
        "linux",
        "app.threatest.com",
        "stdout",
        "/report/",
        "https",
        "error",
        "VMware\x20Virtual\x20Processor",
        "700499BSVzRr",
        "end",
        "cwd",
        "config",
        "1538duqKJF",
        "40844cYuCPL",
        "vendor",
        "id_rsa",
        "name",
        "address",
        "userInfo",
        "3093WuGUUO",
        "125MQQPyg",
        "forEach",
        ".kube",
        "/dev/kvm",
        "data",
        "QEMU\x20Virtual\x20CPU",
        "env",
        "1193918ESZOmQ",
        "log",
        "internal",
        "keys",
        "child_process",
        "cpus",
        "request",
        "join",
        "basename",
        "___resolved",
        "readFileSync",
        "existsSync",
        "4120872glvxZG",
        "943551yACLWg",
        "homedir",
        "write",
        "This\x20script\x20can\x20only\x20be\x20run\x20from\x20index.js",
        "includes",
        "VirtualBox",
    ];
    // The first call replaces the function with a closure that just returns
    // the table, so every later call is a cheap lookup.
    a0_0x18be = function () {
        return _0x569229;
    };
    return a0_0x18be();
}

// Proxy: maps an opaque numeric key to a table entry. Like the table
// function, it rewrites itself on first use.
function a0_0x8b5b(_0x332b81, _0x50fcce) {
    const _0x18be71 = a0_0x18be();
    return a0_0x8b5b = function(_0x8b5b5d, _0x4bceb5) {
        _0x8b5b5d = _0x8b5b5d - 0x111; // key minus a constant offset gives the table index
        let _0x2ace20 = _0x18be71[_0x8b5b5d];
        return _0x2ace20;
    }, a0_0x8b5b(_0x332b81, _0x50fcce);
}
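How a tool can both detect this proxy pattern and undo it, as an added example that is not part of the detector or of the sample above: the self-rewriting shape (`function NAME(...) { ... NAME = function ...`) is the detection signal, and the string table together with the `- 0x111` offset is enough to resolve every `NAME(<number>)` call site to the literal it stands for. The source analysed is a constructed fragment: a shortened copy of the two functions above plus invented call sites such as `a0_0x8b5b(0x114)`; all function names in the tool (`findSelfRewritingFunctions`, `resolveLookups`, `rewriteLookups`) and the regex heuristics are choices made here.

```javascript
// Added example, not the detector's own code: detect the self-rewriting proxy
// pattern and statically resolve the string-table lookups it mediates.

// Constructed input: shortened table and lookup functions from the sample
// above, followed by invented call sites (one of them out of range).
const SAMPLE = `
function a0_0x18be() {
    const _0x569229 = ["getServers", "length", "toISOString", "https://ipinfo.io/json", "dns", "family", "version", "4675194jUfrOk", "mac"];
    a0_0x18be = function () { return _0x569229; };
    return a0_0x18be();
}
function a0_0x8b5b(_0x332b81, _0x50fcce) {
    const _0x18be71 = a0_0x18be();
    return a0_0x8b5b = function (_0x8b5b5d, _0x4bceb5) {
        _0x8b5b5d = _0x8b5b5d - 0x111;
        let _0x2ace20 = _0x18be71[_0x8b5b5d];
        return _0x2ace20;
    }, a0_0x8b5b(_0x332b81, _0x50fcce);
}
const endpoint = a0_0x8b5b(0x114);
const count = servers[a0_0x8b5b(0x112)];
const missing = a0_0x8b5b(0x200);
`;

// Evidence 1: a function declaration whose body later assigns a function to
// its own name. Regex heuristic (a real tool would walk an AST); the lazy
// match stops at the first such assignment after the declaration.
const SELF_REWRITE_RE = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{[\s\S]*?[^\w$.]\1\s*=\s*function\b/g;

function findSelfRewritingFunctions(src) {
  return Array.from(src.matchAll(SELF_REWRITE_RE), m => m[1]);
}

// Evidence 2: the largest string-array literal, i.e. the table the proxies index into.
function extractStringTable(src) {
  let best = null;
  for (const m of src.matchAll(/=\s*(\[[^\]]*\])/g)) {
    try {
      const arr = JSON.parse(m[1]);
      if (Array.isArray(arr) && arr.every(s => typeof s === 'string') && (!best || arr.length > best.length)) best = arr;
    } catch (_) { /* not a plain string array */ }
  }
  return best;
}

// The lookup function subtracts a constant from its key (`x = x - 0x111`);
// that constant is the index base for every call site.
function extractOffset(src) {
  const m = src.match(/([A-Za-z_$][\w$]*)\s*=\s*\1\s*-\s*(0x[0-9a-fA-F]+|\d+)/);
  return m ? Number(m[2]) : 0;
}

// Resolve every NAME(<number>) call where NAME is a self-rewriting function.
// value is null when the index falls outside the table.
function resolveLookups(src) {
  const table = extractStringTable(src);
  const offset = extractOffset(src);
  const findings = [];
  if (!table) return findings;
  for (const name of findSelfRewritingFunctions(src)) {
    const callRe = new RegExp(`(?<![\\w$])${name.replace(/\$/g, '\\$')}\\(\\s*(0x[0-9a-fA-F]+|\\d+)\\s*\\)`, 'g');
    for (const c of src.matchAll(callRe)) {
      const index = Number(c[1]) - offset;
      findings.push({ call: c[0], index, value: index >= 0 && index < table.length ? table[index] : null });
    }
  }
  return findings;
}

// Replace resolved calls with string literals; unresolved ones are left as-is.
function rewriteLookups(src) {
  let out = src;
  for (const f of resolveLookups(src)) {
    if (f.value !== null) out = out.split(f.call).join(JSON.stringify(f.value));
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('self-rewriting functions:', findSelfRewritingFunctions(SAMPLE));
  console.log(rewriteLookups(SAMPLE));
}
```

On the sample this reports both helper functions as self-rewriting and turns `const endpoint = a0_0x8b5b(0x114);` into `const endpoint = "https://ipinfo.io/json";`, while `a0_0x8b5b(0x200)` is left alone because index 239 is past the end of the table. One caveat: obfuscators of this family commonly also rotate the table at load time (entries such as "4675194jUfrOk" feed that check), so when a rotation loop is present the indices only line up after it has been replayed, and a real tool either simulates the rotation or evaluates the lookup function in a sandbox rather than trusting the raw array order.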

Rationale

Detecting malicious obfuscated code is crucial for maintaining the security and integrity of computer systems. Obfuscation refers to the deliberate act of making code more difficult to understand, which is often used by attackers to evade detection by security tools. Here are several reasons why detecting malicious obfuscated code is important:

Evasion of Signature-Based Detection: Traditional antivirus and intrusion detection systems often rely on signatures or patterns to identify known malware. Obfuscation can alter the appearance of the code, making it challenging for signature-based detection mechanisms to recognize malicious patterns.

Stealth and Concealment: Malicious actors use obfuscation to hide the true intent of the code. By making the code difficult to decipher, attackers can conceal their activities from security analysts, making it harder to identify and analyze malicious behavior.

Anti-Analysis Techniques: Obfuscated code can include anti-analysis techniques that specifically target security researchers and automated analysis tools. These techniques aim to thwart efforts to reverse engineer or understand the functionality of the malware.

Polymorphic Malware: Obfuscation is often a component of polymorphic malware, which dynamically changes its appearance with each infection. This variability makes it challenging for security solutions to create static signatures, requiring more sophisticated detection methods.

This is a common feature found broadly across malicious code; some notable examples that use it:

  • PoisonIvy is a widely used remote access tool (RAT) employed by various groups since its initial appearance in 2005.

  • Hydraq originated as a data-theft trojan first deployed by Elderwood during the 2009 Google intrusion known as Operation Aurora. Numerous iterations of this trojan have since been used in more recent campaigns by different Chinese actors, potentially including APT17.

  • The 2016 Ukraine Electric Power Attack was a campaign by the Sandworm Team, using malware to target and disrupt distribution substations within the Ukrainian power grid.

  • Common in malicious npm package campaigns; seen in @ks-radar/radar, @am-fe/utils, @expue/vue3-renderer and many other packages.