Obfuscated Code Execution

ID

obfuscated_code_execution

Severity

high

Resource

Execution

Tags

evader

Description

This detector looks for evidence of obfuscated code execution. Obfuscating the way code is executed is usually a sign of malware trying to remain hidden.

In particular, it looks for obfuscated invocations of code-executing functions, such as eval or child_process.exec in JavaScript. In the sample below, the WScript.Shell object and its run method are reached only through renamed aliases and a computed property name:

var edeb = WScript;                                   // alias for the WScript host object
var cqorobcit = edeb.CreateObject('WScript.Shell');   // shell object under a random name
var jqutzo = "cmd.exe /c";                            // command string kept in a variable
var tdurot = "run";                                   // method name kept as data, not as code
cqorobcit[tdurot](jqutzo, 0);                         // computed-property call: shell.run("cmd.exe /c", 0)

The detector also checks for non-obfuscated invocations of these functions whose arguments are obfuscated:

require(a0_0x8b5b(0x1c6)) // (1)

(1) Where a0_0x8b5b is a decoder function that returns the name of the module to require.
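A toy version of the two checks just described, added here as an illustration and not the detector's own implementation: regex heuristics (a real detector works on an AST) run over constructed snippets, including the two samples above. The rule names and the list of execution functions are assumptions made for the example.

```javascript
// Added example, not the detector's own code. Regexes are used only to keep it dependency-free.
const EXEC_NAMES = ['eval', 'Function', 'exec', 'execSync', 'spawn', 'run', 'ShellExecute', 'require'];

// identifiers in the style produced by common JS obfuscators, e.g. _0x1a2b or a0_0x8b5b
const OBF_IDENT = /^(?:a\d+)?_0x[0-9a-f]+$/i;
// obj[key](...) where key is a variable rather than a literal
const COMPUTED_CALL = /\b[A-Za-z_$][\w$]*\[([A-Za-z_$][\w$]*)\]\s*\(/g;
// execFn(decoder(0x1c6)): plain call whose argument comes from an obfuscator decoder
const DECODED_ARG = /\b(eval|Function|exec|execSync|spawn|require)\s*\(\s*([A-Za-z_$][\w$]*)\s*\(\s*0x[0-9a-f]+/gi;
// execFn("\x63\x6d\x64...") or execFn(String.fromCharCode(...)): literal hidden from plain grep
const ENCODED_ARG = /\b(eval|Function|exec|execSync|spawn|require)\s*\(\s*(?:String\.fromCharCode|["'](?:\\x[0-9a-f]{2}){4,})/gi;

function stringAssignedTo(src, name) {
  // value of `var|let|const <name> = "<literal>"` in src, or null if none
  const safe = name.replace(/\$/g, '\\$');
  const m = src.match(new RegExp(`\\b(?:var|let|const)\\s+${safe}\\b\\s*=\\s*(["'])([^"']*)\\1`));
  return m ? m[2] : null;
}

function scan(src) {
  const findings = [];
  for (const m of src.matchAll(COMPUTED_CALL)) {            // obfuscated invocation
    const resolved = stringAssignedTo(src, m[1]);
    if (resolved !== null && EXEC_NAMES.includes(resolved)) {
      findings.push({ rule: 'obfuscated_invocation', target: resolved });
    }
  }
  for (const m of src.matchAll(DECODED_ARG)) {              // plain call, decoded argument
    if (OBF_IDENT.test(m[2])) findings.push({ rule: 'obfuscated_argument', target: m[1] });
  }
  for (const m of src.matchAll(ENCODED_ARG)) {              // plain call, encoded literal
    findings.push({ rule: 'encoded_argument', target: m[1] });
  }
  return findings;
}

// constructed samples: the two from the rule description, an encoded eval, and a benign file
const WSCRIPT_SAMPLE = `var edeb = WScript;
var cqorobcit = edeb.CreateObject('WScript.Shell');
var jqutzo = "cmd.exe /c";
var tdurot = "run";
cqorobcit[tdurot](jqutzo, 0);`;
const REQUIRE_SAMPLE = 'require(a0_0x8b5b(0x1c6))';
const EVAL_SAMPLE = 'eval("\\x61\\x6c\\x65\\x72\\x74\\x28\\x31\\x29")';
const BENIGN_SAMPLE = 'const fs = require("fs");\nconst m = "readFileSync";\nconsole.log(fs[m]("x"));';

for (const s of [WSCRIPT_SAMPLE, REQUIRE_SAMPLE, EVAL_SAMPLE, BENIGN_SAMPLE]) console.log(scan(s));
```

The benign file uses the same computed-property shape as the WScript sample, which is why the heuristic resolves the key to its string value before flagging anything.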

Rationale

Detecting malicious obfuscated code execution is crucial for maintaining the security and integrity of computer systems. Obfuscation refers to the deliberate act of making code more difficult to understand, which is often used by attackers to evade detection by security tools. Here are several reasons why detecting malicious obfuscated code is important:

Evasion of Signature-Based Detection: Traditional antivirus and intrusion detection systems often rely on signatures or patterns to identify known malware. Obfuscation can alter the appearance of the code, making it challenging for signature-based detection mechanisms to recognize malicious patterns.

Stealth and Concealment: Malicious actors use obfuscation to hide the true intent of the code. By making the code difficult to decipher, attackers can conceal their activities from security analysts, making it harder to identify and analyze malicious behavior.

Anti-Analysis Techniques: Obfuscated code can include anti-analysis techniques that specifically target security researchers and automated analysis tools. These techniques aim to thwart efforts to reverse engineer or understand the functionality of the malware.

Polymorphic Malware: Obfuscation is often a component of polymorphic malware, which dynamically changes its appearance with each infection. This variability makes it challenging for security solutions to create static signatures, requiring more sophisticated detection methods.

This technique is common across malicious code in general. Some well-known examples that use it:

  • PoisonIvy stands out as a widely utilized remote access tool (RAT) employed by various groups since its initial appearance in 2005.

  • Hydraq originated as a data-theft trojan first deployed by Elderwood during the 2009 Google intrusion known as Operation Aurora. Numerous iterations of this trojan have since been used in more recent campaigns by different Chinese actors, potentially including APT17.

  • The 2016 Ukraine Electric Power Attack denotes a campaign by the Sandworm Team, utilizing malware to target and disrupt distribution substations within the Ukrainian power grid.

  • It is also very common in malicious npm package campaigns, seen for example in @ks-radar/radar, @am-fe/utils, @expue/vue3-renderer and many other packages.