Defeating APT10 Compiler-level Obfuscations
2019-10-23, 17:20–17:40, Europe

Compiler-level obfuscations like opaque predicates and control flow flattening are starting to be observed in the wild and will be a challenge for malware analysts and researchers. Opaque predicates and control flow flattening are obfuscation methods used to limit malware analysis by defining unused logic, performing needless calculations, and altering code flow so that it is not linear. Manual analysis of malware utilizing these obfuscations is painful and time-consuming.

ANEL (also referred to as UpperCut) is a RAT used by APT10, typically targeting Japan. All recent ANEL samples are obfuscated with opaque predicates and control flow flattening. In this presentation I will explain how to automatically de-obfuscate the ANEL code by modifying the existing IDA Pro plugin HexRaysDeob. Specifically the following topics will be included.

  • Disassembler tool internals (IDA Pro IL microcode)
  • How to define and track opaque predicate patterns for the elimination
  • How to break control flow flattening while considering various conditional/unconditional jump cases even if it heavily depends on the opaque predicate conditions and has multiple switch dispatchers

The modified tool can work for most obfuscated functions in the tested samples. This implementation can deobfuscate approximately 92% of encountered functions. Additionally, most of the failed functions will be properly deobfuscated in IDA 7.3. Sharing the experience and knowledge of the implementation with the community will be valuable as threat actors other than APT10 may also start to use the same obfuscations.