Thursday 29 September 2022, 14:30 - 15:00
Georgy Kucherin (Kaspersky)
It has become increasingly popular for targeted malware developers to create custom, sophisticated obfuscators that make use of control flow transformation techniques. One such technique is control flow flattening. It essentially rearranges the lines of code in a chaotic order, which makes analysis tedious.
While control flow flattening has previously been researched in the context of C and C++ binaries, virtually no attention has been given to unflattening .NET programs. Furthermore, existing deobfuscation software that removes flattening from C/C++ programs cannot be applied to .NET binaries. That is because .NET code is compiled not to x86 assembly, but to a virtual bytecode called Common Intermediate Language.
Advanced threat actors favour using control flow flattening to protect their .NET implants. For example, this obfuscation was employed in early versions of the Kazuar backdoor. It has also recently been spotted in DoubleZero, a wiper discovered in March 2022 in Ukraine.
In this research, we detail how to remove control flow flattening from .NET binaries, taking the DoubleZero wiper as an example. To perform unflattening, we modify the source code of de4dot, a popular .NET deobfuscation framework. In the paper, we first explain how to restore DoubleZero’s original control flow. Then, we move from the general to the specific and demonstrate how to add a custom deobfuscator module to de4dot. Afterwards, we describe how de4dot’s block deobfuscation component comes in handy for implementing the unflattening algorithm. Along the way, we give multiple tips on how to use other de4dot features.
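To make the technique concrete, here is an added illustration that is not code from the paper, from de4dot or from DoubleZero. It models a method as a map of labelled blocks of CIL-like instructions, builds a constructed flattened version (every block ends by storing a constant into a `state` local and jumping back to a dispatcher that `switch`es on it), and then restores the original control flow by following those constants instead of the dispatcher: each `ldc k; stloc state; br disp` sequence becomes a direct branch to the block the dispatcher would have selected, forwarding-only blocks are folded away, and the dispatcher and any junk cases become unreachable and are dropped. The opcode names, the single-local dispatcher shape and the block labels are assumptions of this model, not DoubleZero's actual layout; a toy interpreter checks that the flattened and restored methods behave identically.

```python
# Added illustration of control flow flattening and its removal on a toy
# CIL-like block model. Not de4dot code and not DoubleZero's real dispatcher:
# the opcodes, the "state" local and the block labels are assumptions.
# A method is a dict: block label -> list of instruction tuples.

# Constructed flattened method. The original logic is:
#   open(); if is_empty(): skip() else: process(); close()
FLATTENED = {
    "entry": [("ldc", 5), ("stloc", "state"), ("br", "disp")],
    "disp":  [("ldloc", "state"),
              ("switch", ["c0", "c1", "c2", "c3", "c4", "c5"]),
              ("br", "dead")],                       # state out of range
    "c5":    [("call", "open"), ("ldc", 1), ("stloc", "state"), ("br", "disp")],
    "c1":    [("call", "is_empty"), ("brtrue", "c1_t"),
              ("ldc", 4), ("stloc", "state"), ("br", "disp")],
    "c1_t":  [("ldc", 0), ("stloc", "state"), ("br", "disp")],
    "c4":    [("call", "process"), ("ldc", 3), ("stloc", "state"), ("br", "disp")],
    "c0":    [("call", "skip"), ("ldc", 3), ("stloc", "state"), ("br", "disp")],
    "c3":    [("call", "close"), ("ret",)],
    "c2":    [("call", "never"), ("ret",)],          # junk case, never selected
    "dead":  [("ret",)],
}


def execute(blocks, entry, env, limit=1000):
    """Toy interpreter: returns the names called, in order. A call pushes a
    value only if `env` defines one for it (used for predicates)."""
    trace, stack, locals_, label = [], [], {}, entry
    for _ in range(limit):
        next_label = None
        for ins in blocks[label]:
            op = ins[0]
            if op == "ldc":
                stack.append(ins[1])
            elif op == "stloc":
                locals_[ins[1]] = stack.pop()
            elif op == "ldloc":
                stack.append(locals_[ins[1]])
            elif op == "call":
                trace.append(ins[1])
                if ins[1] in env:
                    stack.append(env[ins[1]])
            elif op == "ret":
                return trace
            elif op == "br":
                next_label = ins[1]
                break
            elif op == "brtrue" and stack.pop():      # not taken: fall through
                next_label = ins[1]
                break
            elif op == "switch":
                idx = stack.pop()
                if 0 <= idx < len(ins[1]):            # CIL switch falls through otherwise
                    next_label = ins[1][idx]
                    break
        if next_label is None:
            raise RuntimeError(f"block {label} has no terminator")
        label = next_label
    raise RuntimeError("execution limit reached")


def find_dispatcher(blocks):
    """Locate the block that loads the state local and switches on it."""
    for label, ins in blocks.items():
        if len(ins) >= 2 and ins[0][0] == "ldloc" and ins[1][0] == "switch":
            return label, ins[0][1], ins[1][1]
    raise ValueError("no dispatcher block found")


def unflatten(blocks, entry):
    """Turn each `ldc k; stloc state; br disp` into a direct branch to the block
    the dispatcher would pick, fold forwarding-only blocks, and keep only what
    is still reachable (the dispatcher and junk cases are not)."""
    disp, state, targets = find_dispatcher(blocks)
    out = {}
    for label, ins in blocks.items():
        if label == disp:
            continue
        rewritten, i = [], 0
        while i < len(ins):
            if (i + 2 < len(ins) and ins[i][0] == "ldc"
                    and ins[i + 1] == ("stloc", state) and ins[i + 2] == ("br", disp)):
                rewritten.append(("br", targets[ins[i][1]]))  # constant state -> known target
                i += 3
            else:
                rewritten.append(ins[i])
                i += 1
        out[label] = rewritten

    def resolve(label):
        seen = set()   # skip through blocks that are just one unconditional branch
        while label in out and label not in seen and out[label] == [("br", out[label][0][1])] \
                if label in out and len(out[label]) == 1 and out[label][0][0] == "br" else False:
            seen.add(label)
            label = out[label][0][1]
        return label

    for label in out:
        out[label] = [(ins[0], resolve(ins[1])) if ins[0] in ("br", "brtrue") else ins
                      for ins in out[label]]
    entry = resolve(entry)
    reachable, work = set(), [entry]
    while work:
        label = work.pop()
        if label in reachable:
            continue
        reachable.add(label)
        for ins in out[label]:
            if ins[0] in ("br", "brtrue"):
                work.append(ins[1])
            elif ins[0] == "switch":
                work.extend(ins[1])
    return {label: out[label] for label in out if label in reachable}, entry


if __name__ == "__main__":
    clean, start = unflatten(FLATTENED, "entry")
    for label, ins in clean.items():
        print(label, ins)
    print(execute(FLATTENED, "entry", {"is_empty": 1}) == execute(clean, start, {"is_empty": 1}))
```

Two details carry over to real unflattening work: the rewrite only fires when the state constant is visible right before the jump to the dispatcher, so an obfuscator that computes the next state from a previous one forces the analyst into a constant-propagation step first; and reachability is computed after the rewrite, which is what lets the dispatcher, the out-of-range fallthrough and the never-selected case block disappear without any hand-picked deletion.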
The paper is accompanied by extensively commented code of the unflattener. It manages to successfully deobfuscate all of DoubleZero’s functions. It is possible to use this code as a basis for creating unflatteners for other .NET malware families.
Georgy Kucherin is a junior researcher at Kaspersky’s Global Research and Analysis Team and a second-year student at Moscow State University. He is passionate about analysis of complex malware and reverse engineering. His previous research includes attribution of the SolarWinds attack and a thorough investigation of the FinSpy commercial spyware.