One of the goals of malware authors is to keep their creation undetected by antivirus software. One possible solution for this is a crypter. A crypter encrypts a program so that it looks like meaningless data, and it creates an envelope for this encrypted program, also called a stub. This stub looks like an innocent program; it may also perform some tasks which are not harmful at all, but its primary task is to decrypt a payload and run it.

The crypter discussed in this blogpost uses a combination of multiple interesting techniques that make it hard for analysts and for proper detection. One of the key techniques this crypter uses is multiple layers of encryption. Because of this we are calling it “OnionCrypter”. It’s important to note that the name reflects the many layers this crypter uses; it is in no way related to the TOR browser or network. This blogpost covers most of the techniques OnionCrypter uses to complicate analysis and breaks down its structure. This can help malware analysts, because samples like these can be confusing and overwhelming at first, not only for humans but also for dynamic analysis sandboxes.

Most interestingly, we have found that OnionCrypter has been used by over 30 different malware families since 2016. This includes some of the best-known and most prevalent families such as Ursnif, Lokibot, Zeus, AgentTesla, and Smokeloader, among others. In the last three years we have protected almost 400,000 users around the world from malware protected by this crypter. Its widespread use and length of time in use make it a key malware infrastructure component.

We believe that the authors of OnionCrypter likely offer it as an encrypting service. Based on the uniqueness of the first layer, it is also safe to assume that the authors of OnionCrypter offer the option of a unique stub file to ensure that the encrypted malware will be undetectable. A service like this is frequently advertised as a FUD (fully undetectable) crypter.

Even though the first layer usually includes at least a few hundred functions, there is always one long function (let’s call it the main function) with a lot of junk code, but it also includes the following functionalities which are important parts of OnionCrypter:

The easiest way to find this function is to check cross references to the CreateEventA API function.

Uniqueness

After finding this main function in multiple samples there is the first obstacle – uniqueness. Each one of the analyzed samples had a unique main function. The differences vary between big ones, like completely different API function calls in the junk part of the code, and small ones, like using different registers and local variables in a loop which otherwise seems the same. The main function is always quite long, because of junk code and often because of loop unrolling. As a consequence, creating static detection rules gets quite complicated if someone wants to cover the majority of samples.

After seeing some samples it is possible to quite easily estimate which function is the main function.