
More 64-bit obfuscator madness


Just after we published a blog about a 64-bit obfuscator, we quickly discovered another malware family following the same trend. Claretore also uses two-layer 64-bit obfuscation, although it does it a little differently from Ursnif.

The first layer simply decrypts the code of the second layer and passes control to it. The first layer even contains a 64-bit-specific anti-emulation trick.

The code snippet is depicted in Figure 1. It calls the GetBkColor() API with a bogus parameter (0x3c2c3f2 passed as the hdc in this case) and then checks whether register r9b (the lowest byte of register r9) has its lowest two bits set after the call returns.

Figure 1: Code snippet of the 1st layer

Note: Under the Windows x64 calling convention, r9 carries the fourth integer or pointer argument to a function. It is a volatile (caller-saved) register, so the calling convention says nothing about its contents after a call returns; whatever is left there is an implementation detail of the callee.

On 64-bit versions of Windows 7, the GetBkColor() implementation uses r9 to hold the return value temporarily, so the return value is still in r9 as a side effect when the function returns. Since GetBkColor() returns CLR_INVALID (0xFFFFFFFF) for an invalid HDC, the lowest two bits of r9b are set on a native system. An emulator that only models the documented return value in rax and leaves r9 untouched fails this check, which is the point of the trick. See Figure 2 below.

Figure 2:  Code snippet from GetBkColor()
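To make the check concrete, here is the same r9b test written out as an x64 Windows NASM routine. This is an added example that mirrors the behaviour the text describes; it is not the Claretore code from Figure 1, and the function name, label names and the 0/1 return convention are assumptions.

```nasm
; Added example (not the Claretore snippet from Figure 1): the GetBkColor()
; r9b anti-emulation check as described in the text. Function and label
; names are assumptions for illustration.
default rel
extern GetBkColor                ; gdi32.dll: COLORREF GetBkColor(HDC hdc)

section .text
global check_real_windows
check_real_windows:
    sub     rsp, 40              ; 32-byte shadow space + 8 so rsp is 16-byte aligned at the call
    mov     ecx, 0x3c2c3f2       ; bogus HDC in rcx (first integer argument)
    call    GetBkColor           ; fails for a bad HDC and returns CLR_INVALID (0xFFFFFFFF) in eax
    add     rsp, 40
    ; r9 is volatile: the calling convention defines nothing about its value here.
    ; On native Windows 7 x64 the real implementation leaves the return value
    ; in r9 as a side effect, so the low two bits of r9b are set.
    ; An emulator that sets rax only and never touches r9 fails this test.
    and     r9d, 3
    cmp     r9d, 3
    jne     .emulated
    mov     eax, 1               ; 1 = looks like native Windows, continue to layer 2
    ret
.emulated:
    xor     eax, eax             ; 0 = looks emulated, the sample would bail out here
    ret
```

Two caveats for anyone reproducing this. The result depends on an undocumented implementation detail of gdi32, so the page only vouches for 64-bit Windows 7; other builds may leave something else in r9, which is a fragility of this kind of check as much as an evasion. And from the sandbox side, the lesson is that an API stub which returns the documented value is not enough: the sample is fingerprinting the register side effects of the real code.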

The second layer decrypts and loads a 64-bit PE file in memory. The loaded 64-bit PE file is detected as Trojan:Win64/Claretore.A.

Thinking back to Ursnif, we now have two families aiming at the same goal (avoiding detection and removal, and getting the opportunity to run their payload) but going about it in quite different ways. This is just another example of how malware authors are now specifically targeting 64-bit systems with their obfuscation.
Chun Feng
MMPC Melbourne
