OpenAnalysis
Sergei Frankoff
Exploring the Impact of Dual-Use Obfuscation Libraries on Threat Intelligence
Code similarity analysis is a fundamental and widely used technique for identifying and attributing malware at the binary level. However, the rising prevalence of open source code obfuscation libraries and their adoption by malware developers impose challenges that must be addressed to maintain the reliability and accuracy of this technique and its associated tools.
In 2022, the leaked Conti ransomware developer chat logs and the subsequent leak of the Conti source code confirmed the use of both an open source string protection library (ADVObfuscator) and an open source code obfuscation library (Obfuscator-LLVM). While these obfuscation libraries had been employed in malware previously, the exposed Conti development process emerged as a defining moment in the malware development ecosystem. Subsequently, the use of open source obfuscation libraries has grown, with ADVObfuscator and Obfuscator-LLVM becoming common in ransomware code, and the adoption of lesser-known obfuscation projects such as xorstr introducing significant challenges when using code similarity analysis tools.
Our research examines the impact of these obfuscation libraries on popular analysis tools (e.g., Lumina, BinDiff, and Binlex) and the resulting challenges faced by the threat intelligence processes that employ them. To address these challenges, we propose the use of ground truth binaries, which can fine-tune existing tools and processes. Using real-world case studies, we will work through the challenges posed by these obfuscation libraries and describe how our solution may mitigate the encountered issues.
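The problem the abstract describes, and the ground-truth remedy it proposes, can be reduced to a small experiment. The following is an added illustration written for this page; it is not code from OpenAnalysis or from the talk, and it is a deliberately simplified stand-in for what tools such as BinDiff or Binlex do with far richer features. Functions are represented as constructed mnemonic sequences (no real samples), a function fingerprint is its set of mnemonic trigrams, and two binaries are compared by the fraction of functions in one that have a near-duplicate in the other. Two unrelated "families" share only the inlined stubs of a hypothetical string-obfuscation library, which is enough to make them look 60% similar; fingerprinting a build of the library on its own (the ground-truth binary) and discarding every function that matches it brings the score down to zero. The `0.5` match threshold and all function names are assumptions for the example.

```python
from __future__ import annotations

# A fingerprint is the set of mnemonic trigrams in a function. Operands and immediates
# are ignored on purpose: compile-time string obfuscators emit one decoder copy per
# string with a different key each time, so only the instruction shape is stable.
Fingerprint = frozenset[tuple[str, str, str]]

# Constructed ground-truth build: the obfuscation library compiled by itself, so every
# function in it is known to be library code rather than the malware author's logic.
GROUND_TRUTH: dict[str, list[str]] = {
    "gt_decode_string": ["mov", "xor", "mov", "inc", "cmp", "jne", "ret"],
    "gt_cmp_guard":     ["push", "mov", "imul", "add", "cmp", "jbe", "pop", "ret"],
}

# Constructed "family A": two core functions plus three inlined library stubs whose
# mnemonic sequence is identical to the ground-truth build.
FAMILY_A: dict[str, list[str]] = {
    "a_enum_files": ["push", "lea", "call", "test", "jz", "call", "inc", "cmp", "jl", "pop", "ret"],
    "a_encrypt":    ["sub", "mov", "shl", "xor", "rol", "add", "cmp", "jne", "ret"],
    "a_str_1":      ["mov", "xor", "mov", "inc", "cmp", "jne", "ret"],
    "a_str_2":      ["mov", "xor", "mov", "inc", "cmp", "jne", "ret"],
    "a_guard":      ["push", "mov", "imul", "add", "cmp", "jbe", "pop", "ret"],
}

# Constructed "family B": unrelated core logic, same library, but a different compiler
# version that emits one extra `pop` in the decoder epilogue (exercises fuzzy matching).
FAMILY_B: dict[str, list[str]] = {
    "b_beacon":  ["push", "mov", "lea", "call", "mov", "call", "test", "jnz", "mov", "pop", "ret"],
    "b_persist": ["push", "mov", "call", "call", "cmp", "je", "lea", "call", "pop", "ret"],
    "b_str_1":   ["mov", "xor", "mov", "inc", "cmp", "jne", "pop", "ret"],
    "b_str_2":   ["mov", "xor", "mov", "inc", "cmp", "jne", "pop", "ret"],
    "b_guard":   ["push", "mov", "imul", "add", "cmp", "jbe", "pop", "ret"],
}

MATCH_THRESHOLD = 0.5  # assumed: trigram Jaccard at or above this counts as "same function"


def fingerprint(mnemonics: list[str]) -> Fingerprint:
    """Set of overlapping mnemonic trigrams; a cheap, operand-agnostic fuzzy signature."""
    return frozenset(zip(mnemonics, mnemonics[1:], mnemonics[2:]))


def jaccard(a: Fingerprint, b: Fingerprint) -> float:
    """Set similarity in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def best_match(fp: Fingerprint, candidates: list[Fingerprint]) -> float:
    """Highest similarity between one fingerprint and any candidate (0.0 if none)."""
    return max((jaccard(fp, c) for c in candidates), default=0.0)


def binary_similarity(funcs_a: dict[str, list[str]], funcs_b: dict[str, list[str]],
                      threshold: float = MATCH_THRESHOLD) -> float:
    """Fraction of functions in A that have a near-duplicate somewhere in B."""
    fps_b = [fingerprint(m) for m in funcs_b.values()]
    matched = sum(1 for m in funcs_a.values() if best_match(fingerprint(m), fps_b) >= threshold)
    return matched / len(funcs_a)


def strip_library_code(funcs: dict[str, list[str]], ground_truth: dict[str, list[str]],
                       threshold: float = MATCH_THRESHOLD) -> tuple[dict[str, list[str]], list[str]]:
    """Remove every function that matches the ground-truth library build.

    Returns (remaining functions, names of the functions that were dropped).
    """
    gt_fps = [fingerprint(m) for m in ground_truth.values()]
    remaining: dict[str, list[str]] = {}
    dropped: list[str] = []
    for name, mnemonics in funcs.items():
        if best_match(fingerprint(mnemonics), gt_fps) >= threshold:
            dropped.append(name)
        else:
            remaining[name] = mnemonics
    return remaining, dropped


def compare_with_and_without_ground_truth() -> dict[str, float]:
    """Score A vs B naively, then again after discarding library code from both sides."""
    naive = binary_similarity(FAMILY_A, FAMILY_B)
    a_core, _ = strip_library_code(FAMILY_A, GROUND_TRUTH)
    b_core, _ = strip_library_code(FAMILY_B, GROUND_TRUTH)
    return {"naive": naive, "ground_truth_filtered": binary_similarity(a_core, b_core)}


if __name__ == "__main__":
    scores = compare_with_and_without_ground_truth()
    print(f"naive similarity A->B:            {scores['naive']:.2f}")
    print(f"after ground-truth filtering:     {scores['ground_truth_filtered']:.2f}")
```

The naive score is driven entirely by the three shared stubs, and the extra `pop` in family B's decoder is absorbed by the fuzzy trigram match, which is the point of fingerprinting a ground-truth build rather than relying on exact hashes: the same library compiled by a different toolchain still gets recognised and excluded before any attribution decision is made.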
Sergei is a co-founder of OpenAnalysis Inc. When he is not reverse engineering malware, Sergei is focused on building automation tools for malware analysis and producing tutorials for the OALABS YouTube channel. With over a decade in the security industry, Sergei has extensive experience working at the intersection of incident response and threat intelligence.