Uncovering .NET Malware Obfuscated by Encryption and Virtualization
Summary
An increasing number of malware samples are using obfuscation to thwart static analysis by antimalware sandboxes
Self-deleting payloads, multi-layer encryption and virtual machine-based obfuscation are observed in the wild
Static analysis allows suspected malware to be inspected more safely, without executing the sample, by unpacking the observed obfuscation layers to extract its configuration parameters.
Automation of this process would allow sandbox analysis to yield crucial configuration parameters.
Malware samples examined use a combination of AES encryption, code virtualization and staged payload delivery to impede static analysis.
Analysis reveals markers in the malware code that locate the encryption keys, as well as a second obfuscation stage based on the KoiVM virtual machine.
The final payload is executed via .NET reflection, with configuration parameters stored in encrypted resources in memory.
Network security solutions like Cortex XDR and XSIAM can prevent these samples from executing, to protect users and networks.
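As an added illustration (not code from the original article, which does not publish its samples' markers or key layout), the following Go program shows the marker-based key recovery described above against a constructed blob: a hypothetical marker string is assumed to be followed by a 16-byte AES key and a 16-byte IV, with the AES-CBC encrypted stage after them. Go is used here because its standard library provides AES.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Marker is a hypothetical sequence assumed to precede the key material in the
// packed blob; the real samples' markers are not reproduced here.
var Marker = []byte("KEYMARKER:")

// ExtractAndDecrypt finds Marker, reads the 16-byte AES key and 16-byte IV assumed
// to follow it, and AES-CBC-decrypts the rest of the blob, validating PKCS#7 padding.
func ExtractAndDecrypt(blob []byte) ([]byte, error) {
	i := bytes.Index(blob, Marker)
	if i < 0 || len(blob) < i+len(Marker)+32 {
		return nil, errors.New("marker missing or key material truncated")
	}
	p := i + len(Marker)
	key, iv, ct := blob[p:p+16], blob[p+16:p+32], blob[p+32:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	block, _ := aes.NewCipher(key) // key is exactly 16 bytes, so this cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte gives the pad length
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key, IV or layout")
	}
	return pt[:len(pt)-n], nil
}

// BuildSample assembles a constructed blob in the assumed layout (test data, not a real sample).
func BuildSample(key, iv, payload []byte) []byte {
	block, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(payload)%aes.BlockSize
	padded := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return bytes.Join([][]byte{[]byte("junk\x00"), Marker, key, iv, ct}, nil)
}

func main() {
	pt, err := ExtractAndDecrypt(BuildSample([]byte("0123456789abcdef"), []byte("fedcba9876543210"), []byte("stage2-config")))
	fmt.Printf("%q %v\n", pt, err)
}
```

A recovered stage would then be inspected statically (for example, for its own encrypted resources) rather than executed.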