{"id":17938,"date":"2020-03-17T20:36:00","date_gmt":"2020-03-18T04:36:00","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/03\/17\/news-11671\/"},"modified":"2020-03-17T20:36:00","modified_gmt":"2020-03-18T04:36:00","slug":"news-11671","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/03\/17\/news-11671\/","title":{"rendered":"VB2019 paper: Defeating APT10 compiler-level obfuscations"},"content":{"rendered":"<p>Obfuscation in malware has long frustrated analysis, and obfuscation at the compiler level, such as opaque predicates and control flow flattening, has been particularly challenging. One group that has been using this kind of obfuscation is APT10, an APT group made famous through a 2018 <a href=\"https:\/\/www.forbes.com\/sites\/thomasbrewster\/2018\/12\/20\/us-charges-two-chinese-nationals-with-hacks-of-45-tech-companies\/\" target=\"_blank\">indictment<\/a> by the US government in which two Chinese individuals were charged.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" style=\"display: block; margin-left: auto; margin-right: auto;\" src=\"https:\/\/www.virusbulletin.com\/files\/cache\/4f478172881b5024678a0bd0019bab48_f4151.png\" alt=\"fig10_cff_overview.png\" width=\"650\" height=\"300\" \/><span class=\"centered-caption\"> Function obfuscated with control flow flattening.<\/span><\/p>\n<p>At VB2019 in London, <em>Carbon Black<\/em> researcher Takahiro Haruyama presented a paper on defeating compiler-level obfuscations used by APT10, in particular in the ANEL\/UpperCut RAT used mainly against targets in Japan. 
In conjunction with this paper, Takahiro also released a <a href=\"https:\/\/github.com\/carbonblack\/HexRaysDeob\" target=\"_blank\">tool<\/a> that can aid analysis in <em>IDA Pro<\/em>.<\/p>\n<p>Today we publish Takahiro&#8217;s paper in both <a title=\"VB2019 paper: Defeating APT10 compiler-level obfuscations\" href=\"https:\/\/www.virusbulletin.com\/virusbulletin\/2020\/03\/vb2019-paper-defeating-apt10-compiler-level-obfuscations\/\">HTML<\/a> and <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/magazine\/2019\/VB2019-Haruyama.pdf\" target=\"_blank\">PDF<\/a> format as well as the recording of his VB2019 presentation.<\/p>\n<p style=\"text-align: center;\" width=\"100%\" height=\"420\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/7RK9Jx5Dcdo\" frameborder=\"0\" width=\"100%\" height=\"420\" style=\"\"> <\/iframe><\/p>\n<p><em>Have you carried out research that furthers our understanding of the threat landscape? Have you discovered a technique that helps in the analysis of malware? The <a title=\"VB2020 call for papers - now open!\" href=\"https:\/\/www.virusbulletin.com\/blog\/2019\/12\/vb2020-call-papers-now-open\/\">Call for Papers<\/a> for VB2020 in Dublin is open until <strong>15 March<\/strong> &#8211; submit a proposal now for a chance to make it onto the programme of one of the most international threat intelligence conferences!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.virusbulletin.com\/files\/cache\/4f478172881b5024678a0bd0019bab48_f4151.png\"\/><br \/> At VB2019 in London, Carbon Black researcher Takahiro Haruyama presented a paper on defeating compiler-level obfuscations used by the APT10 group. Today we publish both Takahiro&#8217;s paper and the recording of his presentation.
<\/p>\n<p>                 <a href=\"https:\/\/www.virusbulletin.com\/blog\/2020\/03\/vb2019-paper-defeating-apt10-compiler-level-obfuscations\/\">Read more<\/a>                                <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[23177,10378,23176],"tags":[],"class_list":["post-17938","post","type-post","status-publish","format-standard","hentry","category-magazine","category-security","category-virusbulletin"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17938","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17938"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17938\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17938"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17938"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}