VB2019 paper: Defeating APT10 compiler-level obfuscations

Posted by on Mar 13, 2020

Obfuscation in malware has long frustrated analysis, and obfuscation at the compiler level, such as opaque predicates and control flow flattening, has been particularly challenging. One group that has been using this kind of obfuscation is APT10, an APT group made famous through a 2018 indictment by the US government in which two Chinese individuals were charged.

Function obfuscated with control flow flattening.

At VB2019 in London, Carbon Black researcher Takahiro Haruyama presented a paper on defeating compiler-level obfuscations used by APT10, in particular in the ANEL/UpperCut RAT used mainly against targets in Japan. In conjunction with this paper, Takahiro also released a tool that can aid analysis in IDA Pro.

Today we publish Takahiro's paper in both HTML and PDF format as well as the recording of his VB2019 presentation.

Have you carried out research that furthers our understanding of the threat landscape? Have you discovered a technique that helps in the analysis of malware? The Call for Papers for VB2020 in Dublin is open until 15 March - submit a proposal now for a chance to make it onto the programme of one of the most international threat intelligence conferences!