
TTPs, Control Flow, and Exposed IOCs

As part of the ongoing analysis of the KorPlug malware family, this second installment focuses on the complex second-stage payload, expanding on the earlier findings about the DLL side-loading technique, in which a legitimate program is used to run the malicious code in the first stage.

The payload, a malicious DLL with SHA-256 hash b6b239fe0974cf09fe8ee9bc5d0502174836a79c53adccdbb1adeb1f15c6845c, measures 638,976 bytes (624 KB) and is structured as an x86 PE file.

KorPlug’s Obfuscated Second Stage

Static analysis uncovers that the Initialize function, triggered by the loader, features a highly anomalous Control Flow Graph (CFG), riddled with obfuscation that thwarts both disassembly and dynamic tracing.

This report outlines advanced reverse-engineering tactics to dismantle these barriers, exposing KorPlug’s execution mechanics and providing actionable intelligence for threat hunters.

To recall the final step of the first-stage analysis: the decoded payload looks like a standard DLL, but it is executed like shellcode. It is invoked through the EnumSystemGeoID API, which redirects control straight to the Initialize function and bypasses Windows' conventional loading safeguards.

Figure: Shellcode breakdown.

The CFG’s complexity stems from O-LLVM, a customized LLVM compiler variant notorious for deploying control flow flattening, bogus branches, and instruction substitution to evade detection and analysis.

These techniques flatten logic into switch-style dispatchers, insert misleading code paths, and complicate instructions, elevating reverse-engineering hurdles.

Evaluations of open-source deobfuscators, including MODeflattener, highlighted their limitations against this sample, necessitating custom adaptations for effective processing.

CFG Reconstruction

To penetrate the obfuscation, analysts categorized the CFG components systematically:

- the pre-dispatcher block, identifiable by its high predecessor count and its single jump to the initial dispatcher;
- the dispatcher itself, which manipulates a state variable to resolve execution paths;
- backbone blocks, which enforce the state variable checks via JMP, MOV, SUB, and JZ sequences;
- relevant blocks, which house the core malware logic and are divided into simple (hardcoded MOV assignments) and conditional (CMOVZ-driven) types;
- tail blocks, mere transitional jumps, which were flagged for removal.

This classification enabled mapping state variable assignments to legitimate jumps, revealing the predetermined sequences that maintain malware functionality amid the flattened structure.

Figure: Function that can be used to map blocks.

Leveraging Python with the angr framework, the deobfuscation script automates block enumeration, state value cataloging, and binary patching.

It replaces obfuscated jumps with direct or conditional instructions, pads with NOPs to preserve alignment, and excises unnecessary dispatcher and backbone elements, yielding a streamlined CFG that mirrors the original logic.
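The classification and patching steps described above can be reproduced on a small synthetic example. The following Python script is an added illustration written for this page; it is not the article's angr-based script. It models a flattened function as a dictionary of basic blocks (instruction tuples) with the state variable held in EAX and a CMP/JZ dispatcher chain, both simplifications chosen for the example; block and register names are constructed. The x86 instruction sizes it uses to compute NOP padding are the standard 32-bit encodings (MOV r32, imm32 = 5 bytes; CMOVZ = 3; JMP rel32 = 5; JZ rel32 = 6).

```python
"""Recovering direct control flow from an O-LLVM-style flattened CFG (toy model)."""

# x86 encoding sizes (bytes) used so patched blocks keep their original length
SIZE = {"mov": 5, "cmovz": 3, "jmp": 5, "jz": 6, "cmp": 3, "test": 2, "ret": 1, "nop": 1}

# Constructed flattened function. The state variable lives in EAX; each backbone
# block compares it against one constant and jumps to the matching relevant block.
FLATTENED = {
    "entry": [("mov", "eax", 0x11), ("jmp", "pre")],
    "pre":   [("jmp", "disp0")],                                    # pre-dispatcher
    "disp0": [("cmp", "eax", 0x11), ("jz", "A"), ("jmp", "disp1")],  # backbone
    "disp1": [("cmp", "eax", 0x22), ("jz", "B"), ("jmp", "disp2")],
    "disp2": [("cmp", "eax", 0x33), ("jz", "C"), ("jmp", "disp3")],
    "disp3": [("cmp", "eax", 0x44), ("jz", "D"), ("jmp", "tail")],
    "tail":  [("jmp", "pre")],                                      # transitional tail
    "A":     [("mov", "eax", 0x22), ("jmp", "pre")],                # simple relevant block
    "B":     [("test", "ebx", "ebx"), ("mov", "eax", 0x33),         # conditional relevant block
              ("mov", "ecx", 0x44), ("cmovz", "eax", "ecx"), ("jmp", "pre")],
    "C":     [("mov", "eax", 0x22), ("jmp", "pre")],                # loops back to B
    "D":     [("ret",)],                                            # terminal block
}


def block_size(insns):
    return sum(SIZE[i[0]] for i in insns)


def predecessors(cfg):
    preds = {b: [] for b in cfg}
    for name, insns in cfg.items():
        for ins in insns:
            if ins[0] in ("jmp", "jz"):
                preds[ins[1]].append(name)
    return preds


def find_pre_dispatcher(cfg):
    """The pre-dispatcher is a lone unconditional jump with the highest in-degree."""
    preds = predecessors(cfg)
    cands = [b for b, ins in cfg.items() if len(ins) == 1 and ins[0][0] == "jmp"]
    return max(cands, key=lambda b: len(preds[b]))


def map_dispatcher(cfg, pre):
    """Walk the backbone chain, cataloguing state constant -> relevant block."""
    state_map, removable, blk = {}, [pre], cfg[pre][0][1]
    while cfg[blk][0][0] == "cmp":
        cmp, jz, jmp = cfg[blk]
        state_map[cmp[2]] = jz[1]
        removable.append(blk)
        blk = jmp[1]
    removable.append(blk)  # the tail block that jumps back to the pre-dispatcher
    return state_map, removable


def resolve_block(insns, state_map, pre, state="eax"):
    """Strip the state assignment and return (kept body, successor list).

    Successors are [target] for a simple block, or [if_ZF_clear, if_ZF_set] for a
    conditional block whose CMOVZ selects between two state constants."""
    movs = {i[1]: i[2] for i in insns if i[0] == "mov" and isinstance(i[2], int)}
    cmov = next((i for i in insns if i[0] == "cmovz" and i[1] == state), None)
    remove, edges = {("jmp", pre)}, []
    if cmov:
        tmp = cmov[2]
        remove |= {("mov", state, movs[state]), ("mov", tmp, movs[tmp]), cmov}
        edges = [state_map[movs[state]], state_map[movs[tmp]]]
    elif state in movs:
        remove.add(("mov", state, movs[state]))
        edges = [state_map[movs[state]]]
    return [i for i in insns if i not in remove], edges


def patch_block(body, edges, original_size):
    """Replace the dispatcher round-trip with direct jumps; NOP-pad to the old size."""
    if len(edges) == 2:
        patched = body + [("jz", edges[1]), ("jmp", edges[0])]
    elif len(edges) == 1:
        patched = body + [("jmp", edges[0])]
    else:
        patched = list(body)
    pad = original_size - block_size(patched)
    assert pad >= 0, "patched block must fit in place"
    return patched + [("nop",)] * pad


def deflatten(cfg):
    """Return the recovered CFG: relevant blocks only, with direct control flow."""
    pre = find_pre_dispatcher(cfg)
    state_map, removable = map_dispatcher(cfg, pre)
    recovered = {}
    for name, insns in cfg.items():
        if name in removable:
            continue
        body, edges = resolve_block(insns, state_map, pre)
        recovered[name] = patch_block(body, edges, block_size(insns))
    return recovered


if __name__ == "__main__":
    for name, insns in deflatten(FLATTENED).items():
        print(name, insns)
```

Running the script prints the recovered blocks: entry jumps straight to A, A to B, and B becomes a TEST followed by JZ D / JMP C, so the loop B -> C -> B and its exit to D are visible without any dispatcher round-trips, while every patched block keeps its original byte length.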

This approach not only demystifies KorPlug's behavior, such as the variable-driven transitions that enable modular execution, but also adapts to similar O-LLVM threats, surpassing tools like MODeflattener through generalized pattern recognition.

Post-patching, the malware’s tactics, techniques, and procedures (TTPs) become transparent, aiding in vulnerability assessments and threat intelligence.

This methodology unmasks KorPlug’s sophisticated evasion, empowering defenders to counter flattened control flows in evolving malware landscapes.

While sample-specific tweaks were needed for existing tools, the angr-based implementation offers a robust, extensible framework for broader application.

Indicators Of Compromise (IoCs)

SHA-256 | Description
b6b239fe0974cf09fe8ee9bc5d0502174836a79c53adccdbb1adeb1f15c6845c | The analyzed sample (the malicious second-stage DLL), identified by its SHA-256 hash
