LummaC2: Obfuscation Through Indirect Control Flow
Sept. 27, 2024, 1:41 p.m.
Description
This analysis examines a control flow obfuscation technique used by recent LummaC2 stealer samples. The malware employs customized control flow indirection to manipulate execution, hindering reverse engineering and automated analysis. The obfuscation transforms functions into 'dispatcher blocks' that use encoded offsets and indirect jumps to obscure the original control flow. Three main dispatcher types are identified: register-based, memory-based, and mixed-order. The analysis also covers conditional dispatcher logic for loops and syscalls. To deobfuscate, the researchers developed an automated method using symbolic backward slicing to differentiate dispatcher instructions from original code and recover the true control flow. This allows rebuilding deobfuscated functions for analysis.
Date
Published: Sept. 27, 2024, 1:18 p.m.
Created: Sept. 27, 2024, 1:18 p.m.
Modified: Sept. 27, 2024, 1:41 p.m.
Attack Patterns
LummaC2
T1027.004
T1082
T1083
T1055
T1140
T1027