Today > vulnerabilities   -   You can now download lists of IOCs here!

LummaC2: Obfuscation Through Indirect Control Flow

Sept. 27, 2024, 1:41 p.m.

Description

This analysis examines a control flow obfuscation technique used by recent LummaC2 stealer samples. The malware employs customized control flow indirection to manipulate execution, hindering reverse engineering and automated analysis. The obfuscation transforms functions into 'dispatcher blocks' that use encoded offsets and indirect jumps to obscure the original control flow. Three main dispatcher types are identified: register-based, memory-based, and mixed-order. The analysis also covers conditional dispatcher logic for loops and syscalls. To deobfuscate, the researchers developed an automated method using symbolic backward slicing to differentiate dispatcher instructions from original code and recover the true control flow. This allows rebuilding deobfuscated functions for analysis.

Date

Published: Sept. 27, 2024, 1:18 p.m.

Created: Sept. 27, 2024, 1:18 p.m.

Modified: Sept. 27, 2024, 1:41 p.m.

Attack Patterns

LummaC2

T1027.004

T1082

T1083

T1055

T1140

T1027