A deep dive into .NET malware obfuscators: Part 1 – ANY.RUN’s Cybersecurity Blog

This article builds a simple .NET obfuscator that hides string literals using proxy functions, per-character splitting, numeric masking, heavy math expressions, and control-flow (CFG) shuffling implemented with dnlib. It then shows how run-time inspection and common tools (breakpoints, memory dumps, de4dot, dnSpy/ILSpy) can recover the original strings. #De4dot #DnSpy

Keypoints

  • Implemented a basic .NET obfuscator that moves literal strings into separate proxy methods and replaces ldstr with calls to those methods using dnlib.
  • Applied character-level splitting to construct strings one character at a time on the evaluation stack, removing whole-string literals from the binary and complicating static string discovery.
  • Used numeric conversion (representing chars as numbers and Conv.U2) and heavy randomized math expressions to mask character values and defeat simple decompilation output.
  • Performed CFG obfuscation by splitting IL into basic blocks (based on stack empty points), shuffling them, and adding a dispatcher loop + switch driven by a marker variable to restore execution order.
  • Demonstrated practical bypasses: setting breakpoints to read return values, memory dumps (Process Hacker) to locate strings, and automated deobfuscation with de4dot (emulation mode) and IL decompilers (dnSpy/ILSpy).
  • Concluded that simple obfuscation techniques raise analysis effort but can be undone; more advanced countermeasures are covered in the promised follow-up.
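The following is an added example, not code from the ANY.RUN article or its dnlib obfuscator. It models, in Python standing in for IL, the numeric conversion, heavy-math masking and marker-driven dispatcher described in the key points above, then shows why emulation-based deobfuscation (the de4dot approach) recovers the literal: every masked character is a constant expression, and the dispatcher's marker chain fully determines block order. The masking scheme, marker ranges and the `obfuscate`/`recover` names are constructed for this illustration.

```python
import random
from typing import Dict, List, Tuple

# Constructed toy model of the obfuscation steps listed above (not the article's
# dnlib code): numeric conversion with a Conv.U2-style truncation, masking by an
# arithmetic expression, and a shuffled block table driven by a dispatcher marker.

Masked = Tuple[int, int, int]                 # (a, b, c): char code == (a * b + c) & 0xFFFF
Table = Dict[int, Tuple[List[Masked], int]]   # marker -> (block, next marker)


def mask_char(ch: str, rng: random.Random) -> Masked:
    """Replace a character with an arithmetic expression that evaluates to its code."""
    code = ord(ch)
    a = rng.randint(1_000, 1_000_000)
    b = rng.randint(2, 64)
    # Choose c so that (a * b + c) wraps back to code under 16-bit truncation.
    c = (code - a * b) % 0x10000
    return a, b, c


def unmask_char(m: Masked) -> str:
    """Constant-fold one expression; '& 0xFFFF' mirrors the Conv.U2 instruction."""
    a, b, c = m
    return chr((a * b + c) & 0xFFFF)


def obfuscate(s: str, seed: int = 1337, block_size: int = 3) -> Tuple[int, int, Table]:
    """Mask every character, cut the sequence into basic blocks, shuffle the blocks
    and link them with random marker values, as a dispatcher switch table would."""
    rng = random.Random(seed)
    masked = [mask_char(ch, rng) for ch in s]
    blocks = [masked[i:i + block_size] for i in range(0, len(masked), block_size)]
    markers = rng.sample(range(100, 10_000), len(blocks) + 1)  # last one is the exit marker
    table: Table = {markers[i]: (blocks[i], markers[i + 1]) for i in range(len(blocks))}
    entries = list(table.items())
    rng.shuffle(entries)                  # switch cases appear in arbitrary order
    return markers[0], markers[-1], dict(entries)


def recover(entry: int, exit_marker: int, table: Table) -> str:
    """Emulate the dispatcher: follow the marker chain from the entry, folding each
    expression. This is what emulation-based deobfuscators do to rebuild the literal."""
    out: List[str] = []
    marker = entry
    while marker != exit_marker:
        block, marker = table[marker]
        out.extend(unmask_char(m) for m in block)
    return "".join(out)


def literal_is_visible(s: str, table: Table) -> bool:
    """Static check: does the literal survive anywhere in the obfuscated representation?"""
    return s in repr(table)


if __name__ == "__main__":
    entry, exit_marker, table = obfuscate("Hello, ANY.RUN")   # constructed sample string
    print("literal visible statically:", literal_is_visible("Hello", table))
    print("recovered by emulation:   ", recover(entry, exit_marker, table))
```

The point for an analyst is in the last two lines: a string scan of the obfuscated form finds nothing, yet a few lines of emulation that follow the marker and fold the arithmetic return the original text, which is exactly the gap the key points describe between "raises analysis effort" and "can be undone".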

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – Use of string obfuscation and CFG obfuscation to hinder static analysis. ‘proxy functions: put each static string in its own function with crazy name; character breakdown: divide strings into individual characters; numeric conversion: replace characters with their numeric values; heavy math: use many math operations with large numbers; CFG obfuscation: make the control flow complex and hard to follow.’

Indicators of Compromise

  • [File names] Obfuscated samples and examples – Example1, Example1_obf.exe
  • [Tool binaries] Tools used in analysis/deobfuscation – de4dot.exe, dnSpy (and ILSpy, Process Hacker)
  • [Domain] Source / article host – https://any.run/cybersecurity-blog/net-malware-obfuscators-analysis-part-one/

Read more: https://any.run/cybersecurity-blog/net-malware-obfuscators-analysis-part-one/