Elastic Security Labs discovered a new malware family named DOUBLELOADER, often seen with RHADAMANTHYS infostealer, employing the open-source obfuscator ALCATRAZ to evade analysis. The post details multiple obfuscation techniques used by ALCATRAZ and demonstrates methods and tools to deobfuscate and analyze such protected malware. #DOUBLELOADER #RHADAMANTHYS #ALCATRAZ
Key points
- DOUBLELOADER is a generic backdoor malware linked to the RHADAMANTHYS infostealer; it uses syscalls to inject code into explorer.exe and beacons to a hardcoded IP.
- ALCATRAZ is an open-source obfuscator released in 2023, originally from the game hacking community but now abused by cybercriminals and APT groups.
- ALCATRAZ uses advanced obfuscation techniques including control flow flattening, instruction mutation, constant unfolding, LEA constant hiding, anti-disassembly tricks, and entrypoint obfuscation.
- Entrypoint obfuscation manipulates PE header fields to mislead analysts about the program’s true starting point.
- Anti-disassembly adds short jump instructions to disrupt disassemblers, which can be mitigated by patching the affected bytes to NOPs.
- Instruction mutation transforms simple instructions into semantically equivalent but complex sequences, requiring pattern matching and reassembly to decode.
- Control flow flattening restructures execution into dispatch loops, making static analysis difficult, but tools like the IDA D810 plugin can help recover original flow.
- Elastic Security Labs released IDA Python scripts and YARA rules to aid in identifying and deobfuscating ALCATRAZ-protected malware.
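A small worked example of the NOP-patching approach mentioned above for the anti-disassembly short jumps, added here and not taken from the Elastic post or the ALCATRAZ project: it scans a raw x86-64 code buffer for two assumed, classic short-jump stubs (the exact byte sequences ALCATRAZ emits are not given on this page) and patches only the bytes that can be replaced without changing what executes.

```python
"""Locate and NOP-patch short-jump anti-disassembly stubs in a raw x86-64 code buffer."""

# Assumed illustrative stubs (not taken from the ALCATRAZ source):
#   "EB FF"     jmp -1: lands on its own 0xFF byte, which then fuses with the
#               following byte(s) into the real instruction (e.g. FF C0 = inc eax).
#               Fix: turn only the 0xEB into a NOP so a linear sweep resynchronises.
#   "EB 01 xx"  jmp +1 over one junk byte whose opcode swallows later bytes when
#               decoded in sequence (call/jmp rel32, 0xE8/0xE9).
#               Fix: NOP the jump and the skipped junk byte; control flow is unchanged.
NOP = 0x90
JUNK_OPCODES = {0xE8, 0xE9}  # assumption: junk bytes that desynchronise a linear sweep

# Constructed sample buffer: real instructions interleaved with the two stubs.
SAMPLE = bytes.fromhex(
    "4831c0"   # xor rax, rax
    "ebffc0"   # jmp -1 ; executes as: inc eax
    "eb01e8"   # jmp +1 over junk 0xE8 (call opcode)
    "48ffc0"   # inc rax
    "c3"       # ret
)


def find_stubs(code: bytes) -> list:
    """Return (offset, kind) for each candidate stub. Raw byte scanning can also
    match inside immediates or displacements, so confirm hits in a disassembler
    before patching a real sample."""
    hits = []
    i = 0
    while i + 1 < len(code):
        if code[i] == 0xEB and code[i + 1] == 0xFF:
            hits.append((i, "jmp_minus_one"))
            i += 2  # the 0xFF byte belongs to the real instruction; step past it
            continue
        if (code[i] == 0xEB and code[i + 1] == 0x01
                and i + 2 < len(code) and code[i + 2] in JUNK_OPCODES):
            hits.append((i, "jmp_over_junk"))
            i += 3
            continue
        i += 1
    return hits


def nop_patch(code: bytes, stubs) -> bytes:
    """Apply the per-stub patch so a linear sweep decodes the intended instructions."""
    out = bytearray(code)
    for off, kind in stubs:
        if kind == "jmp_minus_one":
            out[off] = NOP  # keep the 0xFF: it is the first byte of the real instruction
        elif kind == "jmp_over_junk":
            out[off:off + 3] = bytes([NOP] * 3)
    return bytes(out)
```

Running `nop_patch(SAMPLE, find_stubs(SAMPLE))` yields `48 31 c0 90 ff c0 90 90 90 48 ff c0 c3`, which disassembles linearly as xor/nop/inc eax/nop/nop/nop/inc rax/ret, the same instruction stream the CPU actually executed.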
MITRE Techniques
- [T1059] Command and Scripting Interpreter – DOUBLELOADER uses syscalls like NtCreateThreadEx to inject and execute code remotely within explorer.exe (‘…leverages syscalls such as NtOpenProcess, NtWriteVirtualMemory, NtCreateThreadEx launching unbacked code within the Windows desktop/file manager (explorer.exe)’).
- [T1027] Obfuscated Files or Information – Use of ALCATRAZ obfuscator applying control flow flattening, instruction mutation, constant unfolding, entrypoint obfuscation, and anti-disassembly tricks to hinder analysis (‘…obfuscation techniques employed by ALCATRAZ, including control flow flattening, instruction mutation, constant unfolding, LEA constant hiding, anti-disassembly tricks and entrypoint obfuscation’).
- [T1560] Archive Collected Data – The malware collects host information and communicates with a hardcoded IP for updates and beaconing (‘…the malware collects host information, requests an updated version of itself and starts beaconing to a hardcoded IP (185.147.125.81)’).
Indicators of Compromise
- [IP Address] Hardcoded beacon IP used by DOUBLELOADER – 185.147.125.81
- [File Hash] DOUBLELOADER sample – SHA256: 3050c464360ba7004d60f3ea7ebdf85d9a778d931fbf1041fa5867b930e1f7fd
- [File Name] Obfuscated sample naming convention – original filename appended with ‘(obf)’
Read more: https://www.elastic.co/security-labs/deobfuscating-alcatraz