LummaC2: Hiding Code with Indirect Control Flow

LummaC2 (LUMMAC.V2) uses customized control flow indirection and dispatcher blocks to complicate binary analysis. Researchers developed symbolic backward slicing to remove the protection and recover the original control flow, enabling deobfuscation and improved detection. #LUMMAC.V2 #LummaC2 #DispatcherBlocks #BackwardSlicing #ObfuscatingCompiler

Keypoints

  • LummaC2 protects its final payload with a control flow obfuscation that defeats disassemblers and decompilers which rely on statically recovering the control flow graph.
  • The protection replaces direct jumps and branches with customized control flow indirection: dispatcher blocks compute the jump target at runtime, so the target never appears as an immediate in the code.
  • The authors recover the original control flow by symbolic backward slicing from each indirect jump: the instructions that feed the jump register are collected and evaluated, which yields the concrete target(s) and enables deobfuscation and improved detection.
  • Obfuscating compilers transform binaries to resist analysis and often interleave original and obfuscated instructions, so the two must be separated before the original code can be recovered.
  • Dispatcher blocks come in two main types, unconditional (a single target) and conditional (the target depends on a flag), and their layout can be register-based, memory-based, or mixed-order.
  • Memory-based layouts (dispatcher operands held in memory rather than in registers) and mixed-order layouts (dispatcher instructions interleaved with original code) add complexity to the slicing and to the cleanup of the recovered code.
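The following Python model, added to this summary and not taken from the Mandiant/Google write-up or from LummaC2 itself, shows the idea behind backward slicing a dispatcher block. It uses a constructed three-operand instruction format (a few x86-like ops rather than real disassembly), a constructed block with a memory-based conditional dispatcher interleaved with original code (the mixed-order layout), and a register-based unconditional dispatcher; the addresses, register names and image base are all made up for the example.

```python
"""Toy model of dispatcher-block deobfuscation by backward slicing.

Illustrative code written for this summary; NOT the researchers' tooling,
which works on real x86 inside a binary-analysis framework.
Instructions are tuples (op, dst, src). Operands are register names,
memory slots written as "[...]", or integer immediates (constructed format).
"""

# Operands each op reads in addition to an explicit src operand.
READS = {
    "mov": (),
    "add": ("dst",),
    "cmovz": ("dst", "ZF"),   # moves only when ZF=1, so depends on the flag
}

def _locs(*ops):
    """Keep only locations (registers / memory slots), drop immediates."""
    return [o for o in ops if isinstance(o, str)]

def backward_slice(block):
    """Indices of the instructions the final `jmp reg` depends on.

    Walk backwards from the jump, tracking the set of locations whose value
    is still needed; an instruction belongs to the slice iff it writes one
    of them. Original-code instructions interleaved with the dispatcher
    (mixed-order layout) are skipped because nothing needed depends on them.
    """
    op, target, _ = block[-1]
    assert op == "jmp", "block must end in an indirect jump"
    need = {target}
    picked = []
    for i in range(len(block) - 2, -1, -1):
        op, dst, src = block[i]
        if dst not in need:
            continue
        picked.append(i)
        if "dst" not in READS[op]:        # a plain mov kills the old value
            need.discard(dst)
        need.update(_locs(src))
        if "ZF" in READS[op]:
            need.add("ZF")
    return sorted(picked)

def _eval(block, indices, zf):
    """Execute the slice concretely under one assumed flag value.

    Returns the jump target, or None if the slice reads a location that the
    block never defines (a genuinely data-dependent jump we must not guess).
    """
    state = {"ZF": zf}
    for i in indices:
        op, dst, src = block[i]
        val = src if isinstance(src, int) else state.get(src)
        if op == "mov":
            state[dst] = val
        elif op == "add":
            if val is None or state.get(dst) is None:
                return None
            state[dst] = (state[dst] + val) & 0xFFFFFFFFFFFFFFFF
        elif op == "cmovz" and zf:
            state[dst] = val
    return state.get(block[-1][1])

def resolve_dispatcher(block):
    """Classify the dispatcher and return (kind, set_of_targets).

    Evaluating the slice under both flag outcomes yields one target for an
    unconditional dispatcher and two for a conditional one.
    """
    idx = backward_slice(block)
    targets = {_eval(block, idx, zf) for zf in (False, True)}
    if None in targets:
        return "unresolved", set()
    return ("unconditional" if len(targets) == 1 else "conditional"), targets

IMAGE_BASE = 0x401000   # constructed

# Constructed: memory-based conditional dispatcher, mixed with original code.
COND_MIXED_BLOCK = [
    ("mov", "[rsp+0x18]", 0x1a0),     # dispatcher: stash target offset in memory
    ("mov", "rax", "[rbx+0x10]"),     # original code
    ("add", "rax", 1),                # original code
    ("mov", "rcx", "[rsp+0x18]"),     # dispatcher: reload the offset
    ("mov", "rdx", 0x2f0),            # dispatcher: alternative offset
    ("cmovz", "rcx", "rdx"),          # dispatcher: select on the branch flag
    ("mov", "[rbx+0x20]", "rax"),     # original code
    ("add", "rcx", IMAGE_BASE),       # dispatcher: make the target absolute
    ("jmp", "rcx", None),
]

# Constructed: register-based unconditional dispatcher.
UNCOND_REG_BLOCK = [
    ("mov", "rdx", 0x5c),
    ("mov", "rcx", IMAGE_BASE),
    ("add", "rcx", "rdx"),
    ("jmp", "rcx", None),
]

# Constructed: a real data-dependent jump; the slicer refuses to guess.
UNRESOLVED_BLOCK = [("mov", "rcx", "[rdi+8]"), ("jmp", "rcx", None)]

if __name__ == "__main__":
    for name, blk in [("cond/mixed", COND_MIXED_BLOCK),
                      ("uncond/register", UNCOND_REG_BLOCK),
                      ("data-dependent", UNRESOLVED_BLOCK)]:
        kind, targets = resolve_dispatcher(blk)
        print(name, kind, sorted(hex(t) for t in targets),
              "slice:", backward_slice(blk))
```

The slice indices double as the list of instructions to delete once the indirect jump is rewritten into a direct `jmp`/`jcc`; everything the slice did not pick is original code and stays. A real implementation has to track flags through the instruction that sets them, handle partial registers, and stop at block boundaries, none of which this toy does.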

MITRE Techniques

  • [T1027] Obfuscated Files or Information – LummaC2's control flow indirection and dispatcher blocks hide the payload's real control flow, and with it its purpose and functionality, from static analysis tools.
  • [T1055] Process Injection – Malware may inject code into other processes to execute its payload; the dispatcher-based indirection then shapes the execution flow of that injected code as well.

Indicators of Compromise

  • [MD5] Host-based IOCs – LummaC2 (LUMMAC.V2) samples: d01e27462252c573f66a14bb03c09dd2, 5099026603c86efbcf943449cd6df54a, and 205e45e123aea66d444feaba9a846748

Read more: https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscation-through-indirect-control-flow/