Researchers Detailed APT28’s HTA Trojan Multi-Layer Obfuscation Techniques

A security researcher known as “Seeker” has published an in-depth analysis of advanced obfuscation techniques employed by APT28, a threat actor known for sophisticated cyber espionage operations.

The report provides a comprehensive examination of a heavily obfuscated HTA Trojan used by APT28 in campaigns targeting diplomatic relations in Central Asia and Kazakhstan.

The malware sample, with MD5 hash d0c3b49e788600ff3967f784eb5de973, showcases multiple layers of obfuscation, making it particularly difficult to analyze.

A security analyst at Malware Analysis Space noted that the malware uses the VBE (VBScript Encoded) technique combined with custom obfuscation methods to evade detection and analysis.

Initial examination of the obfuscated code revealed distinctive patterns where “@#@” characters were used to split long strings, providing the first clue to the researcher.

Manually split with ‘@#@’ (Source – Malware Analysis Space)

Through manual splitting and careful debugging with x32dbg, the researcher was able to trace the deobfuscation process character by character.

The analysis revealed that the Trojan uses a custom map algorithm to decode the obfuscated strings.

Map algorithm (Source – Malware Analysis Space)

The algorithm operates within a specific address range, 6DB59CF0 to 6DB59FF0, as noted in Figure 9 of the report, which illustrates the mapping between obfuscated and deobfuscated strings.

Deobfuscation Process

The researcher discovered that the obfuscation technique leverages Windows vbscript.dll to generate the embedded strings used in the deobfuscation process.

This represents a sophisticated implementation of Microsoft’s Windows Script Encoder (screnc.exe) functionality, which is typically used to encode VBScript (.vbs) and JavaScript (.js) files.

Through methodical debugging, the researcher identified key indicators of VBE encoding, including the beginning flag “#@~” and the ending flag “#@~$”.

Using a Python script called “vbe-decoder.py” from GitHub, the researcher successfully deobfuscated the malware, revealing its actual functionality.

The deobfuscation process yielded several intermediary files with varying hash values, culminating in the final malware sample with MD5 hash 2505649df3f33cf3b65059d338e3dd6f.
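The three static tells the report names (the "@#@" string-split marker, the "#@~" Script Encoder start flag, and the two MD5 hashes) can be combined into a single triage routine. The following is an added example, not code from the researcher's report; the sample HTA bytes are constructed for illustration and are not taken from the malware.

```python
import hashlib
import sys

# MD5 hashes quoted in the report: the obfuscated HTA and the final deobfuscated sample.
KNOWN_SAMPLE_MD5 = {
    "d0c3b49e788600ff3967f784eb5de973": "APT28 HTA Trojan (obfuscated)",
    "2505649df3f33cf3b65059d338e3dd6f": "APT28 HTA Trojan (fully deobfuscated)",
}

VBE_START_FLAG = b"#@~"  # beginning flag of a Windows Script Encoder (VBE) block, as reported
SPLIT_MARKER = b"@#@"    # separator the sample uses to split long strings

# Constructed sample input (not the real malware): one VBE start flag, two split markers.
SAMPLE_HTA = (
    b'<html><script language="VBScript">\r\n'
    b'Dim s\r\ns = "#@~^ZGVtbw==@#@WScript.Echo@#@demo"\r\n'
    b"</script></html>"
)


def triage_hta(data: bytes) -> dict:
    """Static triage of an HTA/VBS blob: hash lookup plus the two obfuscation tells."""
    md5 = hashlib.md5(data).hexdigest()
    # Splitting on the marker recovers the fragments the author joined together;
    # a script carrying many such fragments merits a closer look even when the hash is new.
    segments = [s for s in data.split(SPLIT_MARKER) if s]
    vbe_flags = data.count(VBE_START_FLAG)
    split_count = data.count(SPLIT_MARKER)
    return {
        "md5": md5,
        "known_sample": KNOWN_SAMPLE_MD5.get(md5),
        "vbe_start_flags": vbe_flags,
        "split_marker_count": split_count,
        "segments": segments,
        "suspicious": md5 in KNOWN_SAMPLE_MD5 or vbe_flags > 0 or split_count >= 2,
    }


if __name__ == "__main__":
    # Triage a file given on the command line, or the constructed sample otherwise.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HTA
    result = triage_hta(blob)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a saved HTA to get the hash lookup and marker counts in one pass; a hit on either marker is a reason to hand the file to a VBE decoder such as the one the researcher used.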

Complete deobfuscated malware code (Source – Malware Analysis Space)

The analysis showcases APT28’s ongoing efforts to enhance their obfuscation techniques for cyber espionage campaigns.

The researcher warns that this evolution represents a significant threat to digital security and recommends heightened vigilance against such sophisticated attacks.

The report also includes comprehensive IOCs, including file hashes and network indicators, to help security professionals identify and mitigate this threat.
