Executable Code Virtualization

September 20, 2023

ID: B0008
Objective(s): Anti-Behavioral Analysis, Anti-Static Analysis
Related ATT&CK Techniques: None
Anti-Analysis Type: Evasion
Version: 2.0
Created: 1 August 2019
Last Modified: 8 May 2023

Code virtualization obfuscates code to hinder static analysis and reverse engineering of the binary, masking the code’s malicious behavior: a disassembler or decompiler shows only the interpreter’s fetch-decode-dispatch loop and its handlers, not the original logic. Code virtualization selects specific parts of the original executable code and transforms them “to bytecode in a new, custom virtual instruction set architecture (ISA)” [1]. As explained further in [1], “At execution time, the bytecode is emulated by an embedded virtual machine (or interpreter) on the real machine. The new ISA can be designed independently, and thus the bytecode and interpreter greatly differ from those in every protected instance. In this way, the program’s original code never reappears.”

While malicious actors can create a custom VM-based obfuscator, as observed in Wslink [2], commercial protectors such as Themida and VMProtect offer code virtualization off the shelf.

Methods

Name | ID | Description
Multiple VMs | B0008.001 | Multiple virtual machines with different architectures (CISC, RISC, etc.) can be used inside of a single executable in order to make reverse engineering even more difficult.
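To make the description above and the Multiple VMs method concrete, the following toy virtualizer is added here as an example; it is not code from MBC, Themida, VMProtect, WPProtect or Wslink. It lifts two small constructed functions into bytecode for two custom ISAs of different architecture, a register machine and a stack machine, each executed by its own embedded interpreter. The opcode numbering and an operand mask are drawn from a per-build seed, so two builds of the same program carry different bytecode while the original function bodies never appear. The functions, mnemonics and encodings are all invented for the illustration.

```python
"""Toy VM-based code virtualizer. Added example: not code from MBC, Themida,
VMProtect, WPProtect or Wslink. Two "native" functions are lifted into
bytecode for two custom ISAs of different architecture, a register machine and
a stack machine, each run by its own embedded interpreter. Opcode numbering and
an operand mask come from a per-build seed, so every build carries different
bytecode while the original function bodies never appear in it."""
import random
import struct

MASK32 = 0xFFFFFFFF

# --- the original ("native") code the protector will hide (constructed) -----
def checksum_native(data: bytes) -> int:
    h = 0x1505
    for b in data:
        h = ((h * 33) ^ b) & MASK32
    return h

def keycheck_native(x: int) -> bool:
    return ((x ^ 0x5A) + 7) & 0xFF == 0x3C

# --- the same functions as abstract instructions for the two machines --------
# Register machine (RISC-like): r0 = h, r1 = byte, r2 = index, r3 = len.
# Each instruction assembles to 13 bytes (opcode + three 32-bit operands);
# jump targets are instruction indices.
REG_IR = [
    ("MOVI", 0, 0x1505, 0),  # 0: r0 = 0x1505
    ("MOVI", 2, 0, 0),       # 1: r2 = 0
    ("LEN",  3, 0, 0),       # 2: r3 = len(input)
    ("JGE",  2, 3, 9),       # 3: if r2 >= r3 goto 9
    ("LDB",  1, 2, 0),       # 4: r1 = input[r2]
    ("MULI", 0, 0, 33),      # 5: r0 = r0 * 33
    ("XOR",  0, 0, 1),       # 6: r0 = r0 ^ r1
    ("ADDI", 2, 2, 1),       # 7: r2 = r2 + 1
    ("JMP",  3, 0, 0),       # 8: goto 3
    ("RET",  0, 0, 0),       # 9: return r0
]
# Stack machine: one opcode byte; only PUSH carries a 32-bit immediate.
STACK_IR = [("ARG",), ("PUSH", 0x5A), ("XOR",), ("PUSH", 7), ("ADD",),
            ("PUSH", 0xFF), ("AND",), ("PUSH", 0x3C), ("EQ",), ("RET",)]
REG_OPS = ["MOVI", "LEN", "JGE", "LDB", "MULI", "XOR", "ADDI", "JMP", "RET"]
STACK_OPS = ["ARG", "PUSH", "XOR", "ADD", "AND", "EQ", "RET"]

# --- the virtualizer: mint a fresh ISA instance and assemble both bodies -----
def virtualize(seed: int):
    rng = random.Random(seed)
    # Per-build ISA: random opcode bytes for each machine, plus a mask XORed
    # into every operand so even shared immediates differ between builds.
    isa = {"reg": dict(zip(REG_OPS, rng.sample(range(256), len(REG_OPS)))),
           "stk": dict(zip(STACK_OPS, rng.sample(range(256), len(STACK_OPS)))),
           "mask": rng.getrandbits(32)}
    m = isa["mask"]
    reg_code = b"".join(struct.pack("<BIII", isa["reg"][op], a ^ m, b ^ m, c ^ m)
                        for op, a, b, c in REG_IR)
    stk_code = b"".join(struct.pack("<BI", isa["stk"][ins[0]], ins[1] ^ m)
                        if ins[0] == "PUSH" else bytes([isa["stk"][ins[0]]])
                        for ins in STACK_IR)
    return isa, reg_code, stk_code

# --- the embedded interpreters: this is all a disassembler gets to see -------
def run_reg_vm(isa, code: bytes, data: bytes) -> int:
    decode = {v: k for k, v in isa["reg"].items()}
    m, regs, pc = isa["mask"], [0] * 8, 0
    while True:                      # fetch, decode, dispatch
        op = decode[code[pc]]
        a, b, c = (x ^ m for x in struct.unpack_from("<III", code, pc + 1))
        pc += 13
        if op == "MOVI": regs[a] = b
        elif op == "LEN": regs[a] = len(data)
        elif op == "JGE" and regs[a] >= regs[b]: pc = c * 13
        elif op == "LDB": regs[a] = data[regs[b]]
        elif op == "MULI": regs[a] = (regs[b] * c) & MASK32
        elif op == "XOR": regs[a] = regs[b] ^ regs[c]
        elif op == "ADDI": regs[a] = (regs[b] + c) & MASK32
        elif op == "JMP": pc = a * 13
        elif op == "RET": return regs[a]

def run_stack_vm(isa, code: bytes, arg: int) -> bool:
    decode = {v: k for k, v in isa["stk"].items()}
    m, st, pc = isa["mask"], [], 0
    while True:
        op = decode[code[pc]]
        pc += 1
        if op == "ARG": st.append(arg)
        elif op == "PUSH":
            st.append(struct.unpack_from("<I", code, pc)[0] ^ m); pc += 4
        elif op == "RET": return st.pop()
        else:                        # binary operators pop b then a
            b, a = st.pop(), st.pop()
            st.append({"XOR": a ^ b, "ADD": (a + b) & MASK32,
                       "AND": a & b, "EQ": a == b}[op])

if __name__ == "__main__":
    isa, reg_code, stk_code = virtualize(seed=2023)
    print(hex(run_reg_vm(isa, reg_code, b"constructed input")),
          run_stack_vm(isa, stk_code, 0x6F))
```

Building twice with different seeds produces bytecode that shares nothing but its length, yet both builds return exactly what the native functions return; the only x86-visible code in a protected sample is the equivalent of the two dispatch loops. Real protectors go further than this toy (handler obfuscation, junk instructions, and, as in Wslink [2], VMs nested inside VMs), but the analysis cost comes from the same place: every protected instance needs its own ISA recovered before the bytecode means anything.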

Use in Malware

Name | Date | Method | Description
Locky Bart | 2017 | -- | Code virtualization is added to the Locky Bart binary using WPProtect. [3]

References

[1] D. Xu, J. Ming, Y. Fu, and D. Wu, "VMHunt: A Verifiable Approach to Partially-Virtualized Binary Code Simplification," in 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS ’18), Toronto, ON, Canada, pp. 442-458. [Online]. Available: https://doi.org/10.1145/3243734.3243827.

[2] V. Hrčka, "Under the hood of Wslink’s multilayered virtual machine," welivesecurity.com, 28 March 2022. [Online]. Available: https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-virtual-machine.

[3] Malwarebytes Labs, "Locky Bart ransomware and backend server analysis," blog.malwarebytes.com, January 2017. [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/.