OpenAnalysis Inc.

Sean Wilson

Exploring the Impact of Dual-Use Obfuscation Libraries on Threat Intelligence

Code similarity analysis is a fundamental and widely used technique for identifying and attributing malware at the binary level. However, the rising prevalence of open source code obfuscation libraries and their adoption by malware developers pose challenges that must be addressed to maintain the reliability and accuracy of this technique and its associated tools.

In 2022, the leaked Conti ransomware developer chat logs and the subsequent leak of the Conti source code confirmed the use of both an open source string protection library (ADVObfuscator) and an open source code obfuscation library (Obfuscator-LLVM). While these obfuscation libraries had been employed in malware previously, the exposed Conti development process emerged as a defining moment in the malware development ecosystem. Since then, the use of open source obfuscation libraries has grown, with ADVObfuscator and Obfuscator-LLVM becoming common in ransomware code and the adoption of lesser-known obfuscation projects such as xorstr introducing significant challenges for code similarity analysis tools.

Our research examines the impact of these obfuscation libraries on popular analysis tools (e.g., Lumina, BinDiff, and Binlex) and the resulting challenges faced by the threat intelligence processes that employ them. To address these challenges, we propose the use of ground truth binaries, which can be used to fine-tune existing tools and processes. Using real-world case studies, we will work through the challenges posed by these obfuscation libraries and describe how our solution may mitigate the encountered issues.

Sean, a co-founder of OpenAnalysis Inc., splits his time between reverse engineering, tracking malware and building automated malware analysis systems. Sean brings over a decade of experience working in a number of incident response, malware analysis and reverse engineering roles.
