Malware Analysis: Technical Insights into the Operational Strategies, Command Structures, and Indicators of Compromise of the KorPlug Virus
In a groundbreaking development, cybersecurity firm GBHackers has successfully deobfuscated the KorPlug malware, shedding light on its intricate second-stage payload and O-LLVM-based control flow obfuscation. The findings were detailed in their publication, "Unmasking KorPlug Malware."
The deobfuscation script replaces the obfuscated jumps with direct or conditional jump instructions, pads with NOPs (No Operation) to preserve alignment, and removes the Dispatcher and Backbone blocks that are no longer needed. Analysis of the final phase shows that the decrypted payload retains the standard structure of a DLL (Dynamic Link Library), but it is executed through unconventional loading methods rather than the normal loader.
The function called by the loader stage presents an unusual structure in the control flow graph (CFG). The Dispatcher manipulates a status variable to resolve execution paths, while Backbone blocks enforce variable checks via JMP (Jump), MOV (Move), SUB (Subtract), and JZ (Jump if Zero) sequences.
The second stage binary file, with a size of 624.00 KB, is an x86 PE (Portable Executable). The Pre-Dispatcher Block is characterized by numerous predecessors and a simple jump to the initial Dispatcher. Tail blocks are pure transition jumps and are marked for removal.
O-LLVM (Obfuscator-LLVM), a modified build of the LLVM compiler, is responsible for the complexity of the control flow graph. It employs control flow flattening, fake branches, and instruction substitution to hinder detection and analysis. Relevant blocks contain the core logic of the malware and fall into two types: simple blocks, which assign a fixed status value with MOV, and conditional blocks, where a CMOVZ selects between two status values.
Evaluations of open-source deobfuscators such as MODeflattener showed clear limitations in this case, requiring tailored adaptations for effective analysis. A deobfuscation script was developed in Python on the angr framework to automate block counting, cataloguing of status values, and patching of the binary.
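A simplified, added illustration of the unflattening that such a script automates (my own constructed example, not the GBHackers script and not KorPlug's real blocks): it maps each status value to the block the Dispatcher selects, resolves every relevant block's real successor(s), writes the direct JMP or JZ+JMP patch padded with NOPs, and marks the Dispatcher, Backbone and unreachable fake-branch blocks for removal. The addresses, status values and 12-byte tail size are assumptions.

```python
from dataclasses import dataclass
@dataclass
class Block:
    addr: int
    kind: str            # 'simple' (MOV status), 'conditional' (CMOVZ status) or 'return'
    states: tuple = ()   # simple: (next,)   conditional: (status if ZF set, status otherwise)

# Constructed sample (not KorPlug's real values): status -> block cases, dispatcher/backbone addresses, blocks
JMP_LEN, JZ_LEN, TAIL = 5, 6, 12   # E9 rel32, 0F 84 rel32, bytes in each block's MOV+JMP tail
DISPATCHER = {0x1111: 0x401000, 0x2222: 0x401020, 0x3333: 0x401040, 0x4444: 0x401060}
DISPATCHER_BLOCKS = {0x400f00, 0x400f10, 0x400f20}   # pre-dispatcher, dispatcher, backbone
BLOCKS = {
    0x401000: Block(0x401000, 'simple', (0x2222,)),
    0x401020: Block(0x401020, 'conditional', (0x3333, 0x4444)),
    0x401040: Block(0x401040, 'simple', (0x2222,)),   # loops back to the conditional block
    0x401060: Block(0x401060, 'return'),
    0x401080: Block(0x401080, 'simple', (0x4444,)),   # fake branch: no status value selects it
}

def resolve_successors(blocks, dispatcher):
    """Translate each block's status value(s) into the block the dispatcher would select."""
    for addr, blk in blocks.items():
        for s in blk.states:
            if s not in dispatcher:
                raise ValueError(f"block {addr:#x} sets status {s:#x} with no dispatcher case")
    return {addr: tuple(dispatcher[s] for s in blk.states) for addr, blk in blocks.items()}

def build_patches(blocks, succ):
    """Direct JMP for simple blocks, JZ + JMP for conditional ones, NOP-padded to TAIL bytes."""
    patches = {}
    for addr, targets in succ.items():
        if blocks[addr].kind == 'simple':
            instrs, used = [f"jmp {targets[0]:#x}"], JMP_LEN
        elif blocks[addr].kind == 'conditional':
            instrs, used = [f"jz {targets[0]:#x}", f"jmp {targets[1]:#x}"], JZ_LEN + JMP_LEN
        else:
            continue   # return blocks never go through the dispatcher
        if used > TAIL:
            raise ValueError(f"block {addr:#x}: patch needs {used} bytes, tail has {TAIL}")
        patches[addr] = instrs + ["nop"] * (TAIL - used)
    return patches

def removable(succ, entry, dispatcher_blocks):
    """Dispatcher/backbone blocks plus relevant blocks no resolved edge reaches (fake branches)."""
    seen, work = set(), [entry]
    while work:
        a = work.pop()
        seen.add(a)
        work += [n for n in succ.get(a, ()) if n not in seen]
    return dispatcher_blocks | (set(succ) - seen)
```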
The second stage of the KorPlug malware is activated via a specific entry function. The SHA-256 Hash of the second stage binary file is .
This approach demystifies the behavior of KorPlug, such as variable-controlled transitions for modular execution. The methodology offers a flexible framework that can be adapted to similar obfuscation schemes. However, reversing the function remains challenging due to the obfuscation mechanisms.
This discovery by GBHackers provides valuable insights into the workings of the KorPlug malware and offers a foundation for future research in the field of cybersecurity.