Experts Detail Virtual Machine Used by Wslink Malware Loader for Obfuscation
2022-03-29 05:15

Cybersecurity researchers have shed more light on a malicious loader that runs as a server and executes received modules in memory, laying bare the structure of an "Advanced multi-layered virtual machine" used by the malware to fly under the radar.

Packed with a file compression utility named NsPack, Wslink uses what's called a process virtual machine (a mechanism that runs an application in a platform-independent manner by abstracting the underlying hardware or operating system) as an obfuscation method, but with a crucial difference.

"Virtual machines used as obfuscation engines [...] are not intended to run cross-platform applications and they usually take machine code compiled or assembled for a known ISA, disassemble it, and translate that to their own virtual ISA," ESET malware analyst Vladislav Hrčka said.

"The strength of this obfuscation technique resides in the fact that the ISA of the VM is unknown to any prospective reverse engineer - a thorough analysis of the VM, which can be very time-consuming, is required to understand the meaning of the virtual instructions and other structures of the VM."

What's more, the virtualized Wslink malware package comes with a diverse arsenal of tactics to hamper reverse engineering, including junk code, encoding of virtual operands, merging of virtual instructions, and the use of a nested virtual machine.

"Obfuscation techniques are a kind of software protection intended to make code hard to understand and hence conceal its objectives; obfuscating virtual machine techniques have become widely misused for illicit purposes such as obfuscation of malware samples, since they hinder both analysis and detection," Hrčka said.


News URL

https://thehackernews.com/2022/03/experts-detail-virtual-machine-used-by.html