Malware Analysis: KorPlug - Uncovering Tactics, Techniques, and Procedures, Exploring Control Flows, and Identifying Indicators of Compromise
The KorPlug malware, associated with the Chinese espionage group known as Mustang Panda (also known as Earth Preta), has been the subject of intense scrutiny in recent cybersecurity investigations. In this article, we delve into the intricate workings of this malware, shedding light on its unconventional loading methods, obfuscation techniques, and complex control flow graph (CFG).
The Structure and Execution of KorPlug
The decrypted payload keeps the layout of a DLL (MZ/PE headers, section table) but is never mapped by the Windows loader. Its first bytes are themselves executable: they contain a jump that transfers control straight to the initialization routine, so the usual steps of loading a Windows DLL, including DllMain and the checks that go with a normal load, are all bypassed.
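As an added example (not code from the analysis), the check a practitioner would run on such a blob: build_payload() constructs a toy DLL image whose leading bytes hold a jmp rel32, and header_jump_target() decodes that jump to find where execution really starts. The layout (jump at byte 2, init routine at 0x400, PE signature at 0x80) is invented for the example; real samples differ.

```python
"""Added, constructed example: locate the jump hidden in a DLL-shaped blob's first bytes."""
import struct


def build_payload(init_offset=0x400, size=0x600):
    """Construct a toy blob: 'MZ' (dec ebp / pop edx on x86, harmless as code),
    a rel32 jmp to the init routine, and an e_lfanew pointing at 'PE\\0\\0'.
    Offsets are invented for this example."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    jmp_at = 2
    buf[jmp_at] = 0xE9                                   # jmp rel32
    buf[jmp_at + 1:jmp_at + 5] = struct.pack("<i", init_offset - (jmp_at + 5))
    pe_at = 0x80
    buf[0x3C:0x40] = struct.pack("<I", pe_at)            # e_lfanew
    buf[pe_at:pe_at + 4] = b"PE\0\0"
    buf[init_offset:init_offset + 3] = b"\x55\x89\xe5"   # push ebp; mov ebp, esp
    return bytes(buf)


def looks_like_pe(blob):
    """True if the blob carries an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def header_jump_target(blob, window=16):
    """Decode the first jmp (E9 rel32 or EB rel8) within the leading `window` bytes
    and return its absolute file offset, or None if there is no jump. A target that
    leaves the blob is treated as an error rather than silently followed."""
    for i in range(min(window, len(blob) - 1)):
        op = blob[i]
        if op == 0xE9 and i + 5 <= len(blob):
            target = i + 5 + struct.unpack_from("<i", blob, i + 1)[0]
        elif op == 0xEB:
            target = i + 2 + struct.unpack_from("<b", blob, i + 1)[0]
        else:
            continue
        if not 0 <= target < len(blob):
            raise ValueError(f"jump at {i:#x} targets {target:#x}, outside the blob")
        return target
    return None


if __name__ == "__main__":
    blob = build_payload()
    print("PE-shaped:", looks_like_pe(blob))
    print("execution starts at:", hex(header_jump_target(blob)))
```

The decoded target is the offset to hand to the disassembler as the real entry point; the PE entry point in the optional header is irrelevant because the loader never runs.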
The initialization function called from the loader stage has an unusually tangled control flow graph (CFG), which we attribute to the binary having been built with O-LLVM (Obfuscator-LLVM), an obfuscating fork of the LLVM compiler. Its passes, control flow flattening, bogus control flow (fake branches) and instruction substitution, make reverse-engineering this function by hand a slow and error-prone task.
The Core Logic and Execution Paths
Inside the flattened function the original basic blocks remain recognizable. Each one ends by assigning the state variable, either unconditionally with a MOV or conditionally with a MOV followed by a CMOVZ, and then jumping back toward the dispatcher. The dispatcher compares the state variable against a set of constants and branches to the block that matches, so what looks like an opaque loop is really a table of state-driven transitions; recovering the original control flow means resolving those transitions into direct edges.
The pre-dispatcher block is easy to spot: it has many predecessors, since every real block jumps to it, and contains nothing but a jump to the first dispatcher block. Tail blocks are pure transition jumps that carry no logic; once the real successors are known they are marked for removal.
Automating the Analysis Process
Using Python and the angr framework, we wrote an unflattening script that counts the blocks, catalogs the state values the dispatcher compares against, and patches the binary so that each real block jumps directly to its successor. It complements existing tools such as MODeflattener and is written to be extended to other O-LLVM-obfuscated samples.
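As an added, constructed illustration of the block taxonomy and the unflattening steps described above (it is not the team's angr script and does not touch a binary): the toy FLAT dictionary imitates the block shapes of a flattened function, and deflatten() finds the pre-dispatcher by predecessor count, walks the dispatcher's compare chain into a state-to-block table, reads each real block's MOV/CMOVZ state assignments to recover its successors, and rewrites the tail jumps. Block names, state constants and the instruction-tuple format are invented for the example.

```python
"""Added, constructed example: unflattening a toy O-LLVM-style flattened CFG."""
from collections import defaultdict

STATE = "state"   # the flattening state variable

# Constructed flattened function; each block is a list of instruction tuples.
FLAT = {
    "entry": [("mov", STATE, 0x11), ("jmp", "pre")],
    "pre":   [("jmp", "d0")],                                  # pre-dispatcher
    "d0":    [("cmp", STATE, 0x11), ("jz", "A"),                # dispatcher chain
              ("cmp", STATE, 0x22), ("jz", "B"), ("jmp", "d1")],
    "d1":    [("cmp", STATE, 0x33), ("jz", "C"),
              ("cmp", STATE, 0x44), ("jz", "exit"), ("jmp", "pre")],
    "A":     [("call", "init"), ("mov", STATE, 0x22), ("jmp", "pre")],
    "B":     [("test", "eax"), ("mov", STATE, 0x44),
              ("cmovz", STATE, 0x33), ("jmp", "pre")],         # ZF=1 -> 0x33, else 0x44
    "C":     [("call", "work"), ("mov", STATE, 0x22), ("jmp", "pre")],
    "exit":  [("ret",)],
}


def predecessors(blocks):
    """Map each block name to the set of blocks that branch to it."""
    preds = defaultdict(set)
    for name, ins in blocks.items():
        for op in ins:
            if op[0] in ("jmp", "jz", "jnz"):
                preds[op[1]].add(name)
    return preds


def is_dispatcher(ins):
    """Dispatcher blocks open with a compare against the state variable."""
    return bool(ins) and ins[0][0] == "cmp" and ins[0][1] == STATE


def find_pre_dispatcher(blocks, preds):
    """The pre-dispatcher is a lone jmp with the most predecessors."""
    cands = [n for n, ins in blocks.items() if len(ins) == 1 and ins[0][0] == "jmp"]
    return max(cands, key=lambda n: len(preds[n]))


def dispatcher_table(blocks, first):
    """Walk the cmp/jz chain from `first`; return (state -> block map, chain)."""
    table, chain, cur = {}, [], first
    while cur in blocks and is_dispatcher(blocks[cur]) and cur not in chain:
        chain.append(cur)
        ins, nxt = blocks[cur], None
        for i, op in enumerate(ins):
            if op[0] == "cmp" and op[1] == STATE and i + 1 < len(ins) and ins[i + 1][0] == "jz":
                table[op[2]] = ins[i + 1][1]
            elif op[0] == "jmp":
                nxt = op[1]
        cur = nxt
    return table, chain


def state_assignments(ins):
    """Return (mov value, cmovz value); cmovz is None for unconditional blocks."""
    mov = cmov = None
    for op in ins:
        if op[0] == "mov" and op[1] == STATE:
            mov = op[2]
        elif op[0] == "cmovz" and op[1] == STATE:
            cmov = op[2]
    return mov, cmov


def deflatten(blocks):
    """Recover real successor edges and emit patched blocks with direct jumps."""
    preds = predecessors(blocks)
    pre = find_pre_dispatcher(blocks, preds)
    table, chain = dispatcher_table(blocks, blocks[pre][0][1])
    real = sorted(n for n in preds[pre] if not is_dispatcher(blocks[n]))
    edges, patched = {}, {}
    for name in real:
        mov, cmov = state_assignments(blocks[name])
        # drop the state assignments and the jump back to the pre-dispatcher
        body = [op for op in blocks[name] if op[1:2] != (STATE,) and op != ("jmp", pre)]
        if cmov is None:
            edges[name] = [table[mov]]
            body.append(("jmp", table[mov]))
        else:
            edges[name] = [table[cmov], table[mov]]   # taken when ZF=1, else fall-through
            body += [("jz", table[cmov]), ("jmp", table[mov])]
        patched[name] = body
    for name, ins in blocks.items():           # keep non-flattened blocks, drop backbone
        if name not in patched and name != pre and name not in chain:
            patched[name] = list(ins)
    stats = {"pre_dispatcher": pre, "dispatcher_chain": chain,
             "state_values": sorted(table), "real_blocks": real}
    return patched, edges, stats


if __name__ == "__main__":
    _, edges, stats = deflatten(FLAT)
    print(stats)
    for src, dsts in edges.items():
        print(f"{src} -> {dsts}")
```

The CMOVZ case is the one that matters: the conditionally assigned value is the successor for the zero-flag branch, the preceding MOV is the fall-through, so the patched block needs a JZ plus a JMP rather than a single jump. On a real binary the same logic runs over angr basic blocks and the patched tails are written back with the original block lengths in mind.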
The Second Stage and the Sample's Unique Features
The second stage is entered through a specific entry function rather than DllMain. The sample runs its code shellcode-style by passing the code's address as the callback to the Windows API EnumSystemGeoID, so the API itself makes the first call into the payload. The backbone (dispatcher) blocks check the state variable with JMP, MOV, SUB and JZ sequences: the SUB against a constant sets the zero flag on a match and the JZ takes the branch.
Testing open-source deobfuscators such as MODeflattener against this sample showed clear limitations, so tailored adaptations were required. The entry function and the EnumSystemGeoID trick are exactly the sort of sample-specific features those adaptations must account for.
In conclusion, KorPlug remains a demanding target. The methodology described here, identifying the dispatcher, pre-dispatcher and state assignments and then patching direct jumps back in, is a flexible framework that transfers to similar obfuscation schemes with modest adaptation.