LummaC2: Obfuscation Through Indirect Control Flow

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

This analysis examines a control flow obfuscation technique used by recent LummaC2 stealer samples. The malware employs customized control flow indirection to manipulate execution, hindering reverse engineering and automated analysis. The obfuscation transforms functions into 'dispatcher blocks' that use encoded offsets and indirect jumps to obscure the original control flow. Three main dispatcher types are identified: register-based, memory-based, and mixed-order. The analysis also covers conditional dispatcher logic for loops and syscalls. To deobfuscate, the researchers developed an automated method using symbolic backward slicing to differentiate dispatcher instructions from original code and recover the true control flow. This allows rebuilding deobfuscated functions for analysis.

OPENCTI LABELS:

lummac2
