# Inline obfuscation in caches - ties2/Red-Team GitHub Wiki

Bypassing antivirus software is a common objective for attackers in order to execute malicious code on a target system without being detected. One technique used to bypass antivirus software is inline obfuscation in caches. This technique involves manipulating the cache data of a program in order to hide the malicious code from antivirus software. This essay will explore the technique of inline obfuscation in caches and its effectiveness in bypassing antivirus software.

## Overview of Inline Obfuscation in Caches

Inline obfuscation in caches is a technique used by attackers to hide malicious code from antivirus software. A cache is a temporary storage area where frequently accessed data is kept for fast access; by manipulating the cache data of a program, attackers hide malicious code where antivirus software is less likely to inspect it.

The technique involves adding junk code to the program to obfuscate the malicious code. This junk code does not affect the program’s functionality but is designed to confuse antivirus software. When the program is executed, the junk code is loaded into the cache along with the program code. This makes it difficult for antivirus software to detect the malicious code as it is hidden within the junk code.

## Examples of Inline Obfuscation in Caches

One example of inline obfuscation in caches is the technique used by the Hancitor malware. Hancitor is a Trojan that is typically delivered via a spam email attachment. Once installed on a target system, Hancitor downloads and installs additional malware, such as the Pony Trojan.

Hancitor uses a technique known as “cacher” to hide the Pony Trojan from antivirus software. The malware uses the cache data of legitimate programs on the target system to store the Pony Trojan. This makes it difficult for antivirus software to detect the malware as it is hidden within the cache data of a legitimate program.

Another example of inline obfuscation in caches is the technique used by the Emotet malware. Emotet is a Trojan that is typically delivered via spam email attachments or malicious links. Once installed on a target system, Emotet downloads and installs additional malware, such as the TrickBot Trojan.

Emotet uses a technique known as “cache stuffing” to hide the TrickBot Trojan from antivirus software. The malware fills the cache of a legitimate program on the target system with junk data and the TrickBot Trojan. When the program is executed, the junk data is loaded into the cache along with the program code. This makes it difficult for antivirus software to detect the TrickBot Trojan as it is hidden within the junk data.

## Effectiveness of Inline Obfuscation in Caches

Inline obfuscation in caches can be an effective technique for bypassing antivirus software. By hiding the malicious code within the cache data of a legitimate program, attackers can evade detection by antivirus software. However, this technique is not foolproof and can be detected by advanced antivirus software.

Antivirus software is becoming more sophisticated and can detect the use of inline obfuscation in caches. Some antivirus software uses behavioral analysis to detect the use of this technique by identifying suspicious cache activity. Antivirus software can also monitor the system’s cache activity to detect any unusual behavior.
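The detection angle in the paragraph above can be illustrated with a small content-inspection scan. The script below is an added example, not code from the wiki or from any antivirus product: it walks a cache directory, flags entries that begin with or embed an executable header behind junk padding, and flags entries whose byte entropy is high enough to suggest packed or encrypted payload data. The cache layout (`index.json` plus `entry_NNNN` files), the sample contents, and the entropy threshold are all constructed assumptions for the demonstration; a real detector would be tuned per application and combined with the behavioral signals the text mentions.

```python
"""Scan a program cache directory for blobs that look like hidden executables.

Added example for the wiki page; not a real AV engine. Assumes cache entries
are ordinary files on disk (constructed layout, see build_sample_cache).
"""
import math
import tempfile
from pathlib import Path

# Executable file signatures we look for inside cache blobs.
EXEC_MAGICS = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_blob(data: bytes, entropy_threshold: float = 7.2) -> list:
    """Return the reasons a cache blob is suspicious; an empty list means clean.

    Two checks: an executable header at offset 0 or embedded after junk
    padding, and unusually high entropy (packed/encrypted content) for blobs
    large enough for the measure to be meaningful.
    """
    reasons = []
    for magic, name in EXEC_MAGICS.items():
        if data.startswith(magic):
            reasons.append(f"starts with {name} header")
        elif magic in data[1:]:
            offset = data.find(magic)
            reasons.append(f"contains embedded {name} header at offset {offset}")
    if len(data) >= 256:
        ent = shannon_entropy(data)
        if ent > entropy_threshold:
            reasons.append(f"high entropy {ent:.2f}")
    return reasons


def scan_cache_dir(root) -> dict:
    """Map file name -> reasons for every suspicious file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            reasons = classify_blob(path.read_bytes())
            if reasons:
                findings[path.name] = reasons
    return findings


def build_sample_cache(root) -> None:
    """Write a constructed cache: two benign entries and two planted ones."""
    root = Path(root)
    # Benign: an index file and a cached stylesheet.
    (root / "index.json").write_bytes(
        b'{"entries": [{"url": "https://example.test/app.css"}]}'
    )
    (root / "entry_0001").write_bytes(b"body { color: red; }\n" * 20)
    # Planted: junk padding followed by a fake PE header (constructed bytes).
    junk = b"JUNKPADDING" * 50
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    (root / "entry_0002").write_bytes(junk + fake_pe)
    # Planted: a deterministic maximum-entropy blob standing in for packed data.
    (root / "entry_0003").write_bytes(bytes(range(256)) * 16)


def run_demo() -> dict:
    """Build the sample cache in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return scan_cache_dir(tmp)


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running the script prints only the two planted entries: `entry_0002` because of the PE header at offset 550 behind the padding, and `entry_0003` because its entropy is 8.0. The point of the two checks is complementary coverage: a header scan catches a payload that is merely padded, while the entropy check catches one that is packed or encrypted and therefore has no recognisable header.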

## Conclusion

Inline obfuscation in caches is a technique used by attackers to bypass antivirus software. The technique involves adding junk code to a program to confuse antivirus software and hide the malicious code within the cache data of a legitimate program. This technique has been used by malware such as Hancitor and Emotet to evade detection by antivirus software. However, advanced antivirus software can detect the use of this technique by monitoring the system’s cache activity and identifying suspicious behavior. Therefore, while inline obfuscation in caches can be effective, it is not foolproof and should not be relied upon as the sole method of bypassing antivirus software.