
InstallCore Obfuscation Analysis

Author: Uriel Kosayev, Researcher @ Airo Labs

April 30th, 2019

In this blog post we present an obfuscation analysis of the latest variant of the “InstallCore” PUP/PUA adware that we encountered in the wild. The adware acts as an installer and deploys multiple apps on the user’s computer. In its latest version, the main Mach-O executable applies code obfuscation, which makes it more difficult to identify and debug. We will investigate and explain how this obfuscation works.

A quick look at the installer:

[Image: Installcore installer]

And what the installer’s “offers” look like:

[Image: Installcore installer offers]

Obfuscation analysis

When we load the main Mach-O executable of the app bundle in the IDA disassembler, we can see that there are no proper instructions at the entry point (0x100001160) and that the opcodes look obfuscated:

[Image: obfuscated opcodes at the entry point in IDA]

Therefore, we can conclude that the code is deobfuscated at runtime before execution reaches the entry point, and that the binary must contain some deobfuscation functionality that we should find and investigate.

Note that because the opcodes will be overwritten at runtime, we cannot use software breakpoints (the int 3 / 0xCC opcode) to debug the program: a software breakpoint patches the instruction bytes, and the deobfuscation routine would simply overwrite it. Instead, we set a read/write hardware breakpoint at the entry point, execute, and see where the program breaks. We can assume it will be at the place where the deobfuscation occurs:

[Image: hardware breakpoint hit inside the deobfuscation routine]

Here is our deobfuscation routine.

An additional way to find it is to look at the executable segments:

[Image: segment list of the Mach-O executable]

We can notice the “__violably” code segment, which looks unusual and contains clean, readable code:

We can see that it is at the same place where our hardware breakpoint took us earlier.
We can start to analyze this function by finding references to it, to see who calls it (HeroineshipAflight) and what arguments the caller passes:

Here we can find the data structure that contains: the length of the data that needs to be deobfuscated (at offset 0), the deobfuscation key (at offset 0x10) and more:

After spending some time debugging this function we identified that the opcodes at the entry point are deobfuscated in chunks of 0x1000 (4096) bytes and XORed with a 32-byte key (shown above). Every deobfuscated chunk of code is written to a temporary buffer and then copied (_memcpy) back to the original entry point address. In this case our code length is 0x3D9B, so there are 4 chunks in total.
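The following is an added example, not code from the sample or from the original post: a static re-implementation of the deobfuscation step just described, usable to decode a dumped image without running it. It assumes that the 32-byte key is applied cyclically within each chunk (byte i XORed with key[i % 32]); the key itself (`KEY`), the file offset of the entry point (`ENTRY_OFF`), the constructed "clean" opcodes, and the helper names are all placeholders chosen for the example and are not values from the sample.

```python
"""Static re-implementation of the chunked XOR deobfuscation described above.

Added example, not the sample's own code. Assumptions (labelled):
- the 32-byte key is consumed cyclically: byte i of a chunk is XORed with key[i % 32];
- KEY is a constructed placeholder; the real key sits at offset 0x10 of the sample's
  data structure and is only shown in the post's screenshot;
- ENTRY_OFF is an assumed file offset for the entry point 0x100001160.
"""

CHUNK_SIZE = 0x1000   # 4096-byte chunks, as observed in the routine
KEY_LEN = 32          # 32-byte XOR key

# Constructed placeholder key (NOT the real one from the sample).
KEY = bytes(range(0xA0, 0xA0 + KEY_LEN))

# Assumed file offset corresponding to the 0x100001160 entry point.
ENTRY_OFF = 0x1160


def xor_chunk(chunk: bytes, key: bytes) -> bytes:
    """XOR one chunk against the cycling key; this is the content of the temporary buffer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(chunk))


def deobfuscate(image: bytearray, entry_off: int, length: int, key: bytes,
                chunk_size: int = CHUNK_SIZE) -> int:
    """Deobfuscate `length` bytes starting at `entry_off` in place.

    Mirrors the routine: each chunk is decoded into a temporary buffer and then
    copied back over the original location (the _memcpy step). The last chunk is
    shorter when `length` is not a multiple of `chunk_size`.
    Returns the number of chunks processed.
    """
    if len(key) != KEY_LEN:
        raise ValueError("expected a 32-byte key")
    if entry_off + length > len(image):
        raise ValueError("code region extends past the end of the image")
    chunks = 0
    for off in range(entry_off, entry_off + length, chunk_size):
        end = min(off + chunk_size, entry_off + length)   # trailing partial chunk
        tmp = xor_chunk(bytes(image[off:end]), key)        # temporary buffer
        image[off:end] = tmp                               # copy back ("_memcpy")
        chunks += 1
    return chunks


def obfuscate(code: bytes, key: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Inverse of deobfuscate (XOR is self-inverse); used here only to build test input."""
    out = bytearray()
    for off in range(0, len(code), chunk_size):
        out += xor_chunk(code[off:off + chunk_size], key)
    return bytes(out)


def demo() -> tuple:
    """Build a constructed image with a 0x3D9B-byte obfuscated region and recover it.

    Returns (chunks_processed, recovered_equals_original).
    """
    length = 0x3D9B                                            # code length from the analysed sample
    plain = bytes((i * 7 + 3) & 0xFF for i in range(length))   # constructed "clean" opcodes
    image = bytearray(ENTRY_OFF) + bytearray(obfuscate(plain, KEY)) + bytearray(0x100)
    chunks = deobfuscate(image, ENTRY_OFF, length, KEY)
    recovered = bytes(image[ENTRY_OFF:ENTRY_OFF + length])
    return chunks, recovered == plain


if __name__ == "__main__":
    n, ok = demo()
    print(f"chunks processed: {n}, recovered region matches original: {ok}")
```

To use it on a real dump, read the Mach-O into a `bytearray`, take the key from the data structure at offset 0x10 and the length from offset 0, and call `deobfuscate` with the entry point's file offset. Whether the key restarts at every chunk boundary or cycles continuously across chunks makes no difference here, because 0x1000 is a multiple of 32, so both interpretations produce identical output.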

Furthermore, when we put a breakpoint at the end of this function and run the program, we see on the break that the code at the entry point has been overwritten and now looks like proper code.

After re-analyzing the code in IDA, you can see the following understandable and readable code:

It’s important to mention that we analyzed several obfuscated “InstallCore” samples; all of them contained the same deobfuscation algorithm, and the routine always sits in the fourth segment, though under a different segment name in each sample. The “HeroineshipAflight” function name also changes from sample to sample.

Conclusion

Unlike previous versions of “InstallCore”, the actor tries to improve its stealth and employs multiple evasion techniques, probably to evade detection by anti-malware solutions. Even though the obfuscation method is not sophisticated (XOR with a 32-byte key), it can impact detection and make analysis more challenging. Another interesting aspect, which we’ll perhaps cover in a future post, is that on top of encrypting the main Mach-O file, the entire app bundle is also encrypted. This is certainly a level up in the actor’s activity.

IoC (Indicators of Compromise)

Samples:
90281ef6cf2ff1198429362870b942337b295063f3f3e4867e112a0dd27d982d
306ef01bff64022568f1772b52fafae6c0ee2db043c9a725d2f6b15b5e6cccc2
0db25212b7ef87b5b09368085351ebb29aed3aef9a9f796e0ab25f20995b366f

Virus Total:
https://www.virustotal.com/#/file/98ec3933e18f1a5b59fbfc1a8dd4184f72cd6e84e20a1aa1f438b0b04c5f83e4/detection
