Hi Reverser,
Let’s do some stuff. Today I would like to share another malware evasion technique. This one is a bit different: it is not about executables, but it is still good to know. It is a JavaScript evasion technique that uses obfuscation to bypass some protection controls.
Researchers have developed many techniques, but I would like to share the basic one. This obfuscation is very effective at bypassing protection controls because it changes the flow of the code.
Logic Structure Obfuscation
This type of obfuscation technique manipulates the execution paths of JavaScript code by changing the logic structure without affecting the original semantics.
There are two ways to implement logic structure obfuscation. The easiest one is to insert instructions that are independent of the functionality. The other one is to add or change conditional branches, such as if…else, switch…case, for, and while.
1. Conditional Branches

We can see that the payload highlighted above is executed once during code execution, but through a different logic flow. The antivirus therefore needs to anticipate both types of code, which is very hard because there are unlimited ways to achieve the same objective.
2. Independent Instruction
We insert some independent code that has nothing to do with the payload itself. The objective of executing the payload once during code execution is still the same.

Manipulating the code logic structure to achieve the same payload execution effectively bypasses the antivirus engine. It leaves the protection with only shallow detection confidence for blocking the malware.
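
From the detection side, the same point can be shown by comparing a text-based signature with a behavioural trace over both kinds of variant. This is an added example, not code from the original post; the inert `payload` stub, the three constructed samples and the function names are all assumptions made for illustration.

```javascript
// Constructed, inert samples. payload() is a stub standing in for whatever
// call an analyst treats as the behaviour of interest.
const samples = {
  original: 'payload("x");',
  // Conditional-branch variant: same call, reached through a loop and if/else.
  conditionalBranch: `
    for (let i = 0; i < 5; i++) {
      if (i === 3) { payload("x"); } else { continue; }
    }`,
  // Independent-instruction variant: unrelated statements around the same call.
  independentInstruction: `
    let junk = 0;
    for (let k = 0; k < 10; k++) { junk += k * 2; }
    const unused = String(junk).length;
    payload("x");`,
};

// Static check: whitespace-insensitive match against the known sample text.
const strip = (src) => src.replace(/\s+/g, "");
function matchesSignature(src, known = samples.original) {
  return strip(src) === strip(known);
}

// Behavioural check: run the script with a recording stub and return the
// sequence of payload calls. Only acceptable here because the samples are
// constructed and inert; untrusted script belongs in an isolated sandbox.
function traceBehaviour(src) {
  const calls = [];
  const stub = (...args) => { calls.push(args); };
  new Function("payload", src)(stub);
  return JSON.stringify(calls);
}

// Compare every sample against the original on both checks.
function compare() {
  const baseline = traceBehaviour(samples.original);
  return Object.entries(samples).map(([name, src]) => ({
    name,
    signatureHit: matchesSignature(src),
    sameBehaviour: traceBehaviour(src) === baseline,
  }));
}

console.table(compare());
```

Only the original matches the text signature, while all three samples produce the same call trace, which is why detection keyed to observed behaviour holds up better against logic structure changes than detection keyed to code shape.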