Themida and VMProtect-Protected Malware Can Be Analyzed to Expose Its Crucial Information
DUBAI, DUBAI, UNITED ARAB EMIRATES, June 18, 2024 /EINPresswire.com/ -- ANY.RUN, a leading provider of cybersecurity solutions, published research on the use of the popular code protectors Themida and VMProtect in malware and their effectiveness in concealing malicious functionality.
Themida and VMProtect in Malware
Malware authors often employ protectors like Themida and VMProtect in an attempt to prevent analysts from reverse engineering malicious code.
These protectors allow malware developers to use sophisticated techniques to hide malicious functionality, including through code virtualization, obfuscation, anti-debugging, compression, and encryption.
Analysis of Protected Malware Samples by ANY.RUN Team
The research team at ANY.RUN analyzed six samples from different malware families that use Themida and VMProtect. The analysts found that none of the samples used code virtualization, making the analysis process much simpler.
Only one sample had anti-debugging enabled, and the malware code itself was largely unprotected, except for the initial stages of compression and decryption. This enabled the team to extract crucial information from the malware samples' code, including command-and-control (C2) addresses, important strings, etc.
Implications for Cybersecurity Professionals
The research findings highlight a clear trend: most malware families overlook crucial features like virtualization, making reverse engineering significantly easier. In essence, these families use protectors as basic packers, providing minimal obstruction to analysis.
Learn more details about the research on ANY.RUN's blog.
About ANY.RUN
ANY.RUN's suite of cybersecurity products includes an interactive sandbox and a Threat Intelligence portal. Serving 400,000 professionals around the world, the sandbox offers a streamlined approach to analyzing malware families that target both Windows and Linux systems. Meanwhile, ANY.RUN's Threat Intelligence services, which include Lookup, Feeds, and YARA Search, enable users to quickly gather information about threats and respond to incidents with greater speed and precision.
Veronika Trifonova
ANYRUN FZCO
+1 657-366-5050