3. Custom Encoding/Encryption
Sometimes, attackers use custom encoding/encryption schemes, which makes it difficult to identify the crypto (and the key), and it also makes reverse engineering harder. One of the custom encoding methods is to use a combination of encoding and encryption to obfuscate the data; an example of such a malware is Etumbot (https://www.arbornetworks.com/blog/asert/illuminating-the-etumbot-apt-backdoor/). The Etumbot malware sample, when executed, obtains the RC4
key from the C2 server; it then uses the obtained RC4
key to encrypt the system information (such as hostname, username, and IP address), and the encrypted content is further encoded using custom Base64
and exfiltrated to the C2. The C2 communication containing the obfuscated content is shown in the following screenshot. For reverse engineering details of this sample, refer to the Author's presentation and the video demo (https://cysinfo.com/12th-meetup-reversing-decrypting-malware-communications/):
To deobfuscate...