In a blog post, Ned Andonov, a WordPress security expert at Wordfence, shares details about a simple but effective obfuscation technique which, due to its unique characteristics, doesn’t carry any of the usual detectable patterns.
“The code abstraction looked almost perfect, each class method was well commented, the business logic looked reasonable, and the code was following the latest code quality standards,” writes Andonov.
In fact, Andonov admits that the malware-generating code was so well-written that it would take a seasoned security analyst to notice anything suspicious about it.
Malware in code
Breaking down the code, Andonov says that while many of the methods look legitimate, the first thing that struck him as odd was the $indicies variable.
“This function is actually using a standard for loop to generate commonly used suspicious functions while evading detection and is the most obviously obfuscated portion of the code,” writes Andonov.
And that’s not all. The code also extracts compressed malware from inside a PNG image.
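As an added example (not code from Andonov's post or from Wordfence), here is a defender-side check for the PNG trick described above: walk the chunk list and flag bytes appended after IEND, chunk types outside the PNG specification, or CRC mismatches. The two sample images are constructed inline; the "stashed" one carries a harmless zlib-compressed placeholder after IEND.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a closer look.
KNOWN = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
         "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME"}

def _inflates(blob: bytes) -> bool:
    """True if the bytes form a complete zlib stream (a compressed payload)."""
    try:
        zlib.decompress(blob)
        return True
    except zlib.error:
        return False

def scan_png(data: bytes) -> dict:
    """Walk the chunk list and report the places a payload could be hiding."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks, bad_crc, end = len(PNG_SIG), [], [], None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # truncated chunk; stop rather than read past the end
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        name = ctype.decode("latin-1")
        chunks.append(name)
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            bad_crc.append(name)  # edited chunk body without a recomputed CRC
        pos += 12 + length
        if name == "IEND":
            end = pos  # everything after this offset is invisible to viewers
            break
    trailing = data[end:] if end is not None else b""
    return {"chunks": chunks, "unknown_chunks": [c for c in chunks if c not in KNOWN],
            "bad_crc": bad_crc, "trailing_bytes": len(trailing),
            "trailing_is_zlib": _inflates(trailing)}

def is_suspicious(report: dict) -> bool:
    return bool(report["trailing_bytes"] or report["unknown_chunks"] or report["bad_crc"])

def _chunk(name: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + name + body + struct.pack(">I", zlib.crc32(name + body))

# Constructed 1x1 RGB image used as the clean sample.
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")) + _chunk(b"IEND", b""))
# Constructed stand-in for the technique in the post: a compressed blob after IEND.
STASHED_PNG = CLEAN_PNG + zlib.compress(b"CONSTRUCTED PLACEHOLDER PAYLOAD " * 4)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("stashed", STASHED_PNG)):
        report = scan_png(blob)
        print(label, "suspicious" if is_suspicious(report) else "ok", report)
```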
Andonov opines that the malware is professionally written and contains “a collection of remote commands including code execution, updates, and files access.”
Analyzing the psychological underpinnings of the technique used by the attacker, he refers to the work of Nobel-winning psychiatrist Daniel Kahneman, to conclude that a routine gaze at the code wouldn’t trip the sensors of an inexperienced analyst who would have no reason to suspect that the code deserves a closer look.
“Analysts would also do well to keep their System 2 mind engaged, as Kahneman would put it, when analyzing suspected malware,” concludes Andonov.