DUBAI, DUBAI, UNITED ARAB EMIRATES, June 18, 2024 /EINPresswire.com/ -- ANY.RUN, a leading provider of cybersecurity solutions, has published research on the use of two popular code protectors, Themida and VMProtect, in malware, and on how effective they are in practice at concealing malicious functionality.

Themida and VMProtect in Malware

Malware authors often employ protectors like Themida and VMProtect in an attempt to prevent analysts from reverse engineering malicious code.

These protectors give malware developers a set of sophisticated techniques for hiding malicious functionality, including code virtualization, obfuscation, anti-debugging, compression, and encryption. Not every protected binary uses all of them: each feature is a build-time option, and the analysis cost of a sample depends on which ones the author actually enabled.

Analysis of Protected Malware Samples by the ANY.RUN Team

The research team at ANY.RUN analyzed six samples from different malware families that use Themida and VMProtect. The analysts found that none of the samples used code virtualization, making the analysis process much simpler.

Only one sample had anti-debugging enabled, and the malware code itself was largely unprotected: the protector added nothing beyond an initial compression and encryption layer that is unpacked in memory at runtime. This enabled the team to extract crucial information from the samples' code, including command-and-control (C2) addresses, important strings, and other indicators.

Implications for Cybersecurity Professionals

The research findings highlight a clear trend: the malware families examined skip the protectors' strongest feature, code virtualization, which makes reverse engineering significantly easier. In essence, these families use Themida and VMProtect as basic packers, and once the compressed or encrypted payload is unpacked in memory, the protector provides minimal obstruction to analysis.
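The practical consequence of the findings above is that a first-pass triage can often tell a "protector used as a packer" apart from a genuinely virtualized build before any dynamic analysis starts. The script below is an added example written for this page and is not ANY.RUN's code or part of the published research. It parses the PE section table by hand (no third-party PE library), flags protector-specific section names, and measures Shannon entropy per section: a protected sample whose only high-entropy regions are the protector's own sections, while the original code sections are absent or empty, is consistent with the compress-and-encrypt-only usage the research describes. The section-name prefixes (".vmp" for VMProtect, ".themida" for Themida) are commonly reported defaults and are treated here as heuristics, not as a reliable signature; the sample PE is constructed inline so the code runs offline.

```python
"""Static triage for protector usage in a PE file: section names plus per-section entropy.
Added example for this page; not ANY.RUN's code. Section-name hints are heuristics."""
import math
import random
import struct
from collections import Counter

# Heuristic defaults (assumption): VMProtect emits .vmp0/.vmp1/..., Themida emits .themida.
PROTECTOR_SECTION_HINTS = {".vmp": "VMProtect", ".themida": "Themida"}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data typically sits above this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for uniform data, ~8.0 for random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table, returning name/size/entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]          # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                   # section table follows optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                           # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def triage(pe: bytes, threshold: float = HIGH_ENTROPY) -> dict:
    """Guess the protector from section names and list sections that look compressed/encrypted."""
    sections = parse_sections(pe)
    protectors = set()
    for s in sections:
        for prefix, product in PROTECTOR_SECTION_HINTS.items():
            if s["name"].lower().startswith(prefix):
                protectors.add(product)
    packed = [s["name"] for s in sections if s["raw_size"] > 0 and s["entropy"] >= threshold]
    return {"protectors": sorted(protectors), "high_entropy_sections": packed, "sections": sections}


def build_sample_pe(section_specs: list) -> bytes:
    """Constructed minimal PE32 image (headers + sections) used only as offline test input."""
    file_align, opt_size = 0x200, 0xE0
    align = lambda n, a=file_align: (n + a - 1) // a * a
    headers_size = align(0x40 + 4 + 20 + opt_size + 40 * len(section_specs))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    table, bodies, raw_ptr, va = b"", b"", headers_size, 0x1000
    for name, data in section_specs:
        raw_size = align(len(data))
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += align(len(data), 0x1000)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(headers_size, b"\0") + bodies


# Constructed sample: a tiny plain-code section plus two high-entropy "VMProtect" sections,
# mimicking a binary whose payload is merely compressed/encrypted by the protector.
_rng = random.Random(1337)
SAMPLE_PE = build_sample_pe([
    (".text", b"\x90" * 512 + b"\xC3"),
    (".vmp0", _rng.randbytes(4096)),
    (".vmp1", _rng.randbytes(4096)),
])

if __name__ == "__main__":
    result = triage(SAMPLE_PE)
    print("protector hints:", result["protectors"])
    print("high-entropy sections:", result["high_entropy_sections"])
    for s in result["sections"]:
        print(f"  {s['name']:<8} raw={s['raw_size']:>6}  entropy={s['entropy']}")
```

Read the output the way the research reads its samples: a hit in `protectors` only says the protector is present, while the entropy column says where the protector actually did work. Payload recovery for this class of sample then reduces to letting the stub run its decompression/decryption layer and dumping the resulting image, after which strings and C2 addresses are visible in the clear; a sample with virtualization enabled would instead show protected code that stays opaque even after unpacking, which this static check cannot detect on its own.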

Learn more details about the research on ANY.RUN’s blog.

About ANY.RUN

ANY.RUN's suite of cybersecurity products includes an interactive sandbox and a Threat Intelligence portal. Serving 400,000 professionals around the world, the sandbox offers a streamlined approach to analyzing malware families that target both Windows and Linux systems. Meanwhile, ANY.RUN's Threat Intelligence services, which include Lookup, Feeds, and YARA Search, enable users to quickly gather information about threats and respond to incidents with greater speed and precision.