
Following the Obfuscation Trail: Identifying and Exploiting Obfuscation Signatures in Malicious Code

Foundations and Practice of Security, Pt I, FPS 2023 (2024)

Abstract
In this paper, we delve into the intricate world of dynamic code generation in script languages. One way that malicious code authors can evade detection through static analysis is using obfuscation and relying on dynamic code generation to deobfuscate the code at runtime. These obfuscation techniques can be highly intricate, involving numerous recursive “eval” calls to ultimately reveal the payload, or requiring the deobfuscation of separately generated code segments. This complexity presents significant challenges for researchers studying such code and for tools attempting static analysis. However, the very effort invested by attackers in obfuscation and the structures they create and reuse across attacks can also serve as a distinctive signature of the attacker. In this paper, we propose leveraging the structure of these obfuscation mechanisms as a similarity metric for malicious software. Our proposed method focuses on extracting obfuscation strategies, which we evaluate using two extensive datasets comprising over 30,000 phishing kits. Within these datasets, we identified approximately 18,000 instances of dynamically generated code, resulting in only 569 unique signatures. One notable advantage of our method compared to the state-of-the-art approaches is that it can extract a partial signature even if the deobfuscation process remains incomplete. Other methods heavily rely on the payload, rendering them inconclusive when the payload cannot be extracted.
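As an added illustration of the idea in the abstract (this is not code from the paper or its authors), the following Python walker peels nested eval() layers of a constructed PHP-style sample, records the decoder chain used at each layer as the structural signature, and stops with a partial signature when it meets a decoder it cannot emulate. The decoder table, the sample and all function names are assumptions made for this example.

```python
import base64
import codecs
import re

# Decoders we can emulate statically (assumed subset). Anything not listed stops
# the walk, which is the "partial signature" case described in the abstract.
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_rot13": lambda s: codecs.encode(s, "rot13"),
    "strrev": lambda s: s[::-1],
}

# Matches eval(f1(f2(...("literal")...))) with one quoted literal at the core.
EVAL_RE = re.compile(r"eval\(\s*((?:\w+\(\s*)+)[\"']([^\"']*)[\"']\s*\)+")


def extract_signature(code, max_depth=20):
    """Return (signature, complete). signature is the ordered list of decoder
    chains, one tuple per eval layer, outermost first; complete is False when
    an unknown or failing decoder cut the walk short."""
    signature = []
    for _ in range(max_depth):
        m = EVAL_RE.search(code)
        if not m:
            return signature, True            # no further eval: payload reached
        chain = tuple(re.findall(r"\w+", m.group(1)))   # outer-to-inner names
        signature.append(chain)
        data = m.group(2)
        for name in reversed(chain):          # apply the innermost decoder first
            fn = DECODERS.get(name)
            if fn is None:
                return signature, False       # cannot emulate: partial signature
            try:
                data = fn(data)
            except Exception:
                return signature, False       # malformed data: partial signature
        code = data                           # descend into the generated code
    return signature, False


def signature_key(signature):
    """Flatten a signature into a string usable as a clustering key."""
    return ">".join("+".join(chain) for chain in signature)


def build_sample():
    """Constructed three-layer sample; the innermost decoder is deliberately
    one the walker does not know, so the result is a partial signature."""
    l3 = 'eval(unknown_decode("ZZZ"));'
    inner = base64.b64encode(l3.encode()).decode()
    l2 = 'eval(base64_decode(str_rot13("%s")));' % codecs.encode(inner, "rot13")
    return 'eval(base64_decode("%s"));' % base64.b64encode(l2.encode()).decode()
```

Two samples that share the same key cluster together even when neither payload was fully recovered.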
Keywords
Deobfuscation, Static Analysis, Dataflow