Giulio Barabino
Giulio Barabino is a Master's student in the Cloud & Cybersecurity curriculum at the University of Modena and Reggio Emilia, currently writing his thesis entitled 'LLVM powered Adversary Emulation'. He holds a bachelor's degree from the same university.
Session
One of the most challenging aspects of adversary emulation is replicating the custom implants used by threat actors. To accurately assess security measures, emulated implants must not only mimic functionalities and quirks but also reproduce the obfuscation techniques of the original malware. This talk presents our re-implementation of APT41’s Scatterbrain obfuscator, including instruction dispatchers that disrupt control flow and import protection mechanisms leveraging Linear Congruential Generator (LCG)-based encryption.
To validate our approach, we tested our sample against Mandiant's deobfuscation tool for the original Scatterbrain. The results demonstrated that our re-implementation could be correctly deobfuscated, confirming its accuracy. We then took this a step further: by slightly modifying the obfuscation, we successfully broke the deobfuscator's heuristics, creating a variant that required new tools to analyze while still maintaining strong structural similarity to the original.