2025-06-28, Grand Salon
One of the most challenging aspects of adversary emulation is replicating the custom implants used by threat actors. To accurately assess security measures, emulated implants must not only mimic functionalities and quirks but also reproduce the obfuscation techniques of the original malware. This talk presents our re-implementation of APT41’s Scatterbrain obfuscator, including instruction dispatchers that disrupt control flow and import protection mechanisms leveraging Linear Congruential Generator (LCG)-based encryption.
To validate our approach, we tested our sample against Mandiant’s deobfuscation tool for the original Scatterbrain. The results demonstrated that our re-implementation could be correctly deobfuscated, confirming its accuracy. However, we took this a step further—by slightly modifying the obfuscation, we successfully broke the deobfuscator’s heuristics, creating a variant that required new tools to analyze while still maintaining strong structural similarity to the original.
Validating an organization’s defenses increasingly involves adversary emulation—replicating attacker behavior to learn from past and present threats. In this context, malware emulation remains a significant challenge, as achieving true realism requires mimicking not just functionality but also quirks and network protocols. It’s not just about triggering alerts; it’s about assessing how defenses and analysts react to a near-perfect replica. This level of accuracy is what distinguishes effective emulation from mere simulation. But what happens when the malware being emulated is heavily obfuscated and belongs to an APT?
Obfuscation is a core technique used by malware to conceal its true intentions, forcing analysts and defenders to navigate through complex layers before uncovering its real behavior. Despite its critical role, this aspect is often overlooked, primarily due to the difficulty of accessing the original obfuscation methods. However, studying and replicating these techniques can provide invaluable insights for both offensive and defensive security.
Our emulation of APT41's Scatterbrain, the obfuscator recently analyzed by Mandiant and applied to the group's implants, successfully replicates several key techniques:
- The instruction dispatcher splits executable code into disjoint basic blocks, each ending in a uniquely crafted dispatcher routine that decodes an adjacent 32-bit operand through a varying sequence of arithmetic and bitwise operations. The decoded value is the offset to the next block to execute, which defeats control-flow reconstruction by conventional binary analysis frameworks.
- The import protection layer hides the binary's dependencies behind dedicated stub dispatchers. Each import becomes a unique structure referencing its encrypted DLL and API values, and every stub invokes a resolver routine that decrypts that data at run time with an LCG-based pseudo-random generator keyed with sample-specific values. Although the original malware most likely relies on a proprietary obfuscation framework, we developed an LLVM-based solution using custom compiler passes that transform the code at the IR level.
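As an added illustration of the import-protection scheme described above (example code written for this page, not RETooling's LLVM passes and not code from the original Scatterbrain sample), the C program below builds a per-import structure holding an encrypted DLL and API name and a resolver that decrypts them with an LCG keystream under a sample-specific seed. The LCG constants, the structure layout, the API_SEED_TWEAK derivation, the seed value and the in-process export table standing in for LoadLibrary/GetProcAddress are all assumptions made for this demonstration; the original sample's parameters are not given on this page.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 32-bit LCG with the Numerical Recipes constants. The real sample's
 * multiplier, increment and seeds are not on this page: assumption. */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state;
}
/* XOR with an LCG keystream; symmetric, so one routine encrypts and decrypts.
 * Only the high byte is used: the low bits of a 2^32-modulus LCG have tiny periods. */
static void lcg_crypt(uint32_t seed, uint8_t *buf, size_t len)
{
    uint32_t st = seed;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(lcg_next(&st) >> 24);
}

#define NAME_MAX 32
#define API_SEED_TWEAK 0xA5A5A5A5u  /* hypothetical: derives the API-name stream */

/* Per-import structure a stub dispatcher references. Layout is a hypothetical
 * one for this example; each entry carries its own sample-specific seed. */
typedef struct {
    uint32_t seed;
    uint8_t  dll[NAME_MAX];
    uint8_t  api[NAME_MAX];
} protected_import_t;

/* Constructed stand-in for LoadLibrary/GetProcAddress so this runs offline. */
typedef int (*api_fn)(int);
static int demo_add_one(int x) { return x + 1; }
static int demo_double(int x)  { return x * 2; }
static const struct { const char *dll, *api; api_fn fn; } fake_exports[] = {
    { "kernel32.dll", "AddOne", demo_add_one },
    { "ntdll.dll",    "Double", demo_double  },
};

/* Obfuscator side: build one protected entry from plaintext names. */
protected_import_t protect_import(uint32_t seed, const char *dll, const char *api)
{
    protected_import_t e;
    memset(&e, 0, sizeof e);
    e.seed = seed;
    strncpy((char *)e.dll, dll, NAME_MAX - 1);
    strncpy((char *)e.api, api, NAME_MAX - 1);
    lcg_crypt(seed, e.dll, NAME_MAX);
    lcg_crypt(seed ^ API_SEED_TWEAK, e.api, NAME_MAX);
    return e;
}

/* Resolver every stub calls: decrypt into stack buffers, look the names up and
 * wipe the plaintext (a real implant needs a memset the compiler cannot elide). */
api_fn resolve_import(const protected_import_t *e)
{
    uint8_t dll[NAME_MAX], api[NAME_MAX];
    api_fn found = NULL;
    memcpy(dll, e->dll, NAME_MAX);
    memcpy(api, e->api, NAME_MAX);
    lcg_crypt(e->seed, dll, NAME_MAX);
    lcg_crypt(e->seed ^ API_SEED_TWEAK, api, NAME_MAX);
    dll[NAME_MAX - 1] = api[NAME_MAX - 1] = 0;
    for (size_t i = 0; i < sizeof fake_exports / sizeof fake_exports[0]; i++)
        if (!strcmp((char *)dll, fake_exports[i].dll) && !strcmp((char *)api, fake_exports[i].api))
            found = fake_exports[i].fn;
    memset(dll, 0, NAME_MAX);
    memset(api, 0, NAME_MAX);
    return found;  /* NULL when the names do not resolve */
}

/* Analyst-side check: does the API name survive anywhere in the stored blob? */
int plaintext_visible(const protected_import_t *e, const char *api)
{
    size_t n = strlen(api);
    for (size_t i = 0; i + n <= NAME_MAX; i++)
        if (memcmp(e->api + i, api, n) == 0) return 1;
    return 0;
}

/* Demo entry points: call through a protected entry (-1 when the stub would
 * fail), optionally with a corrupted key; and test for leaked plaintext. */
int demo_call(uint32_t seed, const char *dll, const char *api, int x, int tamper_seed)
{
    protected_import_t e = protect_import(seed, dll, api);
    if (tamper_seed) e.seed = ~e.seed;
    api_fn f = resolve_import(&e);
    return f ? f(x) : -1;
}
int demo_leaks(uint32_t seed, const char *api)
{
    protected_import_t e = protect_import(seed, "kernel32.dll", api);
    return plaintext_visible(&e, api);
}

int main(void)
{
    printf("AddOne(41) through the stub = %d\n", demo_call(0x1234567u, "kernel32.dll", "AddOne", 41, 0));
    printf("tampered seed -> %d, unknown API -> %d, plaintext visible -> %d\n",
           demo_call(0x1234567u, "kernel32.dll", "AddOne", 41, 1),
           demo_call(0x1234567u, "kernel32.dll", "Nope", 41, 0), demo_leaks(0x1234567u, "AddOne"));
    return 0;
}
```

The point for an analyst is in the last two checks: with a per-entry seed, neither the DLL nor the API name is recoverable from the structure by string search, and a wrong key does not produce a partially right name, so recovering imports requires either emulating the resolver or re-implementing the generator with the sample's own parameters.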
To ensure the accuracy of our re-implementation, we tested our generated sample against Mandiant’s publicly available deobfuscator for the original Scatterbrain implant. The results confirmed that our sample could be correctly deobfuscated using the tool, proving that we had accurately replicated Scatterbrain’s obfuscation techniques.
The talk describes the challenges we faced during the implementation and explains why IR-level modifications alone were not sufficient to reproduce the original obfuscator. In the final part, we detail how we broke the deobfuscator's heuristics: modifying our obfuscator just enough to defeat them while remaining structurally and behaviorally close to the original implementation. This demonstrates how small modifications can render standard analysis tools ineffective, underscoring the challenges defenders face when dealing with well-crafted obfuscation techniques.
To make it more fun, we will run a couple of live demos against the deobfuscator to show our results.
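As an added example (not the authors' obfuscator and not Mandiant's deobfuscator), the C code below models the instruction dispatcher from the first bullet above and the "small modification" of this paragraph. Each block ends in a dispatcher whose 32-bit operand is decoded by a per-dispatcher chain of XOR/ADD/SUB/rotate steps; two control-flow recovery strategies are then compared: a template matcher that only knows the two step sequences the original obfuscator emits, and an emulation-based recovery that executes whatever sequence is present. Splitting one XOR into two XORs with the same combined value (identical behaviour, near-identical structure) is enough to defeat the matcher while emulation still recovers every edge. The micro-op set, templates, constants and the four-block toy program are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

static uint32_t rotl32(uint32_t v, uint32_t r) { r &= 31; return r ? (v << r) | (v >> (32 - r)) : v; }
static uint32_t rotr32(uint32_t v, uint32_t r) { r &= 31; return r ? (v >> r) | (v << (32 - r)) : v; }
/* Hypothetical micro-op set a dispatcher chains to decode its 32-bit operand. */
typedef enum { OP_XOR, OP_ADD, OP_SUB, OP_ROTL, OP_ROTR } op_t;
typedef struct { op_t op; uint32_t imm; } step_t;
typedef struct { step_t s[6]; int n; } recipe_t;

/* forward=1: what the CPU computes at run time. forward=0: the obfuscator's
 * inverse, each step undone in reverse order, so decode(encode(off)) == off. */
uint32_t apply_recipe(const recipe_t *r, uint32_t v, int forward)
{
    for (int j = 0; j < r->n; j++) {
        int i = forward ? j : r->n - 1 - j;
        uint32_t k = r->s[i].imm;
        switch (r->s[i].op) {
        case OP_XOR:  v ^= k; break;
        case OP_ADD:  v = forward ? v + k : v - k; break;
        case OP_SUB:  v = forward ? v - k : v + k; break;
        case OP_ROTL: v = forward ? rotl32(v, k) : rotr32(v, k); break;
        case OP_ROTR: v = forward ? rotr32(v, k) : rotl32(v, k); break;
        }
    }
    return v;
}
#define dispatch_decode(r, enc) apply_recipe((r), (enc), 1)
#define dispatch_encode(r, off) apply_recipe((r), (off), 0)

/* A basic block: its work, the dispatcher recipe that ends it and the encoded
 * signed offset (in blocks) to its successor. A NULL body is the terminator. */
typedef int (*body_fn)(int);
typedef struct { body_fn body; recipe_t recipe; uint32_t enc_off; } block_t;
int run_program(const block_t *b, int entry, int x)
{
    for (int pc = entry; b[pc].body; ) {
        x = b[pc].body(x);
        pc += (int32_t)dispatch_decode(&b[pc].recipe, b[pc].enc_off);
    }
    return x;
}

/* Template matcher: knows only the two sequences the original obfuscator emits. */
int heuristic_successor(const block_t *b, int idx, int *succ)
{
    const recipe_t *r = &b->recipe;
    if (r->n == 2 && r->s[0].op == OP_XOR && r->s[1].op == OP_ADD)
        *succ = idx + (int32_t)((b->enc_off ^ r->s[0].imm) + r->s[1].imm);
    else if (r->n == 2 && r->s[0].op == OP_ROTL && r->s[1].op == OP_SUB)
        *succ = idx + (int32_t)(rotl32(b->enc_off, r->s[0].imm) - r->s[1].imm);
    else
        return 0;  /* unknown dispatcher shape: edge not recovered */
    return 1;
}
/* Emulation-based recovery: execute whatever sequence is present. */
int emulated_successor(const block_t *b, int idx, int *succ)
{ *succ = idx + (int32_t)dispatch_decode(&b->recipe, b->enc_off); return 1; }

/* Constructed program f(x) = (x + 3) * 2 - 1, laid out out of order. */
static int add3(int x) { return x + 3; }
static int dbl(int x)  { return x * 2; }
static int sub1(int x) { return x - 1; }
enum { IDX_SUB1 = 0, IDX_END = 1, IDX_ADD3 = 2, IDX_DBL = 3, NBLOCKS = 4 };

/* Fill the block table and return the entry index. With `variant` set, the first
 * template's XOR is split into two XORs of the same combined value. */
int build_program(block_t *b, int variant)
{
    recipe_t t1  = { { {OP_XOR, 0xDEADBEEFu}, {OP_ADD, 0x1000u} }, 2 };
    recipe_t t1v = { { {OP_XOR, 0xDEAD0000u}, {OP_XOR, 0xBEEFu}, {OP_ADD, 0x1000u} }, 3 };
    recipe_t t2  = { { {OP_ROTL, 13u}, {OP_SUB, 0x5555u} }, 2 };
    if (variant) t1 = t1v;
    b[IDX_ADD3].body = add3; b[IDX_ADD3].recipe = t1;
    b[IDX_DBL].body  = dbl;  b[IDX_DBL].recipe  = t2;
    b[IDX_SUB1].body = sub1; b[IDX_SUB1].recipe = t1;
    b[IDX_END].body  = NULL; b[IDX_END].recipe  = t2; b[IDX_END].enc_off = 0;
    b[IDX_ADD3].enc_off = dispatch_encode(&t1, (uint32_t)(IDX_DBL  - IDX_ADD3));
    b[IDX_DBL].enc_off  = dispatch_encode(&t2, (uint32_t)(IDX_SUB1 - IDX_DBL));
    b[IDX_SUB1].enc_off = dispatch_encode(&t1, (uint32_t)(IDX_END  - IDX_SUB1));
    return IDX_ADD3;
}

/* Entry points: run the protected program; count how many of its three real
 * edges a recovery strategy gets right (emulate=0: template matcher). */
int demo_run(int variant, int x) { block_t b[NBLOCKS]; int e = build_program(b, variant); return run_program(b, e, x); }
int demo_recovered(int variant, int emulate)
{
    block_t b[NBLOCKS];
    int ok = 0, s = 0;
    build_program(b, variant);
    for (int i = 0; i < NBLOCKS; i++) {
        int truth = i + (int32_t)dispatch_decode(&b[i].recipe, b[i].enc_off);
        int got = emulate ? emulated_successor(&b[i], i, &s) : heuristic_successor(&b[i], i, &s);
        if (b[i].body && got && s == truth) ok++;
    }
    return ok;
}
```

demo_run and demo_recovered are the entry points to call from a main(): demo_run(0, 5) and demo_run(1, 5) both compute 15, the matcher recovers 3 of 3 edges on the original layout but only 1 of 3 on the variant (the lone ROTL/SUB dispatcher), and emulation recovers 3 of 3 on both. The variant changes no runtime behaviour and no block layout; it only changes the shape of the instruction sequence a signature-driven tool expects, which is the kind of small modification the paragraph above describes.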
This level of accuracy extends beyond traditional adversary emulation and approaches the complexity of false-flag operations.
As Co-Founder of RETooling, Antonio Villani dedicates his full attention to developing red-team artifacts, including the adversary emulation library. His current work builds upon a career primarily spent on the blue-team side, where he specialized in reversing sophisticated implants and delivering crucial insights to cyber-defense and threat intelligence teams. Antonio now leverages this deep understanding to meticulously analyze complex implants, dissecting TTPs for high-quality reimplementation. He also actively contributes to the cybersecurity community by instructing on advanced malware development (MalOpSec classes) at top security conferences. His academic background includes a PhD focused on malware research and digital forensics.
Giulio Barabino is a Master's student in the Cloud & Cybersecurity curriculum at the University of Modena and Reggio Emilia, currently writing his thesis, entitled 'LLVM powered Adversary Emulation'. He holds a bachelor's degree from the same university.
Silvio La Porta is CEO and Co-Founder at RETooling, where he defines and develops a threat-actor emulation platform that enables red teams to recreate realistic attack scenarios. Previously he was a Senior Cyber Security Architect designing security products and researching advanced detection technology for complex malware/APTs. Before that, Silvio was a lead research scientist with EMC Research Europe, based in the Centre of Excellence in Cork, Ireland. His primary research focus areas were real-time network monitoring and data analysis in smart grids to detect malware activity in SCADA systems and corporate networks. He also led Security Service Level Agreement (Sec-SLA) and end-user security/privacy-protected data store projects for hybrid cloud environments. He is a frequent speaker at professional and industry conferences. Before joining EMC, Silvio worked as a Malware Reverse Engineer in Symantec's Security Response team in Dublin, Ireland. Silvio holds a PhD in Computer Network Security from the University of Pisa, Italy.