A new SysUpdate malware variant targeting Linux systems has surfaced, notable for the encryption it applies to its command-and-control (C2) traffic. Security teams discovered the suspicious Linux binary in a client's environment during a Digital Forensics and Incident Response (DFIR) engagement. The sample is a packed ELF64 executable with no section header, wrapped in an unidentified obfuscating packer, which makes conventional analysis techniques difficult to apply.

When run without specific arguments, the threat poses as a legitimate system service and performs reconnaissance with the GNU/Linux id command to gather system information before establishing encrypted network communications over several protocols. After dynamic analysis and a review of endpoint detection telemetry, LevelBlue analysts identified strong indicators linking the sample to a new version of SysUpdate.

Extensive reverse engineering allowed the researchers to confirm this attribution with high confidence. The malware's C++ codebase encrypts its C2 traffic with an intricate cryptographic routine, which makes network-based detection and traffic analysis extremely difficult. Rather than fully reverse engineering that algorithm, the researchers built specialized tooling on the Unicorn Engine emulation framework to decrypt the malware's communications.

According to LevelBlue researchers, the decryption tool was developed during an ongoing incident investigation, demonstrating how quickly such tooling can be produced in practice. The technique extracts machine-code bytes, CPU register states, global data structures, and heap values from the malware sample at runtime.

Figure: Generation of keys (Source: LevelBlue)

By mimicking the malware's key generation and encryption routines, analysts were able to decrypt intercepted C2 traffic and recover the plaintext communications.

Figure: Key data that has been encrypted (Source: LevelBlue)

The approach uses Rust-based Unicorn Engine bindings to emulate the x86-64 assembly code without fully reverse engineering the intricate cryptographic implementation, Binary Ninja for static analysis, and GDB for dynamic debugging.

Methodology and Development of Decryption Tools

Using CPU emulation, the decryption tool turns the malware's own cryptographic routines against it.

The researchers developed two distinct emulators that operate in tandem: one performs decryption, processing data in 8-byte blocks with XOR operations combined with an as-yet-unidentified encryption algorithm; the other reproduces key generation, processing the hardcoded plaintext encryption key recovered from the malware's heap memory.

Figure: Layer of emulation (Source: LevelBlue)

The emulation environment replicates the relevant parts of the malware's process space: stack addresses, heap structures, the data segment holding the cryptographic constants, and the code segment holding the encryption routines. By extracting the new encryption key from subsequent variants, security teams can apply this method to decrypt C2 traffic from any sample in this malware family.

Organizations should deploy endpoint detection that watches for packed ELF executables exhibiting suspicious system-service behavior.

Even where immediate decryption is not possible, security teams should use network traffic analysis to identify patterns in the encrypted communications. Incident response plans should include rapid malware emulation and reverse engineering capabilities so that bespoke decryption tools can be built while investigations are still under way.
