Home / Companies / Crowdstrike / Blog / Post Details
Content Deep Dive

Ploutus ATM Malware Case Study: Automated Deobfuscation of a Strongly Obfuscated .NET Binary

Blog post from Crowdstrike

Post Details
Company
Date Published
Author
Ploutus
Word Count
4,448
Company Posts That Month
Language
English
Hacker News Points
-
Post removed?
No
Summary

The article delves into the challenges of analyzing Ploutus ATM malware, which targets ATMs for jackpotting attacks, using sophisticated obfuscation techniques implemented with the .NET framework. Ploutus employs commercial obfuscators like .NET Reactor to complicate the analysis by encrypting method bodies, utilizing control-flow obfuscation, and employing a technique called method body encryption to hinder decompilation efforts. This encryption is particularly challenging due to the use of runtime-generated keys and constants, making static analysis difficult without executing the malware. The article provides insights into the process of deobfuscating this type of malware, emphasizing the need for a strong understanding of .NET internals and the use of dynamic analysis tools such as dnSpy to extract necessary decryption keys and constants. Despite the obstacles presented by the obfuscation, it is possible to create a deobfuscator that can restore the original method bodies, allowing for a more thorough analysis of the malware's functionality.

Trends Found in this Post
Trend Post Mentions Total Month Mentions Posts Companies MoM
AI Agents 2 2,394 1,321 1 -
Zero Trust 1 1,843 1,331 3 +61333%
Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.