Obfuscated Files or Information: Dynamic API Resolution

Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.

API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.[1][2]

To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to Software Packing, dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.

Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as GetProcAddress() and LoadLibrary(). These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of Deobfuscate/Decode Files or Information during execution).[3][4][1]

ID: T1027.007
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Windows
Version: 1.0
Created: 22 August 2022
Last Modified: 23 August 2022

Procedure Examples

ID Name Description
S1053 AvosLocker

AvosLocker has used obfuscated API calls that are retrieved by their checksums.[5]

S0534 Bazar

Bazar can hash then resolve API calls at runtime.[6][7]

S1063 Brute Ratel C4

Brute Ratel C4 can call and dynamically resolve hashed APIs.[8]

G0032 Lazarus Group

Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.[9]

S0147 Pteranodon

Pteranodon can use a dynamic Windows hashing algorithm to map API components.[10]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0022 File File Metadata

Depending on the method used to obfuscate API function calls, a file-based signature may be capable of detecting dynamical resolution.[1][3][11]

DS0011 Module Module Load

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated API function calls. Dynamic malware analysis may also expose signs of function obfuscation, such as memory reads that correspond to addresses of API function code within modules.[3]

DS0009 Process OS API Execution

Monitor and analyze calls to functions such as GetProcAddress() and LoadLibrary() that are associated with dynamically loading API functions.[1]

References