Just after we published a blog about a 64-bit obfuscator, we very quickly discovered another malware family following the same trend. Claretore is also using two-layer 64-bit obfuscation, although it does it a little differently from Ursnif.
The first layer simply decrypts the code of the second layer and passes it control. There’s even a 64-bit anti-emulation trick used in the first layer.
The code snippet is depicted in Figure 1. It calls the GetBkColor() API with a bogus parameter (0x3c2c3f2 as hdc in this case) and then checks whether register r9b (the lowest byte of register r9) has its lowest 2 bits set after the API call.
Figure 1: Code snippet of the 1st layer
Note: On a 64-bit architecture, r9 may be used to pass the fourth integer parameter to a function.
On 64-bit versions of Windows 7, register r9 is used to store the return value temporarily as a side effect in this API. See Figure 2 below.
Figure 2: Code snippet from GetBkColor()
The second layer decrypts and loads a 64-bit PE file in memory. The loaded 64-bit PE file is detected as Trojan:Win64/Claretore.A.
So, thinking back to Ursnif, we have two families aiming to accomplish the same goal – avoiding detection and removal and getting the opportunity to run their payload – but going about it in quite different ways. This is just another example illustrating how malware authors are now specifically targeting 64-bit systems with their obfuscation.