Researchers have documented specific obfuscation techniques that rely on metaprogramming, in particular template-based metaprogramming, by studying the Bazar (BazarLoader) malware family.
What is metaprogramming?
In metaprogramming, programs are written to examine or generate other code, either while they are compiled or at runtime. Template-based metaprogramming uses templates as models from which code is generated and reused.
Researchers found code patterns in BazarLoader and BazarBackdoor samples that match those produced by ADVobfuscator, an obfuscation library built on C++11/14 and metaprogramming.
The ADVobfuscator library relies on two header files, MetaRandom.h and MetaString.h.
The first generates a pseudo-random integer seed at compile time, which is then used to derive a key.
The second encrypts each string during compilation, selecting a new algorithm for it each time.
How do malware actors abuse it?
Malware authors use the metaprogramming technique to obfuscate important data and ensure that certain elements, such as encryption keys and code patterns, are created uniquely with each compilation.
This makes analysis challenging and makes static-detection signatures harder to write, because the encryption code changes with every compiled sample.
The main components of metaprogramming used for obfuscation are templates and constexpr functions. Put simply, a constexpr function's return value can be computed by the compiler at compile time.
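To make the mechanism concrete, here is an added illustration (not ADVobfuscator's own code, and not code from the Bazar samples) of the pattern described above: a seed derived from __TIME__ by constexpr code, a per-string key computed from it, and a string encoded into a char array by the compiler and decoded only where it is used. The seed and key functions, the ObfuscatedString class and the kSample string are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Hypothetical seed: built from __TIME__ so each compilation gets a new value.
// Simplified stand-in for what MetaRandom.h does, not its actual code.
constexpr std::uint32_t compile_time_seed() {
    return (__TIME__[0] - '0') * 36000u + (__TIME__[1] - '0') * 3600u
         + (__TIME__[3] - '0') * 600u + (__TIME__[4] - '0') * 60u
         + (__TIME__[6] - '0') * 10u + (__TIME__[7] - '0');
}

// Per-string key derived at compile time from the seed and a salt (the source line).
constexpr std::uint8_t derive_key(std::uint32_t seed, std::uint32_t salt) {
    return static_cast<std::uint8_t>((seed * 1103515245u + 12345u + salt) >> 16);
}

template <std::size_t N>
class ObfuscatedString {
public:
    // The constructor is evaluated by the compiler, so only the encoded
    // bytes and the key are emitted into the binary, never the plaintext.
    constexpr ObfuscatedString(const char (&src)[N], std::uint8_t key)
        : key_(key), data_{} {
        for (std::size_t i = 0; i < N; ++i)
            data_[i] = static_cast<char>(src[i] ^ key ^ static_cast<char>(i));
    }
    // Decoding runs at the point of use; this short loop, inlined next to
    // every string access, is the pattern an analyst learns to recognise.
    std::string decode() const {
        std::string out;
        for (std::size_t i = 0; i + 1 < N; ++i)
            out.push_back(static_cast<char>(data_[i] ^ key_ ^ static_cast<char>(i)));
        return out;
    }
    const char* raw() const { return data_; }
private:
    std::uint8_t key_;
    char data_[N];
};

// Constructed sample string (placeholder, not a real indicator).
constexpr char kSample[] = "example-config-string";
constexpr ObfuscatedString<sizeof(kSample)> kHidden(kSample, derive_key(compile_time_seed(), __LINE__));
// Runtime decode of the sample; returns the original plaintext.
std::string reveal_sample() { return kHidden.decode(); }
// True when the bytes stored in the binary differ from the plaintext.
bool sample_hidden_in_binary() { return std::memcmp(kHidden.raw(), kSample, sizeof(kSample)) != 0; }
```

Because the seed depends on the build time and the salt on the source line, the encoded bytes and key differ between builds and between strings, which is exactly why a byte-level signature on the encoded data does not carry across samples; the small decode loop itself is the stable artefact.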
The adoption of metaprogramming techniques in the Bazar malware family is concerning as the use of such techniques can allow attackers to avoid signature-based detection. However, a better understanding of these techniques may help malware reverse engineers create more efficient tools for analysis.