Researchers Uncover Infrastructure and TTPs Behind ALCATRAZ Malware
Elastic Security Labs has recently exposed a sophisticated new malware family dubbed DOUBLELOADER, observed in conjunction with the RHADAMANTHYS infostealer.
This discovery sheds light on the evolving tactics, techniques, and procedures (TTPs) of cybercriminals who leverage advanced obfuscation tools to hinder analysis.
Notably, DOUBLELOADER is protected by ALCATRAZ, an open-source obfuscator first released in 2023, originally rooted in the game hacking community but increasingly abused in e-crime and targeted intrusions.
This malware duo represents a growing challenge for security analysts, as obfuscation techniques significantly complicate the reverse-engineering process, extending the time required to analyze and mitigate threats.
DOUBLELOADER Malware Linked to ALCATRAZ
The DOUBLELOADER malware, named after the string found in its own PDB path, injects unbacked code (memory not backed by any file on disk) into explorer.exe using syscalls such as NtOpenProcess and NtCreateThreadEx.

It collects host data, updates itself, and beacons to a hardcoded C2 IP address (185.147.125.81), highlighting its backdoor capabilities.
A distinct toolmark in DOUBLELOADER is the presence of a non-standard executable section named “.0Dev,” a signature of ALCATRAZ’s obfuscation.
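The “.0Dev” section name is the kind of toolmark that can be checked at triage time before any disassembly begins. The following script is an added example, not code from the Elastic report; it walks the PE section table with plain struct unpacking and flags that section. The sample input is a constructed skeletal PE header built by `build_minimal_pe`, not a real binary.

```python
import struct

# Section name that the Elastic report identifies as an ALCATRAZ toolmark.
ALCATRAZ_SECTION = ".0Dev"

IMAGE_FILE_HEADER = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp,
                                 # PointerToSymbolTable, NumberOfSymbols,
                                 # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = 40         # IMAGE_SECTION_HEADER; the name is its first 8 bytes


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE file given its raw bytes.

    Walks DOS header -> PE signature -> COFF file header -> section table,
    so no third-party PE library is needed. Raises ValueError for input
    that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    if coff + struct.calcsize(IMAGE_FILE_HEADER) > len(data):
        raise ValueError("COFF header is truncated")
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from(IMAGE_FILE_HEADER, data, coff)
    table = coff + struct.calcsize(IMAGE_FILE_HEADER) + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table is truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", errors="replace"))
    return names


def has_alcatraz_section(data: bytes) -> bool:
    """Triage check: True if the binary carries the non-standard '.0Dev' section."""
    return ALCATRAZ_SECTION in pe_section_names(data)


def build_minimal_pe(section_names: list[bytes]) -> bytes:
    """Constructed sample input: a skeletal PE header with the given sections.

    Only enough of a PE for header parsing; it is not a runnable program.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xF0                                   # typical PE32+ optional header size
    coff = struct.pack(IMAGE_FILE_HEADER, 0x8664, len(section_names), 0, 0, 0, size_opt, 0x22)
    optional = b"\0" * size_opt                       # zero-filled placeholder optional header
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8) for n in section_names)
    return dos_header + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    for names in ([b".text", b".rdata", b".0Dev"], [b".text", b".rdata", b".data"]):
        sample = build_minimal_pe(names)
        verdict = "ALCATRAZ toolmark" if has_alcatraz_section(sample) else "no toolmark"
        print(pe_section_names(sample), "->", verdict)
```

A section name is a cheap indicator, not proof: it can be renamed by the operator or appear in unrelated tooling, so a hit should be confirmed against the other ALCATRAZ artifacts the report describes (mutated instructions, flattened control flow) or the published YARA rules.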
ALCATRAZ employs a range of techniques including control flow flattening, instruction mutation, constant unfolding, LEA constant hiding, anti-disassembly tricks, and entrypoint obfuscation, all designed to frustrate static and dynamic analysis tools.
For instance, control flow flattening disrupts traditional program structure by introducing a dispatcher mechanism, while anti-disassembly techniques, such as inserting short jump instructions before specific bytes, break disassemblers and necessitate manual intervention or automated patching.
According to the report, Elastic Security Labs has detailed these methods in its analysis, demonstrating how ALCATRAZ transforms binaries in a bin2bin workflow, which lets operators obfuscate already-compiled code without any source-level modifications.
Advanced Obfuscation Tactics
To combat these challenges, the research team has developed and released IDA Python scripts to deobfuscate ALCATRAZ-protected binaries, alongside YARA rules to detect DOUBLELOADER activity.

Their approach includes pattern matching to reverse instruction mutations, emulation to recover unfolded constants, and plugins like D810 to unflatten control flows.
These tools and strategies are vital for organizations aiming to triage and analyze such threats effectively.
A practical example from the report illustrates the cleanup of a DOUBLELOADER function, where layered obfuscation was peeled back by addressing anti-disassembly jumps, restoring LEA-hidden strings, and refining decompilation, ultimately revealing the malware’s intent and functionality.
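The anti-disassembly jump described above (a short jump placed before a byte that a linear-sweep disassembler would otherwise decode as an instruction) is the part of the cleanup that lends itself to automated patching. The block below is an added example and not one of the report's IDA Python scripts; it uses the generic `jmp short +1` form of the trick, which is an assumption about the pattern rather than ALCATRAZ's exact bytes, and the sample code bytes are constructed, not taken from DOUBLELOADER.

```python
# Byte pattern: jmp short +1 (EB 01) followed by the single byte it skips.
# The skipped byte never executes, but a linear-sweep disassembler decodes it
# as the start of an instruction and swallows the real bytes that follow.
JMP_SHORT_OVER_ONE = b"\xEB\x01"
NOP = 0x90


def find_short_jumps_over_byte(code: bytes) -> list[int]:
    """Return the offset of every 'EB 01 xx' sequence in the byte string."""
    hits = []
    i = 0
    while True:
        i = code.find(JMP_SHORT_OVER_ONE, i)
        if i < 0 or i + 3 > len(code):   # no match, or jump with no byte to skip
            return hits
        hits.append(i)
        i += 3


def patch_short_jumps(code: bytes) -> tuple[bytes, list[int]]:
    """Replace each 'EB 01 xx' with three NOPs and report where it happened.

    The jump's only effect was to step over xx, so NOP-ing all three bytes
    preserves behaviour while letting the disassembler fall through cleanly.
    """
    buf = bytearray(code)
    hits = find_short_jumps_over_byte(code)
    for off in hits:
        buf[off:off + 3] = bytes([NOP] * 3)
    return bytes(buf), hits


# Constructed sample (hypothetical, not bytes from DOUBLELOADER):
#   mov eax, 1      ; B8 01 00 00 00
#   jmp short +1    ; EB 01
#   db 0E8h         ; junk byte: a linear sweep reads it as a 5-byte 'call'
#   ret             ; C3
SAMPLE = bytes.fromhex("B801000000" "EB01" "E8" "C3")
EXPECTED = bytes.fromhex("B801000000" "909090" "C3")

if __name__ == "__main__":
    patched, offsets = patch_short_jumps(SAMPLE)
    print("patched at offsets:", offsets)
    print("before:", SAMPLE.hex(" "))
    print("after: ", patched.hex(" "))
    assert patched == EXPECTED
```

Because this scans raw bytes, `EB 01` inside an immediate or a displacement would also match, and a byte that is the target of a jump from elsewhere must not be NOP-ed. A production script, like the IDA Python tooling the report ships, iterates over decoded instructions so that it only patches real `jmp` instructions, and applies the patch in the database with `ida_bytes.patch_bytes`; the raw-byte version here is only meant to show what that patch does.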
This meticulous process underscores the often-unseen effort in malware analysis, where significant time is spent dismantling obfuscation before core behaviors can be studied.
The emergence of ALCATRAZ in malware campaigns like DOUBLELOADER signals a troubling trend of accessible, powerful obfuscation tools being weaponized by threat actors.
With its origins in game hacking, ALCATRAZ’s adoption by e-crime groups and APTs emphasizes the need for advanced defensive techniques and collaborative tooling to stay ahead of adversaries.
Elastic Security Labs’ comprehensive breakdown of ALCATRAZ’s TTPs, together with the release of countermeasures, marks a critical step in equipping the cybersecurity community to tackle these obfuscated threats head-on. It also reinforces how important it is to understand and counter such evasion tactics in today’s threat landscape.