Just after we published a blog about a 64-bit obfuscator, we very quickly discovered another malware family following the same trend. Claretore is also using two-layer 64-bit obfuscation, although it does it a little differently to Ursnif.

The first layer simply decrypts the code of the second layer and passes it control. There's even a 64-bit anti-emulation trick used in the first layer.

The code snippet is depicted in Figure 1. It calls API GetBkColor() with a bogus parameter (0x3c2c3f2 as hdc in this case) and then it checks whether register r9b (the lowest byte of register r9) has the lowest 2 bits set after this API call.

Figure 1: Code snippet of the 1st layer

Note: On a 64-bit architecture, r9 may be used to pass the fourth integer parameter to a function.

On 64-bit versions of Windows 7, register r9 is used to store the return value temporarily as a side effect in this API. See Figure 2 below.

Figure 2:  Code snippet from GetBkColor()

The second layer decrypts and loads a 64-bit PE file in memory. The loaded 64-bit PE file is detected as Trojan:Win64/Claretore.A.

So, when thinking back to Ursnif - we have two families aiming to accomplish the same goal - i.e. avoiding detection and removal and getting the opportunity to perform their payload - but going about it in quite a different way. This is just another example to illustrate how malware authors are now specifically targeting 64-bit systems with their obfuscation.
 
Chun Feng
MMPC Melbourne