Under the Hood of Wslink Multilayered Virtual Machine

Dive into a 35-minute conference talk from Recon 2022 that explores the intricate workings of Wslink, a sophisticated loader associated with the Lazarus group. Uncover the advanced virtual machine obfuscator protecting Wslink samples and learn about the multiple layers of obfuscation techniques employed, including junk code insertion, virtual operand encoding, and nested VMs. Follow along as the speaker, Vladislav Hrčka, an experienced malware analyst from ESET, presents a semiautomatic approach to deobfuscating the VM's internals. Gain insights into the symbolic execution method used to extract virtual opcode semantics and understand how treating certain VM constructs as concrete values enables automatic handling of additional obfuscation techniques. Compare the deobfuscation results against non-obfuscated samples to validate the effectiveness of this approach in reverse engineering challenging malware.