Unpacking of APT29 PolyglotDuke

MalBot · November 27, 2021, 9:01pm

Dynamically unpacking using x64-dbg

Introduction

In this blog, i will be uncovering up techniques that can be used for unpacking trojan “Polyglot Duke” developed by APT29 ( The Dukes / Cozy Bear) attributed as Russia’s Foreign Intelligence Service (SVR).

Information Gathering

Let first look up the file in the PE Studio. It’s 64-bit loader of PolyglotDuke.

Obtaining information on loader using PE Studio.

Setting up environment for Unpacking

Firstly uncheck the System Breakpoint from Setting by going into Options-> Preferences in x64-dbg.

Go to Break on: uncheck System Breakpoint.

Next thing that needs to be done is setting the breakpoints in the binary.

Open PolyglotDuke Loader from Disk.

look of x64-dbg when loader is loaded.

In the command palette, type “bp” { breakpoint API }.

Command palette at the bottom of x64-dbg.

In this case , it will be as

bp VirtualAlloc

bp VirtualProtect .

Breakpoints Window in x64-dbg.

Unpacking

Hit “Run” after setting breakpoints in binary.

Hitting “Run” Button on x64-dbg.

On running debugger, it hits at the first breakpoint “VirtualAlloc” as there is no presence of “MZ” header so soon after “”VirtualAlloc” is being hit , hit the

x64-dbg hits at the “VirtualAlloc”.

return button in debugger after following RAX register in hexdump.

Following RAX register in hexdump.

x64-dbg hitting at return of “VirtualAlloc”.

And as again when you hit the “Run” in debugger it hits “VirtualAlloc” for two more times & then it hits “VirtualProtect”.

x64-dbg hits at “VirtualProtect”.

Now, as if see in the bottom right of the debugger , you will see the presence of “MZ” header. Then following it in the hexdump. And as you clearly see the unpacked payload in the hexdump.