Bypassing Array Canaries via Autonomous Function Call Resolution
Nathaniel Oh, Paul Attie, Anas Obeidat

TL;DR
This paper introduces AFCR, a novel method to bypass Array Canaries in JavaScript, and presents Arphsy, a tool that aids in deobfuscating canaried JavaScript code for security analysis.
Contribution
We developed AFCR to effectively bypass Array Canaries and created Arphsy, a proof-of-concept tool that automates deobfuscation of canaried JavaScript code.
Findings
AFCR successfully bypasses Array Canaries in tested scenarios.
Arphsy automates deobfuscation, aiding security research.
The approach enhances analysis of obfuscated JavaScript malware.
Abstract
We observed the Array Canary, a novel JavaScript anti-analysis technique currently exploited in the wild by the Phishing-as-a-Service framework Darcula. The Array Canary appears to be an advanced form of the array shuffling techniques employed by the Emotet JavaScript downloader. In practice, a series of Array Canaries are set within a string array and, if modified, will cause the program to loop endlessly. In this paper, we demonstrate how an Array Canary works and discuss Autonomous Function Call Resolution (AFCR), a method we created to bypass Array Canaries. We also introduce Arphsy, a proof-of-concept for AFCR designed to guide Large Language Models and security researchers in the deobfuscation of "canaried" JavaScript code. We accomplish this by (i) finding and extracting all Immediately Invoked Function Expressions from a canaried file, (ii) parsing the file's Abstract…
Taxonomy
Topics: Embedded Systems Design Techniques
