Table of Contents
Fetching ...

Bypassing Array Canaries via Autonomous Function Call Resolution

Nathaniel Oh, Paul Attie, Anas Obeidat

TL;DR

This work examines the Array Canary anti-analysis technique used by the Darcula Phishing-as-a-Service framework and proposes Autonomous Function Call Resolution (AFCR) as a method to bypass canaries. It introduces Arphsy, a proof-of-concept that uses staged AST-based analysis to extract IIFEs, filter and identify key functions, locate the most reassigned variable, and construct a harness that applies two hex offsets to deobfuscate canaried JavaScript. The approach shifts away from purely ML-based deobfuscation toward AST-centric and RegEx-assisted tooling, enabling safer, more reproducible deobfuscation of canaried code and deeper introspection for defenders. The authors discuss limitations, potential generalizations to other array-based obfuscation schemes, performance considerations, and the importance of open science to aid the cybersecurity community in countering Darcula and similar threats. Key insights include formalizing offset computation ($offset_2 = offset_1 + ext{length}( ext{largestStringArray})$) and leveraging IIFE-driven structure to guide deobfuscation within a controlled harness.$

Abstract

We observed the Array Canary, a novel JavaScript anti-analysis technique currently exploited in-the-wild by the Phishing-as-a-Service framework Darcula. The Array Canary appears to be an advanced form of the array shuffling techniques employed by the Emotet JavaScript downloader. In practice, a series of Array Canaries are set within a string array and if modified will cause the program to endlessly loop. In this paper, we demonstrate how an Array Canary works and discuss Autonomous Function Call Resolution (AFCR), which is a method we created to bypass Array Canaries. We also introduce Arphsy, a proof-of-concept for AFCR designed to guide Large Language Models and security researchers in the deobfuscation of "canaried" JavaScript code. We accomplish this by (i) Finding and extracting all Immediately Invoked Function Expressions from a canaried file, (ii) parsing the file's Abstract Syntax Tree for any function that does not implement imported function calls, (iii) identifying the most reassigned variable and its corresponding function body, (iv) calculating the length of the largest string array and uses it to determine the offset values within the canaried file, (v) aggregating all the previously identified functions into a single file, and (vi) appending driver code into the verified file and using it to deobfuscate the canaried file.

Bypassing Array Canaries via Autonomous Function Call Resolution

TL;DR

This work examines the Array Canary anti-analysis technique used by the Darcula Phishing-as-a-Service framework and proposes Autonomous Function Call Resolution (AFCR) as a method to bypass canaries. It introduces Arphsy, a proof-of-concept that uses staged AST-based analysis to extract IIFEs, filter and identify key functions, locate the most reassigned variable, and construct a harness that applies two hex offsets to deobfuscate canaried JavaScript. The approach shifts away from purely ML-based deobfuscation toward AST-centric and RegEx-assisted tooling, enabling safer, more reproducible deobfuscation of canaried code and deeper introspection for defenders. The authors discuss limitations, potential generalizations to other array-based obfuscation schemes, performance considerations, and the importance of open science to aid the cybersecurity community in countering Darcula and similar threats. Key insights include formalizing offset computation () and leveraging IIFE-driven structure to guide deobfuscation within a controlled harness.$

Abstract

We observed the Array Canary, a novel JavaScript anti-analysis technique currently exploited in-the-wild by the Phishing-as-a-Service framework Darcula. The Array Canary appears to be an advanced form of the array shuffling techniques employed by the Emotet JavaScript downloader. In practice, a series of Array Canaries are set within a string array and if modified will cause the program to endlessly loop. In this paper, we demonstrate how an Array Canary works and discuss Autonomous Function Call Resolution (AFCR), which is a method we created to bypass Array Canaries. We also introduce Arphsy, a proof-of-concept for AFCR designed to guide Large Language Models and security researchers in the deobfuscation of "canaried" JavaScript code. We accomplish this by (i) Finding and extracting all Immediately Invoked Function Expressions from a canaried file, (ii) parsing the file's Abstract Syntax Tree for any function that does not implement imported function calls, (iii) identifying the most reassigned variable and its corresponding function body, (iv) calculating the length of the largest string array and uses it to determine the offset values within the canaried file, (v) aggregating all the previously identified functions into a single file, and (vi) appending driver code into the verified file and using it to deobfuscate the canaried file.
Paper Structure (12 sections, 6 figures, 2 tables)

This paper contains 12 sections, 6 figures, 2 tables.

Figures (6)

  • Figure 1: Darcula's Fake Massachusetts Registry of Motor Vehicles Webpage
  • Figure 2: Invalid Unicode Encoding in Darcula WOFF Files
  • Figure 3: Darcula USPS Phishing Text
  • Figure 4: An Overview of Arphsy
  • Figure 5: Harness File Structure
  • ...and 1 more figures