WebAssembly Diversification for Malware Evasion

Abstract

WebAssembly is a binary format that has become an essential component of the web nowadays. Providing a faster alternative to JavaScript in the browser, this new technology has been embraced from its early days to create cryptomalware. This has triggered a solid effort to propose defenses that can detect WebAssembly malware. Yet, no defensive work has assumed that attackers would use evasion techniques. In this paper, we study how to evade WebAssembly cryptomalware detectors. We propose a novel evasion technique based on a state-of-the-art WebAssembly binary diversifier. We use the worldwide authoritative VirusTotal as malware detector to evaluate our technique. Our results demonstrate that it is possible to automatically generate variants of WebAssembly cryptomalware, which evade the considered strong detector. Remarkably, the variants introduce limited performance overhead. Our experiments also provide novel insights about which WebAssembly code transformations are the best suited for malware evasion. This provides insights for the community to improve the state of the art of WebAssembly malware detection.