Analyzing the Unanalyzable: Multi-Layer Detection and Runtime Analysis for WebAssembly Malware

Dhruthan M N

Student @ PES University


Arsenal Overview

WebAssembly (WASM) has emerged as a universal execution substrate deployed across browsers, cloud functions, edge runtimes, and IoT devices. Its platform-independent bytecode format and sandboxed execution model, while designed for safety, have created a significant blind spot in modern security tooling: existing malware analyzers are built for PE and ELF binaries and have no capability to parse, disassemble, or analyze WASM binaries.

Malware authors have begun exploiting this gap, embedding cryptominers, ransomware, droppers, and credential stealers in WASM modules that pass undetected through conventional security pipelines.

This analyzer has three independent and complementary analysis layers.

The static analysis engine implements a full WASM binary parser, disassembler, control flow graph builder with correct structured control flow resolution, intra-procedural taint analysis, entropy and cryptographic constant detection, and a rule engine with YARA-like detection signatures covering 12 threat categories.
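As an added illustration of the static layer's first building blocks (walking the section table, then scoring entropy and spotting cryptographic constants), the following Python is not the analyzer's own code; it assumes only the standard WASM binary layout and a sample module constructed inline.

```python
import math
import struct
from collections import Counter
WASM_MAGIC = b"\x00asm"
SECTION_NAMES = {0: "custom", 1: "type", 2: "import", 3: "function", 4: "table", 5: "memory",
                 6: "global", 7: "export", 8: "start", 9: "element", 10: "code", 11: "data", 12: "datacount"}
SHA256_IV = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A)  # first four SHA-256 IV words: hints at an embedded hash routine

def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 integer at buf[pos]; return (value, next_pos)."""
    result = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def parse_sections(module):
    """Walk the section table: magic, 4-byte version, then (id, LEB128 size, payload)*."""
    if module[:4] != WASM_MAGIC:
        raise ValueError("not a WebAssembly module")
    pos, sections = 8, []
    while pos < len(module):
        sec_id, pos = module[pos], pos + 1
        size, pos = read_uleb128(module, pos)
        sections.append((SECTION_NAMES.get(sec_id, f"unknown({sec_id})"), module[pos:pos + size]))
        pos += size
    return sections

def shannon_entropy(data):
    """Bits per byte of a section payload; packed or encrypted blobs approach 8.0."""
    if not data:
        return 0.0
    return -sum(n / len(data) * math.log2(n / len(data)) for n in Counter(data).values())

def find_sha256_iv(data):
    """Byte offsets where an IV word is stored little-endian, as a wasm i32 table would be."""
    return [(hex(w), off) for w in SHA256_IV if (off := data.find(struct.pack("<I", w))) != -1]

def build_sample_module():
    """Constructed test input: an empty type section plus one active data segment (IV table + 256 distinct bytes)."""
    payload = b"".join(struct.pack("<I", w) for w in SHA256_IV) + bytes(range(256))
    # one segment: flags=0, offset expr `i32.const 0; end`, then vec length 272 as LEB128 (0x90 0x02)
    data_body = b"\x01" + b"\x00" + b"\x41\x00\x0B" + b"\x90\x02" + payload
    return (WASM_MAGIC + b"\x01\x00\x00\x00"
            + b"\x01\x01\x00"                  # type section: id 1, size 1, zero entries
            + b"\x0B\x97\x02" + data_body)     # data section: id 11, size 279 as LEB128

def analyze(module):
    return {name: (round(shannon_entropy(body), 2), find_sha256_iv(body)) for name, body in parse_sections(module)}
```

The data segment scores close to 8 bits per byte and carries all four IV words, which is exactly the pairing of signals (opaque blob plus hash constants) that a rule engine would combine into a miner or packer finding.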

The dynamic analysis layer integrates Wasabi to perform instruction-level execution tracing, runtime call graph reconstruction, state machine extraction, and static-to-dynamic CFG divergence analysis.

The runtime monitoring layer uses bpftrace eBPF tracepoints to observe kernel-level behavior of WASM runtimes, detecting W+X memory mappings, credential exposure, and anomalous network connections without requiring modification of the runtime itself.

About the Speaker

Dhruthan M N

Student @ PES University

Dhruthan M N is a final-year undergraduate student in Computer Science and Engineering. His interests are in networks and systems.