Posted on

Nim Malware and AV Evasion

Hello aspiring ethical hackers. In this article, you will learn about Nim malware and how hackers are using it to bypass Antivirus solutions.

“Cyber Security researchers at ProofPoint were tracking a hacking operation they named as TA800. TA800 had a common mode of operation. They send personalized phishing emails containing a link to a supposed PDF document. Users who visited that link, downloaded malware with a fake PDF icon. This Malware is a loader which once opened provides attackers control of victim’s Windows Systems. These hackers have been using a loader named Baz Loader since 2020. However, researchers noticed a new loader being used by these hackers on February 3, 2021. This loader which researchers named as Nimza Loader was built in Nim programming language.”

Nim is a programming language designed and developed by Andreas Rumpf. Originally named as nimrod (it was renamed Nim in 2008), Nim was created to be a language as fast as C, as expressive as Python and as extensible as Lisp.

Often, the most common programming languages used to make malware are C, C++, Java and Visual Basic. But Malware authors often use a new programming language to beat Anti-Malware. Python Inspired syntax and a feature to compile directly to C , C++ etc makes Nim easy to use for developers and malware authors alike. It also has cross platform support. By writing malware in Nim, hackers can make it difficult for Anti-Malware to be able to detect their payloads since they have no updated detection systems for these new programming languages.

In this tutorial readers will learn the process of creating Nim malware and test this malware to see if Anti Malware can detect these payloads or not. Unlike other popular programming languages, Nim is not installed by default in Kali Linux. It can be installed using the apt package manager as shown below.

sudo apt install nim

Nim is successfully installed. Just like any other programming language, Nim needs a compiler. Although it is compatible with many compilers, let’s install mingw-64 compiler as shown below.

sudo apt-get install mingw-w64

As Nim is installed, nimble will be available on the Kali Linux system. Nimble is the package manager of Nim language. To create malware using Nim we need some more libraries. Important among them is the Winim library, which contains Windows api, struct and constant definitions for Nim. This is important while creating Windows based malware. Zippy is used for compressing and decompressing payloads. Nimcrypto is Nim’s cryptographic library used to perform several cryptographic functions.

nimble install winim zippy nimcrypto

Since all the necessary libraries are installed, it’s time to create a payload using Nim. A Github repository named Offensive Nim has many Nim payloads. We will download one Nim payload from there and compile it. We download the keylogger.nim payload from the Git repository and use the syntax below to compile it.

The “-c” option specifies compiling the “-d” option is used to specify compiler. The “—app” option is used to specify the type of app to create. We can create four types of applications here: console, GUI, lib and staticlib. We will create a console app here. The “—cpu” option is used to specify the target processor. Since our target is a Windows system, we are specifying i386 option which can run on both 64bit and 32bit systems.

nim c -d=mingw –app=console –cpu=i386 <path to Nim payload>

This will create a Windows executable file with the same name as the .nim file. The payload is ready. Now lets test it. We copy it to the target system (Windows 7) running a third party Antivirus. As you can see, all the protection shields are active and the AV is updated.

As the payload is successfully copied to the target system, the Antivirus failed to detect it.

nim malware

Let’s try executing our payload and see the response of the Anti Virus. Even as our payload is running, the Antivirus failed to detect it.

This is good. But let’s try something meaningful. Let’s try to get a reverse shell on the target system. We downloaded a simple Nim reverse shell from here.

We change its LHOST and LPORT values and compile it in the same manner as above.

We start a Netcat listener on the Attacker system and execute the reverse shell payload on the target system.

As readers can see, we got a successful reverse shell connection and the Antivirus didn’t even blink.

Posted on

Process Ghosting Explained

Hello aspiring ethical hackers. In this article, you will learn about Process Ghosting, a technique used by hackers to bypass AV/EDR. As soon as an executable file lands on a Windows system, the endpoint Anti Malware opens the file for analysis. After the analysis is complete, the executable starts a process. The Anti Malware routinely detects malicious executables in this manner.

However, there is a small gap of time between the executable launching and the starting of a process. What if the executable is in delete pending state during this time gap? The Anti Malware cannot scan it as the file is in delete-pending state and its later attempts to scan it also fail as the file is already deleted. However, the malicious payload gets executed without being detected. Process Ghosting is a technique used by hackers when creating malware for Windows Operating Systems to avoid detection by Antivirus software including the Windows Defender. This technique takes advantage of a gap between process creation and when Antivirus software is notified of the process creation. This gap allows the malware developers a chance to alter the executable before it is scanned by the antivirus software.
Process Ghosting is built on three major techniques (used to evade Antivirus software detection) used by malware developers; They are,

1. Process Herpaderping

In Process herpaderping, an existing file handle is used in order to overwrite executable with decoy PE. Hence it leaves a camouflaged malware on the disk which is different from the actual process which is running.

2. Process Re-Imaging

Process Re-imaging takes advantage of a cache synchronization problem found in the Windows OS kernel. It causes a mismatch between executable file’s path and the reported path for image sections created from the executable. It loads a DLL at a camouflaged malware path, unloads it and then loads it from a new path.

2. Process Doppel-ganging

In this antivirus detection evasion technique, a malware takes advantage of the Windows Transactional NTFS mechanism. The mechanism allows applications to carry file system operations as a single transaction which if rolled back is not visible to the underlying file system.

Now, let us see step by step how to perform process ghosting. In this tutorial, we will use Process Ghosting to make the executable file of mimikatz undetectable by AV /EDR. Mimikatz can be downloaded from here. To perform process ghosting, we will use a tool called KingHamlet tool designed by IkerSaint. It can be downloaded from here.

This is how the process of process ghosting works with any tool.

1. Download the executable file. In this case, mimikatz.exe.
2. Put file to a delete-pending state using NtSetInformationFile(FileDispositionInformation).
3. Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.
4. Create an image section for the file.
5. Close the delete-pending handle, deleting the file.
6. Create a process using the image section.
7. Assign process arguments and environment variables.
8. Create a thread to execute in the process.

As you all know, mimikatz is easily detected by Windows Defender as malware. Let’s see the above steps practically. We fire up the King Hamlet tool in Windows to encrypt the executable file. We use the below commands.

kinghamlet.exe <payload.exe> <encryption key>

This will create the encrypted payload named mimikatz.exe.khe as show below.

Then we run another command to run the encrypted payload as a legitimate process.

kinghamlet.exe <encrypted.exe.khe> <encrypt key> <targetfile.exe>

This is to make sure the process runs as a legitimate executable.

This will run mimikatz.exe on the system as shown below.

process ghosting

Now, open Task Manager and see what process is running with ID 336.

In this case, we ran mimikatz.exe as Bandicam.exe. So our payload decoys itself as a Windows Problem Reporting process which is a Windows core process in the Windows Operating System. When we run the encrypted executable using King Hamlet tool, the Windows Defender detects no current malicious activity as shown below.

Posted on

AntiVirus Evasion With Exocet

Hello aspiring Ethical Hackers. In this article, you will learn about AntiVirus Evasion with the help of a tool named Exocet. Exocet is a Crypter type malware dropper. A Crypter is a software that is used to make malware undetectable. It performs functions such as encrypting, obfuscating and manipulating the code of the malware to make it undetectable.

EXOCET is one such Crypter-type malware dropper that can be used to recycle easily detectable malware payloads. EXOCET achieves this by encrypting those malware files using AES-GCM (Galois/Counter Mode) and then create a dropper file for a majority of target architectures and platforms.

Written in Golang programming language, the steps involved in making malware undetectable by EXOCET are,

  1. It first takes malware that is easily detectable by Anti Virus engines as input.
  2. It then encrypts this easily detectable malware and produces it’s own Go file.
  3. This Go file can be cross-compiled to 99% of known architectures like Linux, Windows, Macs, Unix, Android and IPhone etc.
  4. Upon execution, the encrypted payload is written to the disk and immediately executed on the command line.

Let’s see how it works. First, we need to install Golang on Kali as Exocet is a Go program.

Once Golang is successfully installed, clone the repository of Exocet. It can be downloaded from here.

We need to install the EXOCET source files in golang. We can do this using the command shown below.

Exocet is successfully installed. Now, let’s test it. We create a reverse shell payload with Msfvenom first.

We copy this payload to our target system which is Windows 10. The Windows Defender easily detects it (obviously) and classifies it as malware.

This is expected. Next, We copy this easily detectable payload to the directory of Exocet.

Then we run the following command using Exocet. This will create a new golang file called outputmalware.go.

Then we run the following command to create a Windows 64 bit payload.

av evasion

Our result is the exocet_payload.exe. We start a Metasploit listener on the attacker system and copy the Exocet payload to the target.

This time the payload goes undetected as shown below.

This is how we perform AntiVirus Evasion with Exocet Tool.

Posted on

Bypass Antivirus with AV | ATOR

Hello aspiring Ethical Hackers. In this article you will see how to bypass Antivirus with AV | ATOR. AV | Ator is a backdoor generator utility that uses cryptographic and injection techniques to bypass AV detection. The AV in AV | Ator stands for Anti Virus. Ator is character from the Italian Film Series “Ator” who is a swordsman, alchemist, scientist, magician, scholar and engineer with the ability to sometimes produce objects out of thin air.

ATOR takes C# shellcode as input, encrypts it with AES encryption and generates an executable file. ATOR uses various methods to bypass Anti Virus. Some of them are,

Portable executable injection : In portable executable injection, malicious code is written directly into a process (without a file on disk). Then, this code is executed by either invoking additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references.

Reflective DLL Injection : DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. This will overcome the address relocation issue.

Thread Execution Hijacking : Thread execution hijacking is a process in which malicious code is injected into a thread of a process.

ATOR also has RTLO option that spoofs an executable file to look like having an “innocent” extension like ‘pdf’, ‘txt’ etc. E.g. the file “testcod.exe” will be interpreted as “tesexe.doc” and of course we can set a custom icon. ATOR can be run on both Windows and Linux. We need Mono to run ATOR on Linux.

Let’s see how to install ATOR in Kali Linux. Clone the ATOR repository from Github as shown below.

Then unzip the zip archive.

Then, Install Mono as shown below.

After moving into the extracted directory, there will be an AVIATOR executable. We just need to run it with Mono.

If you want to run ATOR in Windows, you can just download the compiled binaries from Github . When you run the executable, the ATOR GUI opens.

bypass antivirus with AV | ATOR

Let’s see all the options in detail.
1. It contains the encryption key that is used to encrypt the shellcode. Keep it default if you want.
2. It contains the IV used for AES encryption. Keep it default too.
3. Shellcode in C# format.
4. It will show the encrypted payload.
5. The location to which the generated executable is to be saved.
6. Various Injection techniques.
7. Set a Custom Icon to the executable.

Let’s create the shellcode using msfvenom.

Copy the shellcode generated above and paste it in the payload column. Click on “Encrypt” to see the encrypted payload in (4). Click on (7) to set a custom icon (we are using pdf icon). Select the path of the executable (5) and select the injection technique (6) and click on “Generate EXE” button. Here’s the payload.

Before executing it on the target, start a listener on the attacker machine.

As soon the payload is executed on the target, we will have a shell as shown below.

See how to bypass antivirus with

Posted on

Beginners guide to Veil framework

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about some Antivirus bypass techniques used by hackers to keep their payloads undetected. In this blogpost, you will learn about Veil Framework, a tool to generate Metasploit payloads that can bypass common anti-virus solutions.

Veil framework is officially supported by Debian 8 and Kali Linux rolling 2018+. It may also be run on Arch Linux, Manjaro Linux, Black Arch Linux, Deepin 15+, Elementary, Fedora 22+, Linux Mint, Parrot Security, Ubuntu 15.10+ and Void Linux.

For this tutorial, we will be using Kali Linux. Veil framework can be installed either directly or can be downloaded from Github. Veil can be installed on Kali using apt as shown below.

This simple command will install all the dependencies and software Veil requires like Wine etc.

After successful installation, Veil can be started using the command shown below.

As you can see, Veil has two tools installed: Evasion and Ordnance. Let’s focus on the evasion part for this article. We can use the command shown below to the evasion tool.

As you can see, Veil is saying that 41 payloads have been loaded and it is displaying the commands available in Veil Evasion menu. To see all the payloads veil can create, use command “list” as shown below.

You can select the payload you want to create as shown below. For example, here I want to create powershell/meterpreter/rev_tcp.py payload. So, I use its number as shown below.

Along with payload information, the options required for this payload are also displayed along with the available commands.

The required options can be set just like Metasploit. For example, set lhost using command

Set lhost <attacker ip>

After all the options are set, we can create the payload using “generate” command.

You will be prompted to give a name to your output payload. Click Enter to continue. The payload is successfully created as shown below.