Bypassing_AV_EDR_part-2_118

Then you will know the truth and the truth will set you free.

John 8:32

Information provided in this Magazine is strictly for educational purpose only. Please don't misuse this knowledge to hack into devices or networks without taking permission. The Magazine will not take any responsibility for misuse of this information.

Part 2: Obfuscation
BYPASSING ANTIVIRUS / EDR
January 19 2024. In Part 1 of the Bypassing AV/EDR ebook, you learnt that encryption can be used to make payloads FUD (Fully UnDetectable). In this Part 2, you will learn how obfuscation can be used to make payloads FUD. But first things first.
What is Obfuscation?
What is obfuscation, and how is it different from encryption? Well, encryption converts the code of the payload into something very difficult to understand, while obfuscation makes the code seem, well, what is the exact word, obfuscated.
In obfuscation, we just hide the purpose of the code without changing the code itself. I myself am not satisfied with this definition, but the best way to understand it is practically (just like everything in Hackercool Magazine).
For this, I will use the same Hackercool Labs I used in Part 1, and I will be using a Batch file “assumed_FUD_payload.bat” to demonstrate this. Why a Batch file? Not just because it is my favorite scripting language, but also because Batch files are regularly used in infection chains by Threat Actors and APTs. Don't believe me? Well, let's have a look at the latest infection chain of AsyncRAT.

Or the infection chain of Zloader.



Now, let's jump to the practical part. We will use the same malware code we created in Part 1 of this series.

But before we deal with this code, I will create another Batch file named “hc.bat” with the code “start powershell.exe” to explain obfuscation to you clearly.

As you might already know, executing this Batch file opens a PowerShell window as shown below
Now, let’s try obfuscating this payload. The method of obfuscation I am going to show you has
been used by popular malware known as SeroXen RAT in its BATcloak engine to make itself
FUD (Fully UnDetectable) in 2023.
Did you know that Batch script has variables? Let's set some variables using the “set” command in Batch. Here it is. I set the values “start” and “powershell.exe” to the variables “a” and “b” respectively.

After setting the variables, we can call them by enclosing their names in percent signs (%). I save the file and execute it.

The result is the same. It opens a PowerShell window as shown in the above image. But the code can still be easily understood. Let's obfuscate it further.
Malware authors usually use a combination of encryption and obfuscation techniques to create a Fully UnDetectable payload.

Once again, the result is the same.

Now, let’s try the same technique on ‘assumed_FUD_payload.bat’ file.



Let’s test this obfuscated payload on VirusTotal.



Well, as you can see, the detection rate is now zero. Before obfuscation, its detection rate was 17/58.

Here it is. A completely Fully UnDetectable (FUD) payload. Now, let's have a look at the encrypted payloads we created in Part 1 of this series. Here is Xen_FUD_payload.ps1.
The purpose of obfuscation is to make the code of a program difficult to understand or detect by both humans and computers, without making any changes to how the program works. It intends to hide the presence of malicious intention completely.

Now, compare their code with our obfuscated payload.


What is the difference you see? Well, I will tell you the difference if you don't notice anything. Let me give you an example. Imagine you are hanging out with your group of friends, maybe a group of six or at least three. You are chitchatting in English. Suddenly, two members of the group start speaking in French. You don't know a bit of French (just like me), but you know they are probably talking about something they don't want you to understand. Well, that is encryption for you. Now imagine these two friends communicating with subtle hand gestures, handshakes, high-fives or facial expressions.
These are all common in a friendship and you don't notice anything. Well, this is obfuscation.
Similarly, when an encrypted payload is submitted to a malware analysis engine, it may not understand anything about the code, but it knows the code is up to something. Otherwise, why would it need to encrypt its code? So it tries to break the encryption to check what the code is doing. If it fails to break the encryption of the payload, it is a FUD payload. While dealing with an obfuscated payload, the malware analysis engine can see commands like “del, drive, system” but it cannot relate them. The code becomes obscure. What more is left to be done? Except maybe changing the name of the payload from assumed_FUD_payload to FUD_payload.
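The variable trick shown with hc.bat above, and the point just made that an analysis engine sees tokens like “del” or “start” but cannot relate them, both come down to one fact: cmd.exe expands every %var% reference before a line runs, so a static analyser that performs the same expansion recovers the real command. The Python script below is an added example, not the magazine's or any vendor's code; it walks a constructed sample modelled on hc.bat (SAMPLE_BAT, chained variable and indicator list are all assumptions) and goes slightly beyond the page by also resolving cmd's standard %var:~start,len% substring syntax.

```python
import re

# Constructed sample modelled on the page's hc.bat: the pieces of the real
# command live in variables and the command only exists after expansion.
SAMPLE_BAT = """@echo off
set a=start
set "b=powershell.exe"
set c=%a% %b%
%c%
"""

# set name=value  or  set "name=value"  (cmd.exe accepts both forms)
SET_RE = re.compile(r'^\s*set\s+"?([^=" ]+)=([^"]*?)"?\s*$', re.IGNORECASE)
# %name%  or  %name:~start,len%  (cmd.exe substring expansion)
VAR_RE = re.compile(r'%([^%:~\s]+)(?::~(-?\d+)(?:,(-?\d+))?)?%')

# Illustrative indicators only (assumption); a real rule set is far larger.
INDICATORS = ("powershell", "del ", "rmdir", "format ")

def expand(line, env):
    """Replace %var% references in one line using the variables seen so far."""
    def sub(m):
        name, start, length = m.group(1), m.group(2), m.group(3)
        val = env.get(name.lower())          # cmd variable names are case-insensitive
        if val is None:
            return m.group(0)                # undefined variable: cmd leaves it as-is
        if start is None:
            return val
        seg = val[int(start):]               # Python slicing approximates cmd semantics
        return seg if length is None else seg[:int(length)]
    return VAR_RE.sub(sub, line)

def deobfuscate(script):
    """Walk the script like cmd.exe would: expand first, then assign or record."""
    env, revealed = {}, []
    for raw in script.splitlines():
        line = expand(raw, env)              # expansion happens before the line runs
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue                         # assignment lines are setup, not payload
        stripped = line.strip()
        if stripped and not stripped.lower().startswith(("@echo", "rem ", "::")):
            revealed.append(stripped)
    return env, revealed

def flag(commands):
    """Return the indicator strings found in the expanded command lines."""
    return sorted({i for c in commands for i in INDICATORS if i in c.lower()})

if __name__ == "__main__":
    env, cmds = deobfuscate(SAMPLE_BAT)
    for cmd in cmds:
        print("expanded:", cmd, "| indicators:", flag([cmd]))
```

Run against the sample, the single expanded line is “start powershell.exe”, which is exactly the relation between tokens that the page says a scanner loses when it only looks at the raw file.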

USEFUL RESOURCES

https://haveibeenpwned.com
