
Crafting Malicious Software for Penetration Testers: A Guide from Novice to Pro

Dominik Antończak

Sunday evening, you are preparing an email message for several company employees. Everything is polished, and the message is clear and convincing. The email includes a link to a server hosting malware that aligns perfectly with the company profile. The phishing campaign is about to begin. Before it does, you check everything again and say to yourself, “Perfect.” Just after that, you run the program that sends your phishing emails. The next day, around 8:30 – 9:00, you check the logs and see that 3/4 of the targeted employees have downloaded the hosted malware, so probably at least half of them ran it. It’s time to check the C2 (Command and Control server) for any beacons, but for some reason, there are none. What happened, you wonder? Thoughts start to appear. Was my malware detected by AV software? You open your browser, enter VirusTotal, and upload the file. After the analysis, you already know why no session was established. Your malware stood out more than Christmas lights. ‘Mission failed,’ unfortunately…

If you have ever scanned C2 executables, you know that most AV software already has signatures for them and can easily detect them both statically and behaviorally. In this article, I will present my breakdown of the levels of advancement in malware creation, a topic that matters to red teamers and pentesters who need to develop tools that evade detection. I will show in general terms which techniques can reduce the detection rate.

Preparing environment

In this article, I will show scan results using VirusTotal, but for your own research, it’s best to have your own environment to scan your samples. Some people say it is safe to upload your samples there, while others say it’s like shooting yourself in the foot. It’s important to note that VirusTotal and other services could analyze your software and prepare signatures that will expose your operation and techniques. My suggestion is to avoid taking that risk.

To prepare a test environment, a Windows 10/11 virtual machine will be needed. After installing and updating it, it’s best to make a clean copy of that image to quickly prepare other VMs. Now we need to install AVs. According to my research, we can install the following AVs for free or in trial versions:

  • AVAST
  • ESET
  • Malwarebytes
  • Bitdefender
  • McAfee
  • Sophos
  • Kaspersky
  • Windows Defender (obviously :)

It is best to have a separate VM for each of these antivirus products. Additionally, each VM should be placed on a host-only network, so the AVs cannot send any samples to the cloud. With this setup, we will be able to deliver our malware to these machines and receive sessions and beacons from them if the malware successfully bypasses the security solution.

Now that we have prepared our environment, it is time to focus on the malware. In this post, I will mainly show you the results of each technique on VirusTotal (because of the number of AVs operating there). The advancement of malware has been divided into several sections: beginner, pentester, adversary, and Pro.

Beginner

This type of “malware developer” focuses mostly on using already published solutions like known C2 frameworks (Metasploit, Sliver, Havoc, etc.) without any modification. At most, they may add a built-in encoder like shikata_ga_nai or another publicly available one.

Beginner malware

Sending this payload to VirusTotal resulted in the detection rate shown below:

Detection rate

Additionally, an msfvenom payload with shikata_ga_nai encoding was uploaded:

Encoded payload

As you can see, both scans resulted in a high detection rate. Since many of us rely on pre-built solutions, being able to establish sessions, deploy beacons, or execute malicious files like Mimikatz without detection becomes a crucial skill.

Pentester

A level above that is the pentester. This type of developer knows some basic injection techniques that allow them to bypass certain security solutions. Some of these techniques include:

Additionally, to reduce the detection rate, XOR encryption of the payload was used. So now let’s test these techniques against popular AV programs.

We will start with APC Injection, for which the detection rate is shown below:

APC Injection detection

We will also check the next technique, which is Local Mapping Injection:

Local Mapping Injection

As we’ve seen, detectability has been reduced by half, which provides a significant advantage. However, malware development doesn’t stop there. There are many techniques and improvements that can still be implemented.

Adversary

The next set of techniques is more advanced, so we move to the adversary level. At this stage, we see a higher level of sophistication. Instead of using “high-level” functions, the malware creator can utilize Syscalls (direct or indirect). It’s best to illustrate this with a picture (source: https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/):

Syscall process

The above image illustrates the process of using the OpenProcess() function. Instead of using OpenProcess(), an attacker can use the NtOpenProcess() syscall, which can help reduce detectability because antivirus systems may not have the capability to scan low-level functions. Syscalls are divided into:

  • Direct: these originate directly from the malware itself, bypassing the standard API calls provided by the operating system. While easier to implement than indirect syscalls, they can still be effective in evading detection because they bypass the standard API monitoring mechanisms.

  • Indirect: in this case, instead of directly calling the syscall, the malware uses techniques like jumping to a specific memory address where the syscall is located within the ntdll.dll library. This method can make the malicious activity appear more legitimate since it’s using standard library functions, potentially helping to evade detection.

By using syscalls, standard techniques can be made stealthier!
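The flip side for defenders: the direct-syscall stub has a recognizable shape (mov r10, rcx; mov eax, SSN; syscall), and in a healthy process that byte sequence should only live inside the mapped ntdll.dll image. The scanner below is an added example written for this article, not code from the post or from SysWhispers/HellsGate; the sample buffer and its syscall number 0x26 are constructed, not a real build's SSN.

```python
import re
import struct

# Byte shape of an x64 syscall stub: mov r10, rcx ; mov eax, imm32 ; ... ; syscall
# ntdll's own stubs carry a few extra bytes (the WOW64 check) before "syscall",
# so a short lazy gap is allowed between the immediate and the 0F 05 opcode.
STUB_RE = re.compile(
    rb"\x4c\x8b\xd1"          # mov r10, rcx
    rb"\xb8(?P<ssn>.{4})"     # mov eax, imm32  (system service number)
    rb".{0,16}?"              # optional bytes, e.g. test/jne emitted by ntdll
    rb"\x0f\x05",             # syscall
    re.DOTALL,
)


def find_syscall_stubs(blob: bytes) -> list:
    """Return (offset, ssn) for every syscall stub found in a code blob."""
    hits = []
    for m in STUB_RE.finditer(blob):
        ssn = struct.unpack("<I", m.group("ssn"))[0]
        hits.append((m.start(), ssn))
    return hits


def assess(module_name: str, blob: bytes) -> str:
    """Stubs are normal inside ntdll.dll; anywhere else they are a red flag."""
    if not find_syscall_stubs(blob):
        return "clean"
    if module_name.lower() == "ntdll.dll":
        return "expected"
    return "suspicious"


# Constructed sample: NOP padding, a stub with made-up SSN 0x26, then a ret.
SAMPLE = (b"\x90" * 8
          + b"\x4c\x8b\xd1\xb8\x26\x00\x00\x00\x0f\x05\xc3"
          + b"\xcc" * 4)

if __name__ == "__main__":
    for offset, ssn in find_syscall_stubs(SAMPLE):
        print(f"stub at offset {offset}: SSN {ssn:#x}")
    print("verdict for payload.exe:", assess("payload.exe", SAMPLE))
```

In practice the same check is run over each executable region of a live process or over the sections of a dropped file, comparing the region's backing module name against ntdll.dll.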

Below is an implementation of APC injection via syscalls using SysWhispers (https://github.com/jthuraisamy/SysWhispers), which generates stubs that execute direct syscalls:

SysWhispers implementation

Still, 22/74 is a pretty high score, but there are other direct syscall techniques like HellsGate. I recommend reading below to enhance your skills:

Be aware that I did not make any changes to these programs that could reduce the detection rate. The next scanned file uses the HellsGate direct syscall technique:

HellsGate technique

Wow! 9/70 is quite a good score - not perfect, but still good! By adding additional security measures like anti-debugging and anti-VM techniques, obfuscations, hiding used Windows APIs, and much more, we can delve even deeper!

Pro

The final stage is the Pro level. What matters here is a deep understanding of the targeted systems and the use of advanced techniques that manipulate processes and the system itself to execute payloads in an undetectable manner, so that they won’t even be flagged by EDRs. Sending such finely crafted payloads to external scanning services isn’t a sensible idea. Honestly, it’s best to limit detectability testing to your own environment, as described at the beginning.

Some examples of techniques that can be used by an advanced malware developer include:

  • String Hashing – self-explaining ;)
  • IAT Hiding by using custom GetProcAddress and GetModuleHandle – the Import Address Table (IAT) is the part of a binary that lists which functions it imports. This list can be used to judge whether a program could be malicious. Using a custom GetProcAddress & GetModuleHandle can hide the WinAPIs that are used.
  • API Hashing – using a custom hashing technique like djb2 combined with a custom GetProcAddress & GetModuleHandle will keep the resolved functions out of the IAT.
  • CRT Library Removal – the CRT (Microsoft C Run-Time Library) is a library that contains many functions like malloc, strcpy, printf, etc. Removing it from a build and replacing these functions with custom ones can reduce the detection rate.
  • Signing malware with a certificate – using a code-signing certificate, like the above-mentioned techniques, helps reduce the detection rate. One less ethical (and illegal) maneuver is using a leaked certificate. Known certificates are highly trusted and can even hide minimally edited C2 payloads.
  • Using sophisticated injection techniques – Process Hollowing, Ghost Process Injection, Herpaderping Process Injection. I recommend reading about these techniques because there is a lot to explain ;)
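String and API hashing only hide names from the IAT; the hash values themselves stay in the binary. An analyst who spots djb2-style constants in a sample precomputes the hashes of known export names and maps them back, which restores the “hidden” import list. The resolver below is an added example for this article, not code from the post; the export list is a small constructed subset, not a full module export table.

```python
# djb2 as commonly used for API hashing: h = h * 33 + c, kept to 32 bits.
# Defender's use: precompute hashes of known exports, then resolve the
# constants recovered from a sample back to module + function names.

# Constructed subset of exports; a real resolver loads the full export
# tables of kernel32.dll / ntdll.dll from a clean Windows install.
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateRemoteThread", "WriteProcessMemory"],
    "ntdll.dll": ["NtOpenProcess", "NtQueueApcThread",
                  "NtMapViewOfSection", "NtCreateSection"],
}


def djb2(name: str) -> int:
    """32-bit djb2 hash of an ASCII export name."""
    h = 5381
    for ch in name.encode("ascii"):
        h = ((h << 5) + h + ch) & 0xFFFFFFFF   # h * 33 + ch, truncated
    return h


def build_lookup(exports: dict) -> dict:
    """Map djb2(hash) -> (module, export name) for every known export."""
    table = {}
    for module, names in exports.items():
        for n in names:
            table[djb2(n)] = (module, n)
    return table


def resolve_hashes(hashes, table: dict) -> list:
    """Resolve a list of recovered constants; unknown ones are kept visible."""
    return [table.get(h, (None, f"unknown:{h:#010x}")) for h in hashes]


if __name__ == "__main__":
    lookup = build_lookup(KNOWN_EXPORTS)
    # Constructed "recovered" constants: two known hashes plus one unknown.
    recovered = [djb2("NtOpenProcess"), djb2("VirtualAlloc"), 0xDEADBEEF]
    for module, name in resolve_hashes(recovered, lookup):
        print(module, name)
```

Any constant that resolves to a name belongs in the sample's reconstructed import list; the unresolved ones usually point to exports missing from the table, or to a different or seeded hash function.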

Alright, as a bonus, I’ll show you what really refined malware can do with some of the mentioned techniques! In the prepared malware, I’m loading a modified Sliver beacon (https://github.com/BishopFox/sliver). The loader itself incorporates many techniques, which results in bypassing ESET antivirus:

ESET bypass

Phenomenal! As you can see, proper malware preparation can bypass advanced antivirus software. Of course, this is just an example; different antivirus products will need different techniques, so if you want to be in the Pro group, you will need to experiment.

If you are the target of an APT group or a skilled hacker, you can only hope that the attacker makes a mistake that leads to detection. Therefore, it’s crucial to be careful about what runs on both personal and company devices, as it can lead to dire consequences. This also highlights the need for cybersecurity training that enables employees to recognize suspicious e-mails or files and report them to security teams.
