When it comes to Antivirus solutions and malware developers, the arms race is often described as a game of cat and mouse. The question is: who is the cat and who is the mouse?
This article discusses techniques for bypassing traditional Antivirus solutions and next-generation EDR solutions.
Antivirus solutions detect malware in two distinct ways: Signature Based Detection, which matches known byte patterns or strings in the file on disk, and Heuristic (Behavioural) Detection, which watches what the program actually does at runtime, such as the Windows API calls it makes and the memory it allocates or writes in other processes.
The fundamentals of Antivirus have not changed a lot in the 17 years since I first discovered a passion for bypassing it, but the effort required has. Once upon a time you could take a “malicious” binary, e.g. a RAT, and run it through a binary packer such as a modified build of UPX, or a binary protector, to bypass most Antivirus programs. Those days are long gone: bypassing Antivirus now takes time and effort. The game is no longer trivial, it is a black-box game of trial and error.
Before heuristics were introduced into the game, a popular technique for bypassing Antivirus was to use a file splitter to split the binary into multiple pieces and scan each piece with the Antivirus engine to narrow down where the signature was located. You would then open that piece in a hex editor such as Hex Workshop and zero out the signature by overwriting its bytes with 0x00. This was sometimes effective, but it could also break the binary if the bytes being zeroed belonged to code or data the program needed, so the patched binary always had to be re-tested for function as well as for detection.
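The same signature-hunting idea, done by bisection rather than with a file splitter, as an added example that is not from the original article. The scanner is simulated here with a substring match on a constructed fake signature spliced into constructed filler bytes; against a real engine, is_flagged() would write the chunk to disk and return whether the engine quarantined it. Every name below is this example's own.

```python
# Added example: locate an AV signature inside a binary by bisection, then zero it out.
# The AV engine is simulated with a substring match on a constructed "signature";
# in practice is_flagged() would write the chunk to disk and ask the real scanner.
from typing import Callable

Scanner = Callable[[bytes], bool]

# Constructed sample input: 4 KiB of filler with a fake 19-byte signature spliced in at offset 1000.
FAKE_SIGNATURE = b"VERY_BAD_RAT_STRING"
FILLER = bytes(range(256)) * 16
SAMPLE_BINARY = FILLER[:1000] + FAKE_SIGNATURE + FILLER[1000:]


def simulated_scanner(chunk: bytes) -> bool:
    """Stand-in for the AV engine: flags any chunk containing the fake signature."""
    return FAKE_SIGNATURE in chunk


def find_signature_end(data: bytes, is_flagged: Scanner) -> int:
    """Smallest prefix length that is still flagged, i.e. the byte just past the signature.
    Invariant: data[:hi] is flagged, data[:lo] is not."""
    lo, hi = 0, len(data)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(data[:mid]):
            hi = mid
        else:
            lo = mid
    return hi


def find_signature_start(data: bytes, end: int, is_flagged: Scanner) -> int:
    """Largest start offset such that data[start:end] is still flagged.
    Invariant: data[lo:end] is flagged, data[hi:end] is not."""
    lo, hi = 0, end
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(data[mid:end]):
            lo = mid
        else:
            hi = mid
    return lo


def locate_signature(data: bytes, is_flagged: Scanner) -> tuple:
    """Return (start, end) of the flagged byte range. Each search costs O(log n) scans
    instead of one scan per fixed-size piece as with a file splitter."""
    if not is_flagged(data):
        raise ValueError("scanner does not flag the input; nothing to locate")
    end = find_signature_end(data, is_flagged)
    start = find_signature_start(data, end, is_flagged)
    return start, end


def zero_out(data: bytes, start: int, end: int) -> bytes:
    """Overwrite the located range with 0x00, as one would do in a hex editor.
    This blindly destroys whatever lived there; if it was code, the binary will crash."""
    return data[:start] + b"\x00" * (end - start) + data[end:]


if __name__ == "__main__":
    start, end = locate_signature(SAMPLE_BINARY, simulated_scanner)
    print(f"signature at 0x{start:x}-0x{end:x}: {SAMPLE_BINARY[start:end]!r}")
    patched = zero_out(SAMPLE_BINARY, start, end)
    print("still flagged after patch:", simulated_scanner(patched))
```

Two caveats when pointing this at a real engine: scanning truncated chunks assumes the engine will still match raw bytes in a file without a valid PE header, which holds for most string and byte-pattern signatures but not for detections that need the file to parse; and when a signature is a conjunction of several strings, the located range runs from the first required string to the last, so narrow it by hand before zeroing, or you will destroy far more than the signature.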
Back in the day most RATs were written in Delphi, oh the days of Delphi. Lots of Delphi source was publicly available on forums such as ChaseNET, the home of PoisonIvy and Bifrost. Once you had the source code you could bypass signature detection by renaming namespaces, functions and variables, because signatures for well-known public RATs are frequently written against exactly those names and the strings built from them. The same applies today to publicly available RATs written in C#, where type, namespace and method names sit in plaintext in the assembly metadata. It is a time-consuming black-box game of trial and error, but with determination it can be done. To test compiled payloads, use a non-distributing multi-engine scanner such as https://avcheck.net/; never upload a payload to VirusTotal or a similar distributing service, since samples are shared with the vendors and the bypass will be short-lived.
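A small identifier renamer for the C# case, added here as an example rather than taken from the article or any RAT project. It tokenises the source so that string literals and comments are left untouched and only whole-word code identifiers from a supplied list are replaced, and it reports literals that still mention an old name so those can be handled by hand. The sample source is a constructed fragment shaped like a public injector; all names in it are invented for the example.

```python
# Added example: consistent renaming of namespaces, classes, methods and variables in C#
# source, skipping string literals and comments so only code identifiers are touched.
import re
import secrets

# One regex pass: literals and comments are matched first so their contents are never renamed.
TOKEN_RE = re.compile(
    r'''
    (?P<literal>@"(?:[^"]|"")*"       # verbatim string
               |"(?:\\.|[^"\\])*"     # regular string
               |'(?:\\.|[^'\\])'      # char literal
    )
  | (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<ident>[A-Za-z_]\w*)
    ''',
    re.VERBOSE | re.DOTALL,
)

# Constructed sample: a fragment shaped like a public C# injector, with names a signature could key on.
SAMPLE_SOURCE = '''
namespace RatInjector
{
    public class Injector
    {
        // Inject the payload into a target process
        public static void InjectPayload(byte[] payload, int targetPid)
        {
            string banner = "Injector v1";   // literal stays as-is
            int bytesWritten = Writer.Write(targetPid, payload);
        }
    }
}
'''

NAMES_TO_RENAME = ["RatInjector", "Injector", "InjectPayload", "targetPid"]


def random_name(prefix: str = "x") -> str:
    """Fresh identifier that is valid C# and carries no meaning."""
    return prefix + secrets.token_hex(6)


def rename_identifiers(source: str, names, new_name=random_name):
    """Rename every whole-word occurrence of each name outside literals and comments.
    Returns the rewritten source and the old->new mapping so that reflection strings,
    build files or a re-scan can be updated consistently."""
    mapping = {name: new_name() for name in names}

    def substitute(match):
        ident = match.group("ident")
        if ident is None:  # literal or comment: emit untouched
            return match.group(0)
        return mapping.get(ident, ident)

    return TOKEN_RE.sub(substitute, source), mapping


def literal_mentions(source: str, names) -> list:
    """String literals that still contain an old name; these need a manual decision,
    because they are exactly what a string signature would key on."""
    hits = []
    for m in TOKEN_RE.finditer(source):
        lit = m.group("literal")
        if lit and any(n in lit for n in names):
            hits.append(lit)
    return hits


if __name__ == "__main__":
    renamed, table = rename_identifiers(SAMPLE_SOURCE, NAMES_TO_RENAME)
    print(renamed)
    print("mapping:", table)
    print("literals still mentioning old names:", literal_mentions(renamed, NAMES_TO_RENAME))
```

Renaming in source is only part of the job: the assembly name and default namespace in the .csproj, embedded resource names and the PDB path compiled into the binary all carry the original names too, and code that resolves types by string through reflection will break unless those strings are updated from the returned mapping.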
To bypass modern heuristics it is important to use a process injection method that Antivirus or EDR solutions cannot flag through their visibility of Windows API calls, which in user mode usually comes from hooks placed on exports of ntdll.dll and kernel32.dll. In C# this can be achieved by implementing DInvoke in your shellcode injector toolset: instead of declaring the API functions with P/Invoke, which records them in the assembly's metadata and calls the hooked exports in the loaded DLL, DInvoke resolves the function address at runtime and invokes it through a delegate, and can also invoke it through a manually mapped copy of the DLL so that the EDR's user-mode hooks are never hit. Note that this only addresses user-mode hooking; an EDR that also consumes kernel callbacks or ETW Threat Intelligence events will still observe the remote memory allocation and thread creation themselves. See the below blog for further technical detail on this:
When injecting into a process, note that a memory scan will be triggered by AV solutions such as ESET if you inject into a process that does not normally perform network activity and it then starts doing so. It is best to inject into iexplore.exe or firefox.exe (or whichever web browser is present on the target) to avoid this, as web browser processes are expected to perform network activity. Bear in mind that the parent-child relationship is watched as well: a browser spawned by an Office application or from a console is itself a common detection rule, so prefer an already-running browser process where you can, and check the process tree you leave behind.