-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
One question Bytecode77! ^- ^ #10
Comments
Powershell basically executes So you have two options: or 2.) Copy the entire code of the Just keep in mind that elevated privileges are needed for the r77 service to start. As described in the documentation, a rootkit that only injects non-elevated processes would not give you any benefit. Since you're using r77, I'm guessing that your product has elevated privileges at least once to install r77. |
I would still re-open this issue, as it points out that Windows Defender is detecting execution of Powershell with this specific command line. This problem has been raised in issue #9 as well and needs further investigation. I will close this issue, once I have managed to evade AV detection of the startup routine, |
Well yes, in my case, I use as AV, NOD32, I'm using as a stealth module for my project, a modified version of your Rootkit r77(Which is awesome!), and the truth, everything works as you would expect, but when you install the R77, NOD32 detects the rootkit injection as malware, specifically as a trojan. That yes, even being detected in Runetime, the Rootkit ends up installing without any problem. Anyway, I'm still investigating the options you told me and if I find any other way I'll comment it here! ^- ^ |
Ohh, you gonna update r77 ? |
I have a "fix solution" but its not a Bypass, its like an AV killer, maybe, so.... 😅😅 |
I was just going through the open issues yesterday. I left this one open, as I have found out Windows Defender might be blocking the startup of r77. Yesterday I finally got the time to investigate it, but then it was not blocked by Defender. So apparently, it's blocked by NOD32, is that correct? Is the execution of Install.exe from disk blocked by your AV, or is the Powershell startup routine blocked? Because if Install.exe is blocked at scantime, you would need to RunPE the installer. Since you implement the installation routine directly in your project, I'm guessing you mean the Powershell startup is blocked. Could you share your experience with AV? It's hard to test r77 with all of the AV's, that's why feedback is very welcome :) And of course, if the Powershell startup is blocked, that is indeed in scope of r77. If it's just the installer executable, then RunPE is the solution. |
Actually, r77 its detected at runetime by NOD32, I dont know if another AV block r77 startup or not, but when I scan the install.exe on AntiScan.me r77 its detected by some AV... Im sure, this is fault to RAT Venom Software, who use the r77 to hide the startup payload in the victim machine. At this moment, I have a "temporally solution" with Windows Defender. With this command implemented in my project, I can disable Windows Defender to execute a clean Installation of r77 :
When the rootkit is sucessfully installed, I just enable again WD. I am working right now, in a project, to deactivate any AV in the market. I said KILL, NOT BYPASS.... But well, right now I'm also doing several things in my life, (studies, work, etc...) and my time is not pressing. When I have more news, I will update the post, but for the moment this is all the news I have. I have been trying to integrate in RunPE the r77 to my project, but I do not know if it is because it includes Costura.Cody to assemble all the .DLL inside my project or that... I have not been able to make that it functions, for the moment. |
Me, too. I have job, wife, friends, obligations, etc... That's why I sometimes need a few days or weeks to reply on a thread, etc... Killing AV seems like a working approach. Just keep in mind there are two ways that r77 is detected and blocked by AV: At scantime, Install.exe is detected and execution is blocked For this, the only viable approach would be storing an encrypted version of Install.exe, decrypting it in memory and using RunPE to create a process of it. Note, that this executable is 32-bit and the process that runs it using RunPE must be 32-bit, too. Internally, r77 uses RunPE and reflective DLL loading, to avoid any files on the disk, since this is a sure fire way to get detected and removed. Alternatively, replicating the installer's logic in your code like you did is a very nice approach, too. At runtime, the Powershell commandline or DLL injection is blocked If this happens, then I need implement some precautions to avoid it. It doesn't happen with Windows Defender. Defender only detects Install.exe at scantime. If this happens with NOD32, please let me know and I'll try to figure something out. |
Yes, yes, r77 its several detected by NOD32 when Install.exe execute the InstallStager part. The rootkit semms working anyways, but get detected too. 😌 |
I have installed NOD32 in a VM and it does block the stager that's supposed to RunPE both instances of the r77 service. Since AV evasion is always a daunting task, I can't tell exactly when there will be a bugfix, But it's number 1 priority for r77 and I'll post back once I've figured out how to evade detection. |
Very well, I am very busy right now with other projects, when I resume work with r77, I will try to find a solution. As long as I can come up with a solution for AV's evasion, but keep in mind, that thanks to the remote administration tool "VENOM" (the old version), r77 is detected by most AV's (you can check it by uploading the "*.DLL" or the "Install.EXE" of r77 to http://www.antiscan.me/). The only experiences that I have been able to verify by myself about the detection of r77, have been with Windows Defender and NOD32. Well, I hope that together we can find a possible solution to the detection issue. ^- ^ |
Me, too. I'm also very busy most of the time and therefore it can sometimes take a while before I respond or actually get to fix issues. I was working on r77 for about 3-4 months before I released version 1.0.0. And I really appreciate any contribution from you, the community, that helps in improving my projects :) Particularly AV evasion is a complicated task. I just checked out "VENOM" - and it seems like they're using the old 0.6.0 version of the rootkit. This version is a very early beta that did not even work properly in x86 and it only hides processes and files. This rat also drops the DLL's to disk and uses LoadAppInit_DLLs to inject the rootkit. This by the way is not compatible with secure boot enabled. That's why I've put so much effort into implementing reflective DLL loading to make it 100% fileless. "LoadAppInit_DLLs" is simply no longer useful. My rootkit stands out by the fact that it's both fileless and handles installation all by itself and out-of-the-box. I will do what it takes to keep improving it and making it FUD. |
Yesterday, NOD32 trial activation didn't work in my VM. Today I took another test run. This is what I've noticed so far:
Funny ambiguous detection... It seems like the only weak spot is the powershell initializer that gets detected. If this is really the case, then that's a fortunate discovery and I'll try to figure out a way to change it so that it doesn't get detected. |
Yes, as I told you some time ago, the problem lies in the initialization of the rootkit using Powershell. That's why, when I opened the post, I asked you if it could be initialized using C#/C++ and thus avoid the use of Powershell. 🙃🙃 |
Since r77 is fileless, it must be some file that is part of the operating system to initialize the rootkit. Powershell is excellent, because it can load C# executables from registry and invoke them. At the very minimum, some OS executable must be able to perform a RunPE. The alternative is to drop exe files, which would not be fileless anymore. I'm currently also working on a new version of my crypter where I've done some research on anti emulation techniques. This is an excerpt of the emulation detection:
The first method seems to be very effective, even though it's 5 years old. I've done lots of tests, where I drop EICAR only and test single emulation detection routines seperately. I can confirm that the above methods work (May 2021). C#
This is something that an emulator typically can't handle. Could you try to add this to the very beginning of the |
Ohh, looks like a VERY INTERESTING proposal, I'm not at home right now, I'm away on a trip, this weekend I'll try to take a look at it, see if this solves the InstallStager detection! PS : You are awesome, how can you find time for everything ?? 😜 |
Hold on for a second... I have done additional testing. It seems like NOD32 occasionally slips detection, but anti emulation techniques in the stager still not make the startup undetectable. The problem is actually AMSI. This interface sends So, the new goal is to bypass AMSI before the payload is read from the registry and executed using I'll keep working on figuring this out. Any community input from anybody reading this is greatly appreciated! |
Ohh, I see, so AMSI is the problem? I will look for more information on this, and investigate possible ways to disable AMSI from Powershell. 🤔🤞 |
AMSI is not the problem with NOD32 in particular, but rather the HIPS. It's detecting the api call sequence of the RunPE in the stager, which is what gets r77 caught. These are the changes I have made so far:
These changes are currently only on the dev-Branch. You can compile yourself and preview them, if you want. Currently, NOD32 no longer removes r77 from the system, but still detects it and in turn reboots the VM. From this point forward, my VM is stuck in a rebooting-cycle. I'm gonna have to figure out why NOD32 lets r77 initialize and take over the system, but still detects it. |
Yes, the truth is that very strange that it detects it, but still, r77 work normally? 🤔 Currently RunPE is the best way to initialize the stager, but couldn't some morphosis system be used ? Maybe combining the r77 with the auto-morph project would make it more invisible to AV's. idk. |
r77 1.2.1 is available.As of now, r77 is no longer detected or removed by NOD32. Several AV/EDR bypass techniques have been implemented. Check out the changelog and section 4.5 AV Evasion Techniques. Note: If you integrate r77 by invoking Install.exe using process hollowing, you need to perform DLL unhooking as described in the documentation. r77 should now run peacefully along with NOD32 installed. Please confirm and close the issue, if this is the case. And thank you very much for bringing this to my attention! Typically, too many times, GitHub issues revolve around users requiring help with the usage of tools. However, your issue brought a really important topic to the surface that required fixing and brought improvement to the project. |
WoW ! I'm sorry I couldn't answer you or reply, but I've been without internet for a week :/// Well, I'm going to try the new version, to see if I find any bug together with NOD32 ! ^- ^ I appreciate your attention and that you are a developer so attentive to his projects and with encouragement to continue to evolve ! Do you have a contact email that you can pass me ? PS: Thanks again man! EDITNow works perfectly with NOD32! ❤️🔥 |
[ ·> NEW ISSUE / DETECTION WITH NOD32 <· ]NOD32 Updated to trigger the entire injection of Install.exe { r77 } Some details :Video Proof : https://screenrec.com/share/ZCq3uLovFY |
I can confirm that NOD32 has updated detection routines for runtime detection and I'll have a look at it. However, fixing a detection will never fix it permanentaly, because this is a public release. I'll still look into it, but I can't tell how long it will take, nor how much time I have to analyze (it depends...) However, what you are demonstrating in your video is that the file Also make sure to read section 4.5.2 DLL Unhooking. Because NOD32 hooks So, what you should definitely do as a baseline is:
It won't fix the current issue, but it is really important that you implement the deployment of |
I understand bytecode77, I am going to look at your documentation points [ 5 - 5.1 - 5.2 & 4.5.2 ] ^- ^ Anyway, yes, what you say is completely true, being a public version, it's complicated to keep a project of this size completely FUD, it's normal, anyway you are amazing, the attention, understanding and dedication you have, I haven't seen before in any developer. You are awesome! ❤️🔥 |
Is it possible to inject the Rootkit with C# natively or in some other way, without using PowerShell?
I say this, because the injection with PowerShell, is detected by many AV's. :://
The text was updated successfully, but these errors were encountered: