Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTPs that help protect the malware and its execution flow. Some of these features are:
- Shellcode encryption (AES-CBC 256)
- Direct x86 syscalls via @Jackson T’s new SysWhispers2
- Prevents 3rd party (non-Microsoft signed) DLLs from hooking or injecting both the parent and child processes.
- Parent Process ID spoofing
- Overwrites its own shellcode after execution.
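Of the features above, Parent Process ID spoofing is the one that leaves the clearest trace in process-creation telemetry: the parent a process is recorded under and the process that actually issued the create call stop agreeing. The following detection sketch is an added example and is not part of Alaris or its builder. The event records are constructed for this example; their field names are assumptions modelled on the two values the Windows kernel passes to a PsSetCreateProcessNotifyRoutineEx callback (ParentProcessId and CreatingThreadId.UniqueProcess, here called CreatingProcessId), not on any vendor's log format.

```python
import json

# Constructed process-creation events (not Alaris output, not a vendor log
# format). Field names are modelled on what the Windows kernel passes to a
# PsSetCreateProcessNotifyRoutineEx callback:
#   ParentProcessId   - the parent the new process is recorded under; this is
#                       what PPID spoofing controls and what process trees show
#   CreatingProcessId - the process whose thread actually made the create
#                       call (the kernel's CreatingThreadId.UniqueProcess)
_SAMPLE = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 3344, "ParentImage": r"C:\Windows\explorer.exe",
     "CreatingProcessId": 3344},
    # Spoofed: recorded under explorer.exe, but created by pid 4788
    {"ProcessId": 5012, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 3344, "ParentImage": r"C:\Windows\explorer.exe",
     "CreatingProcessId": 4788},
    {"ProcessId": 5200, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 4788, "ParentImage": r"C:\Users\admin\loader.exe",
     "CreatingProcessId": 4788},
    # Sensor that does not expose the creator: cannot be judged, not flagged
    {"ProcessId": 5300, "Image": r"C:\Windows\System32\calc.exe",
     "ParentProcessId": 3344, "ParentImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in _SAMPLE)


def load_events(jsonl_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def find_ppid_mismatches(events):
    """Return one finding per event whose declared parent is not the process
    that issued the create call. Events that lack CreatingProcessId are
    skipped rather than guessed about."""
    findings = []
    for ev in events:
        creator = ev.get("CreatingProcessId")
        if creator is None:
            continue
        if creator != ev["ParentProcessId"]:
            findings.append({
                "ProcessId": ev["ProcessId"],
                "Image": ev["Image"],
                "ClaimedParent": ev["ParentProcessId"],
                "ClaimedParentImage": ev.get("ParentImage"),
                "ActualCreator": creator,
            })
    return findings


def summarize(findings):
    """Render findings as one line each for an alert or a triage note."""
    return [f"pid {f['ProcessId']} ({f['Image']}) claims parent {f['ClaimedParent']} "
            f"but was created by pid {f['ActualCreator']}" for f in findings]


if __name__ == "__main__":
    for line in summarize(find_ppid_mismatches(load_events(SAMPLE_JSONL))):
        print(line)
```

The check only works if the sensor records the creating process as well as the declared parent; a source that reports only ParentProcessId shows the spoofed parent and nothing to compare it against, which is why the example skips such events instead of scoring them. Confirm which of the two values your telemetry actually carries before building a rule on it.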
To get a full understanding of how Alaris works, see my post here.
As of February 28th, 2021, several changes have been made:
- You can now easily build Alaris with the Python3 builder.py tool.
- Moved from SysWhispers to SysWhispers2
- Key and IV are now dynamic for each build via PBKDF2
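Deriving the key and IV per build means the encrypted payload bytes, and therefore the file hash, differ from one build to the next even when the shellcode and passphrase are reused, so detection that keys on a known blob does not carry over between builds. The following is an added example of that derivation scheme, not code from Alaris or builder.py: the README says only that PBKDF2 is used, so the PRF (HMAC-SHA256), the iteration count, the salt length and the "one call, split into key and IV" layout are all assumptions made here.

```python
import hashlib
import os

KEY_LEN = 32          # AES-256 key
IV_LEN = 16           # AES-CBC IV (one block)
# PRF and iteration count are assumptions for this example; the README
# states only that PBKDF2 is used.
PRF = "sha256"
ITERATIONS = 100_000


def derive_key_iv(passphrase: str, salt: bytes, iterations: int = ITERATIONS):
    """Stretch a passphrase and a per-build salt into (key, iv).

    One PBKDF2-HMAC call yields KEY_LEN + IV_LEN bytes; the first 32 become
    the AES-256 key and the next 16 the CBC IV, so both change whenever the
    salt does, even if the passphrase is identical across builds."""
    material = hashlib.pbkdf2_hmac(PRF, passphrase.encode("utf-8"), salt,
                                   iterations, dklen=KEY_LEN + IV_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def new_build_material(passphrase: str, salt_len: int = 16):
    """Mint a fresh random salt for one build and derive its key and IV.

    The salt is not secret, but it has to be available wherever decryption
    happens, because the same (passphrase, salt) pair is the only way to
    reproduce the same key and IV."""
    salt = os.urandom(salt_len)
    key, iv = derive_key_iv(passphrase, salt)
    return salt, key, iv


if __name__ == "__main__":
    # Two builds with the same passphrase: different salts, different keys.
    for _ in range(2):
        salt, key, iv = new_build_material("example_password")
        print(f"salt={salt.hex()} key={key.hex()[:16]}... iv={iv.hex()}")
```

For analysts, the practical consequence is the reverse of the builder's: given a recovered passphrase and salt, the derivation is deterministic, so `derive_key_iv` reproduces exactly the key and IV that build used. The known-answer check in the test uses the PBKDF2-HMAC-SHA256 vector from RFC 7914 (P="passwd", S="salt", c=1), which the first 32 output bytes must match regardless of the requested length.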
The easiest method to build Alaris is with builder.py. I assume the following when you’re building a new Alaris loader:
- You are compiling on a Windows host. Preferably, Windows 10.
- You have Visual Studio 2019+ [Community, Professional] installed with C++ (see example here)
- You have Python3 installed and have run pip install -r requirements.txt
usage: builder.py [-h] -s -p [-o]
optional arguments:
-h, --help show this help message and exit
-s, --shellcode Path to RAW shellcode file
-p, --password Encryption Passphrase
-o, --out Output Path for compiled binary
# Output Compiled Binary to CWD
python3 builder.py -s C:\Users\admin\payload.bin -p example_password
# Output Compiled Binary to a path of your choosing.
python3 builder.py -s C:\Users\admin\payload.bin -p example_password -o C:\Users\admin\Desktop\my_alaris