Is your antivirus really secure? Testing Powershell payload obfuscated with Chimera

Ariel Jacob
6 min readApr 17, 2023

--

In this short post I’m going to show how most antiviruses can’t detect simple Powershell payload obfuscation tests done with Chimera.

We can’t trust the rankings

When it comes to cybersecurity, one of the most widespread protections both at home and in companies is antivirus. But when choosing which antivirus is better, we usually get into a kind of chaos of features -free or premium- and heuristic detection functions, anti-theft mechanisms, anti-cracking, anti-phishing, anti-spyware, among many others. We usually resort to the trusted search engine, read tons of articles, watch countless minutes of videos from specialist channels, to end up even more confused with the “rankings” of “the best antivirus 2023”, which are actually subjective opinions or paid by the same antivirus companies.

What is the basic feature that makes one antivirus better than another?

Malware detection.

That’s it. Period.

Therefore, the best way to know which antivirus is NOT suitable for us is to do some tests to see if it detects malware, specifically an obfuscated powershell reverse-shell.

⚠️ Disclaimer: Do not test for malware on your personal machine as it could damage your system unless you know what you are doing. This specific test is with a harmless reverse shell in PoC mode. This example is shown for ethical purposes, and is in no way a recommendation for you to do it to another person without their consent.

The Test

The purpose of the test is to check whether Norton360 and Kaspersky antivirus detect the download of a malicious file that contains an obfuscated powershell reverse shell.

The test will consist of taking a generic powershell reverse-shell payload, obfuscating it with the Chimera obfuscation tool, hosting it with a python server, and attempting to download it on the target machine. Important: we must configure the kali machine and the windows machine as part of the same network so that when hosting the python server in kali, it is accessible by the windows machine.

Powershell shell and Obfuscation with Chimera

Chimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1’s known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.

You can install chimera following its instructions in the repository:

https://github.com/tokyoneon/Chimera

sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git
sudo git clone <https://github.com/tokyoneon/chimera> /opt/chimera
sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/
sudo chmod +x chimera.sh; ./chimera.sh --help

Within the shells that Chimera brings, we chose the Invoke-PowerShellTcp.ps1

We edited with nano and added our IP address of the kali machine for the reverse shell connection.

We go back to where the chimera executable is and run the following command to obfuscate the payload:

❯ ./chimera.sh --file ./malware_repo/Invoke-PowerShellTcp.ps1 --all --output ./malware_repo/virus.ps1

In the command we pass the file we want to obfuscate with the ‘— file’ flag, we indicate all the obfuscations with and ‘ — all’ and an output with ‘ — output’.

The tool will perform a series of code obfuscations:

Nishang ofuscation
Commnent substitution
Function Substitution
Variable Substitution
IP Address Substitution
Data Type Substitution
String Substitution
Comment Insertion
Comment Substitution
Indentation Randomization
Trigger Keyword Search

Once the obfuscated payload is obtained, we place both in a directory that we are going to host with a python server:

Testing Norton360 (paid licence)

When we try to download the shell without obfuscating it detects it.

When we want to download the obfuscated shell, it allows it. It does not detect that it is malware. We run with powershell and get reverse shell.

Testing Kaspersky Premium (paid licence)

In this case we have a better result: it detects the unobfuscated executable and also the obfuscated one.

Detection of powershell executable without obfuscation:

When we downloaded the obfuscated virus.ps1, we verified that it detected it heuristically in the browser cache:

To conclude, we uploaded both payloads to VirusTotal and verified the results. In the case of the obfuscated powershell, only 5 antiviruses detected it. Among them are Kaspersky, ESET NOD32, Google, Sophos, Zone Alarm by Chekpoint.

In addition, we see how those antiviruses that are positioned in the rankings of the best antiviruses and with awards, such as AhnLab-V3, AVG and AVAST (now merged with Norton), did not detect a simple generic powershell. For reference, the list of AV-TEST.

Conclusion

It can be concluded that if these antiviruses do not detect simple payloads obfuscated by available open-source tools, then much less more sophisticated malware with more complex obfuscations.

Of course, this is a very short test and one that needs to be developed further. My intention was to show you the seriousness of the non-detection of simple obfuscated payloads with public tools by recognized antivirus that charge you money to protect you.

I invite you to look into the spectacular evidence and research by Red Team researchers on this topic of antivirus obfuscations and evasions.

Until next time!
Good hack!

References
The idea for this post arose in part after watching Ciberu’s video on antivirus.

https://www.youtube.com/watch?v=ZF2QVHNbJ9c

--

--