EXOCET – Tool to Create Undetectable Malware or Payload by Antivirus

EXOCET - Tool to Create Undetectable Malware or Virus by Antivirus Software

A lot of pentesters have their own method to encrypt malware that can bypass antivirus detection. Because antivirus company updating their viruses database every day, so it is important to renew to malware encryption method. There is also a lot of tool to help hacker create fully undetectable malware, but majority of the tools is not updated so malware still detected by antivirus software. Because of that i wanna share you new tool to create FUD (Fully Undetectable) malware or payload that can help you bypass antivirus software.

EXOCET – Antivirus Evading, undetectable, payload delivery tool

EXOCET is superior to Metasploit’s “Evasive Payloads” modules as EXOCET uses AES-256 in GCM Mode (Galois/Counter Mode). Metasploit’s Evasion Payloads uses a easy to detect RC4 encryption. While RC4 can decrypt faster, AES-256 is much more difficult to ascertain the intent of the malware.

EXOCET - Tool to Create Fully Undetectable Malware or Payload by Antivirus

However, it is possible to use Metasploit to build a Evasive Payload, and then chain that with EXOCET. So EXOCET will decrypt via AES-256, and then the Metasploit Evasive Payload then decrypts itself from RC4.

However, EXOCET is not limited to a single codebase or platforms that are running Python. EXOCET works on ALL supported platforms and architectures that Go supports.

Exocet Overview

EXOCET, is effectively a crypter-type malware dropper that can recycle easily detectable payloads like WannaCry, encrypt them using AES-GCM (Galois/Counter Mode), which is more secure than AES-CBC, and then create a dropper file for a majority of architectures and platforms out there.

Basically…

  1. It ingests dangerous malware that are now detectable by antivirus engines
  2. It then encrypts them and produces it’s own Go file
  3. Then that Go file can be cross-compiled to 99% of known architectures
  4. Upon execution, the encrypted payload is written to the disk and immediately executed on the command line
  5. Alternatively, instead of a file-drop, it will execute the reconstitute shellcode in memory using amenzhinsky’s go-memexec module github.com/amenzhinsky/go-memexec
  6. A custom shellcode executor is in the works, it takes ordinary C shellcode and after num-transform, it will run it by creating a new process after allocating the correct virtual address space and granting it RWX permissions on Windows

That means 32-bit, and 64-bit architectures, and it works on Linux, Windows, Macs, Unix, Android, iPhone, etc. You take, anything, and I mean ANYTHING, like the 1988 Morris Worm that nearly brought down the internet (which exploited a flaw in the fingerd listener daemon on UNIX), and make it a viable cyberweapon again.

EXOCET is designed to be used with the DSX Program, or the “Cyber Metal Gear” as I envisioned it. Being able to launch and proliferate dangerous malware without a traceable launch trail.

EXOCET is written entirely in Go.

How to use

EXOCET, regardless of which binary you use to run it, requires Golang to work. By default, it generates a crypter .go file.

  1. Windows users: Install Go Here
  2. Linux users: run sudo apt-get update && sudo apt-get install -y golang
  3. You must install the EXOCET source files in golang go get github.com/tanc7/EXOCET-AV-Evasion
  4. Sub-requirements will also be downloaded and installed
  5. For Windows and Mac x64 Users, pre-compiled binaries are in the /bin folder

Run EXOCET

go run EXOCET.go detectablemalware.exe outputmalware.go

A key is automatically generated for you. The key is 64-characters long and is entirely composed of bash and cmd.exe shell pipe redirectors to confuse and disrupt brute-forcing attempts against the key by causing unpredictable, destructive behavior on the forensic analyst’s device.

For 64-bit Windows Targets

env GOOS=windows GOARCH=amd64 go build -ldflags “-s -w” -o outputMalware.exe outputmalware.go

And out comes a outputmalware.exe file

For 64-bit MacOS Targets

env GOOS=darwin GOARCH=amd64 go build -ldflags “-s -w” -o outputMalware.macho outputmalware.go

For 64-bit Linux Targets

env GOOS=linux GOARCH=amd64 go build -ldflags “-s -w” -o outputMalware.elf outputmalware.go

See this reference on github for your parameters for other operating systems like Android Reference for Go Cross Compilation

Note that the key can still be found with the strings command, please use the upx-ucl command to pack binary to conceal the key.

Furthermore, there are prebuilt binaries that I have made, meaning you just have to run ./EXOCET or EXOCET-Windows.exe

Live Demo

exocetdemo.mp4

Incoming update

  1. Inline hooking
  2. Obfuscation by emulating BlackRota and the gobfuscate module
  3. Process hollowing
  4. Reflective DLL injection
  5. Remote process injection
  6. ThreadLocalStorage Callbacks
  7. Registration of Top-Level Exception Handlers
  8. Custom UPX packing

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

one × 3 =