
A lot of pentesters have their own method to encrypt malware that can bypass antivirus detection. Because antivirus company updating their viruses database every day, so it is important to renew to malware encryption method. There is also a lot of tool to help hacker create fully undetectable malware, but majority of the tools is not updated so malware still detected by antivirus software. Because of that i wanna share you new tool to create FUD (Fully Undetectable) malware or payload that can help you bypass antivirus software.
EXOCET – Antivirus Evading, undetectable, payload delivery tool
EXOCET is superior to Metasploit’s “Evasive Payloads” modules as EXOCET uses AES-256 in GCM Mode (Galois/Counter Mode). Metasploit’s Evasion Payloads uses a easy to detect RC4 encryption. While RC4 can decrypt faster, AES-256 is much more difficult to ascertain the intent of the malware.

However, it is possible to use Metasploit to build a Evasive Payload, and then chain that with EXOCET. So EXOCET will decrypt via AES-256, and then the Metasploit Evasive Payload then decrypts itself from RC4.
However, EXOCET is not limited to a single codebase or platforms that are running Python. EXOCET works on ALL supported platforms and architectures that Go supports.
Exocet Overview
EXOCET, is effectively a crypter-type malware dropper that can recycle easily detectable payloads like WannaCry, encrypt them using AES-GCM (Galois/Counter Mode), which is more secure than AES-CBC, and then create a dropper file for a majority of architectures and platforms out there.
Basically…
- It ingests dangerous malware that are now detectable by antivirus engines
- It then encrypts them and produces it’s own Go file
- Then that Go file can be cross-compiled to 99% of known architectures
- Upon execution, the encrypted payload is written to the disk and immediately executed on the command line
- Alternatively, instead of a file-drop, it will execute the reconstitute shellcode in memory using amenzhinsky’s go-memexec module github.com/amenzhinsky/go-memexec
- A custom shellcode executor is in the works, it takes ordinary C shellcode and after num-transform, it will run it by creating a new process after allocating the correct virtual address space and granting it RWX permissions on Windows
That means 32-bit, and 64-bit architectures, and it works on Linux, Windows, Macs, Unix, Android, iPhone, etc. You take, anything, and I mean ANYTHING, like the 1988 Morris Worm that nearly brought down the internet (which exploited a flaw in the fingerd listener daemon on UNIX), and make it a viable cyberweapon again.
EXOCET is designed to be used with the DSX Program, or the “Cyber Metal Gear” as I envisioned it. Being able to launch and proliferate dangerous malware without a traceable launch trail.
EXOCET is written entirely in Go.
How to use
EXOCET, regardless of which binary you use to run it, requires Golang to work. By default, it generates a crypter .go file.
- Windows users: Install Go Here
- Linux users: run
sudo apt-get update && sudo apt-get install -y golang
- You must install the EXOCET source files in golang
go get github.com/tanc7/EXOCET-AV-Evasion
- Sub-requirements will also be downloaded and installed
- For Windows and Mac x64 Users, pre-compiled binaries are in the /bin folder
Run EXOCET
A key is automatically generated for you. The key is 64-characters long and is entirely composed of bash and cmd.exe shell pipe redirectors to confuse and disrupt brute-forcing attempts against the key by causing unpredictable, destructive behavior on the forensic analyst’s device.
For 64-bit Windows Targets
And out comes a outputmalware.exe
file
For 64-bit MacOS Targets
For 64-bit Linux Targets
See this reference on github for your parameters for other operating systems like Android Reference for Go Cross Compilation
Note that the key can still be found with the strings
command, please use the upx-ucl
command to pack binary to conceal the key.
Furthermore, there are prebuilt binaries that I have made, meaning you just have to run ./EXOCET
or EXOCET-Windows.exe
Live Demo
Incoming update
- Inline hooking
- Obfuscation by emulating BlackRota and the gobfuscate module
- Process hollowing
- Reflective DLL injection
- Remote process injection
- ThreadLocalStorage Callbacks
- Registration of Top-Level Exception Handlers
- Custom UPX packing