Build Undetectable Malware
Before we begin, I would like to clarify that this article is for educational and entertainment purposes only.
🤓 In this article I'm about to embark on a coding adventure in C++, a language I barely know, to show you how I managed to whip up a piece of malware with persistence, a keylogger, a reverse PowerShell shell over SSL/TLS, and all that jazz in just one day! But fear not, my mischievous creation shall remain undetectable… for now. 😈💻🔒
Here's a glimpse into how I envisioned the malware. It consists primarily of two main parts: the local command section and the PowerShell command section. But before we delve into these functionalities, we need to navigate the intricate world of sandbox bypass techniques. Those target the dynamic side of antivirus analysis, where the sample is detonated in an instrumented environment; static analysis (signatures, imports, string literals) is a separate hurdle that sandbox checks do nothing against. This is where the fun begins, as we play a game of cat and mouse with detection mechanisms to keep our cunning creation alive. 🐱🐭💻🔒
The screenshot above shows my coding style, which resembles either Golang or C 🖥️, but that doesn't really matter: I will explain some of the key functions and talk about the server, which, by the way, is implemented in Python 🐍.
Let's start with the main functions. First, we have the persistence function, which lets the malware stealthily relaunch itself at every logon by dropping a shortcut (.lnk) into the user's Startup folder, reachable as shell:startup 🔄. Next, we have the keylogger function, which discreetly records all keystrokes made by the user ⌨️. However, I must admit that this functionality is not yet fully refined: in certain situations some keystrokes are not converted correctly to characters 🐞.
Now, let's move on to the crucial role of the server, which issues commands and communicates with the malware 📡. This communication takes place over network sockets and is wrapped in SSL/TLS 🔒. Keep in mind that TLS hides the command traffic from inspection, not the connection itself: the destination, the certificate the server presents and the beaconing pattern all remain visible to network monitoring.
Before we delve further into the analysis, here is the link to the project’s repository on GitHub:
This repository holds all the coding magic, ready to be explored and unraveled 🧙‍♂️💻. Dive into the depths of this mysterious project and uncover its best-kept secrets. But remember, with great power comes great responsibility ⚡️⚙️.
POC
We will proceed with functional testing of the malware to build a proof of concept (POC) of what we have coded. The objective of these tests is to verify that the features we implemented (persistence, keylogging and PowerShell commands) work as intended and perform their tasks reliably. They also surface any bugs so they can be fixed before the sample is used for anything else.
Analysis 🕵️‍♂️
Now comes the interesting part — let’s see how antivirus software reacts to our malware! Will they be welcoming or hostile? 🤔
The primary objective of this analysis is to assess the detection capabilities of antivirus programs when faced with our malware. We want to understand whether our carefully crafted code and stealthy techniques can evade detection or if they trigger alarm bells 🚨.
At first glance, on the test machine's own antivirus, our malware does not trigger any detection. To obtain more comprehensive results, we will still submit it to VirusTotal. One caveat before doing so: anything uploaded to VirusTotal is shared with the participating vendors, so a sample that is clean today can be signatured shortly afterwards.
Before we proceed, I should mention that the function names in the program and certain string literals, particularly the local commands, are not obfuscated, which makes static detection easier. Additionally, the sandbox-detection function is not active in the version submitted to VirusTotal.
VirusTotal check:
I consider this a success, since the detections mainly came from antivirus engines known for their false positives and relying primarily on static analysis and string matching. That said, this is exactly the kind of hit an unobfuscated build invites, and a low VirusTotal score on day one says nothing about how an EDR would judge the runtime behaviour (startup-folder write, keyboard hooking, PowerShell spawning, outbound TLS).
We can even observe that the sandbox reports tag certain MITRE ATT&CK techniques, precisely as anticipated given the feature set.
For more, see here: