Hello aspiring ethical hackers. In our previous blogpost, you learnt about most popular antivirus bypass techniques used. In this article, you will learn about EXOCET – a  AV-evading, undetectable, payload delivery tool. EXOCET is a Crypter type malware dropper. A Crypter is a software that is used to make malware undetectable. It performs functions such as encrypting, obfuscating and manipulating the code of the malware to make it undetectable.
EXOCET is one such Crypter-type malware dropper that can be used to recycle easily detectable malware payloads. EXOCET achieves this by encrypting those malware files using AES-GCM (Galois/Counter Mode) and then create a dropper file for a majority of target architectures and platforms.
Written in Golang programming language, the steps involved in making malware undetectable by EXOCET are,
- It first takes malware that is easily detectable by Anti Virus engines as input.
- It then encrypts this easily detectable malware and produces it’s own Go file.
- This Go file can be cross-compiled to 99% of known architectures like Linux, Windows, Macs, Unix, Android and IPhone etc.
- Upon execution, the encrypted payload is written to the disk and immediately executed on the command line.
Let’s see how it works. For this we will be using Kali Linux. First, we need to install Golang on Kali as Exocet is a GO program.
Once Golang is successfully installed, clone the repository of Exocet from GitHub. It can be downloaded from here.
We need to install the EXOCET source files in golang. We can do this using the command shown below.
Exocet is successfully installed. Now, let’s test it. We create a reverse shell payload with Msfvenom first.
We copy this payload to our target system which is Windows 10. The Windows Defender easily detects it (obviously) and classifies it as malware.
This is expected. Next, We copy this easily detectable payload to the directory of Exocet.
Then we run the following command using Exocet. This will create a new golang file called outputmalware.go.
Then we run the following command to create a Windows 64 bit payload.
Our result is the exocet_payload.exe. We start a Metasploit listener on the attacker system and copy the Exocet payload to the target.
This time the payload goes undetected as shown below.
This is how we create AV evading payloads with EXOCET. Next learn about AV|ATOR, another tool that can create AV-evading payloads.
Follow Us
