TACTICAL CYBER INTELLIGENCE REPORT
Actor Type: II
Serial: TR-18-009-001
Countries: IN, CN
Report Date: 20180109
Bypassing Antivirus using Amber (Reflective PE Packer)
Amber is a proof-of-concept tool used for bypassing antivirus software. Amber uses techniques that convert Portable Executables (PEs) to reflectively load those PEs. This can be used as a multi-stage payload for infection on a target system. It was developed by Ege Balci and takes advantage of in-memory execution methods. In-memory fileless execution can be defined as executing a compiled PE inside the memory, without actually writing data to the storage. This results in fewer footprints, as the malware does not leave a file on the hard drive. This method also makes it difficult for any antivirus or antimalware solutions to be used for detection.
Technical Details[1]:
The fundamental goal of the process is to execute the binary inside the operating system (OS) memory. The following process is followed by Amber:
- For generating the actual Amber payload, the first packer creates a memory mapping image of the malware. This generates a memory mapping file which contains all sections, optional PE header and a null byte padding – used for unallocated memory space between sections.
- After obtaining the mapping of the malware, a packer checks the Address Space Layout Randomization (ASLR) compatibility of the supplied EXE. If the EXE is an ASLR compatible packer, it adds the related Amber stub. If not, it uses the stub for EXE files that has fixed an image base. From this point, Amber payload is completed.
Installation:
To install Amber, a user must follow these steps:
git clone https://github.com/EgeBalci/Amber.git |
Using an Metasploit Stage for Executing Payloads:
Amber will contain 2 parts:
- The stager - a Metasploit stage module used to bring the actual payload on the target computer.
- The actual payload file, which will execute on the target system, is generated using the following commands
The generated file is Windows executable, which will be packed using Amber. This creates a file named, payload3.exe.stage. This file is used as the handler.
Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
Prepared: Wapack Labs Asia Desk
Reviewed: B. Schenkelberg
Approved: J. Stutzman
Comments