TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-009-001
Countries: IN, CN
Report Date: 20180109

Bypassing Antivirus using Amber (Reflective PE Packer)

Amber is a proof-of-concept tool used for bypassing antivirus software.  Amber uses techniques that convert Portable Executables (PEs) so that they can be loaded reflectively.  The result can be used as a multi-stage payload for infection on a target system.  It was developed by Ege Balci and takes advantage of in-memory execution methods.  In-memory, fileless execution can be defined as executing a compiled PE inside memory without actually writing data to storage.  This leaves a smaller footprint, as the malware does not leave a file on the hard drive.  It also makes detection by antivirus or antimalware solutions difficult.

Technical Details[1]:

The fundamental goal of the process is to execute the binary inside the operating system (OS) memory.  The following process is followed by Amber:

  1. To generate the actual Amber payload, the packer first creates a memory mapping image of the malware.  The resulting memory mapping file contains all sections, the optional PE header and null byte padding, which fills the unallocated memory space between sections.

  2. After obtaining the mapping of the malware, the packer checks the Address Space Layout Randomization (ASLR) compatibility of the supplied EXE.  If the EXE is ASLR compatible, the packer adds the related Amber stub.  If not, it uses the stub for EXE files that have a fixed image base.  At this point, the Amber payload is complete.
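When triaging a suspect sample, an analyst can read the two header facts this process depends on, ASLR compatibility and the mapped section layout with its zero padding, directly from the PE headers.  The Python below is an added example, not part of this report or of Amber; `pe_layout` and `constructed_sample` are hypothetical names, the sample is a constructed header-only image, and treating "DYNAMIC_BASE set and relocations not stripped" as ASLR compatible is an assumption.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED

def pe_layout(data):
    """Parse PE headers: ASLR compatibility plus the in-memory section layout."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size, file_chars = struct.unpack_from("<H12xHH", data, pe + 6)
    opt = pe + 24                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    wide = magic == 0x20B  # PE32+ stores an 8-byte ImageBase at offset 24
    base = struct.unpack_from("<Q" if wide else "<I", data, opt + (24 if wide else 28))[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsec):                                  # 40-byte section headers
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize))
    sections.sort(key=lambda s: s[1])
    # Space between the end of a section and the next section (or the image end)
    # has no file backing and is zero-filled in the mapped image.
    ends = [s[1] for s in sections[1:]] + [size_of_image]
    padding = [(s[0], end - (s[1] + s[2])) for s, end in zip(sections, ends)]
    return {"image_base": base, "size_of_image": size_of_image,
            "aslr": bool(dll_chars & DYNAMIC_BASE) and not file_chars & RELOCS_STRIPPED,
            "sections": sections, "padding": padding}

def constructed_sample(dll_chars, file_chars):
    """Build a constructed, header-only PE32 image (no code) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, file_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 28, 0x400000, 0x1000)     # ImageBase, SectionAlignment
    struct.pack_into("<I", opt, 56, 0x3000)                # SizeOfImage
    struct.pack_into("<H", opt, 70, dll_chars)
    sec = lambda n, va, vs: struct.pack("<8sII24x", n, vs, va)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec(b".text", 0x1000, 0x600) + sec(b".data", 0x2000, 0x200)

if __name__ == "__main__":
    for label, dc, fc in (("aslr", DYNAMIC_BASE, 0x0002), ("fixed base", 0, 0x0003)):
        print(label, pe_layout(constructed_sample(dc, fc)))
```
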

Installation:

To install Amber, a user must follow these steps:

git clone https://github.com/EgeBalci/Amber.git

Using a Metasploit Stage for Executing Payloads:

Amber will contain 2 parts:

  1. The stager - a Metasploit stage module used to bring the actual payload on the target computer.  
  2. The actual payload file, which will execute on the target system, is generated using the following commands

The generated file is a Windows executable, which will be packed using Amber.  This creates a file named payload3.exe.stage.  This file is used as the handler.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Prepared:      Wapack Labs Asia Desk
Reviewed:     B. Schenkelberg
Approved:     J. Stutzman
