Intro

Antivirus evasion techniques are methods malware authors use to bypass or evade detection by antivirus software. Their goal is to make the malware appear harmless or undetectable so that it can run and continue its malicious activity unnoticed. Common techniques include code obfuscation, which rewrites the malware's code so that it is harder for antivirus software to recognise; the use of packers or crypters, which encrypt (or compress) the malware so that a static scan does not see its real contents; polymorphism, which generates variants of the malware to evade signature-based detection; and sandbox evasion, in which the malware detects that it is running in a virtual or analysis environment and withholds any malicious activity that could be observed there.

This case study introduces some AVE (AntiVirus Evasion) techniques.
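Packers and crypters work because an encrypted or compressed body carries none of the byte patterns a signature was written for. The flip side is that such a body looks statistically like random data, and that is something a defender can measure. The following Python script is an added example, not code from the original case study or from any tool it mentions: it computes Shannon entropy over a file in fixed-size windows and flags windows whose entropy approaches the 8-bit maximum. The sample buffer is constructed inline (a repeated DOS-stub string followed by seeded pseudo-random bytes standing in for an encrypted payload); the window size and 7.0 threshold are assumptions, not values from the page.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 for empty or constant data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Return (offset, entropy) for every full window whose entropy >= threshold.

    Encrypted or packed regions typically score above ~7.0 bits/byte; ordinary
    code and text score well below that. Compressed resources (images, archives)
    also score high, so treat a hit as a reason to look closer, not as a verdict.
    """
    hits = []
    for offset in range(0, len(data) - window + 1, window):
        chunk = data[offset:offset + window]
        ent = shannon_entropy(chunk)
        if ent >= threshold:
            hits.append((offset, round(ent, 3)))
    return hits


def build_sample() -> bytes:
    """Constructed sample: 2048 bytes of low-entropy text, then 2048 pseudo-random bytes."""
    stub = b"This program cannot be run in DOS mode.\r\n"
    text_part = (stub * 50)[:2048]
    rng = random.Random(1234)  # seeded so the result is reproducible
    random_part = bytes(rng.getrandbits(8) for _ in range(2048))
    return text_part + random_part


def flagged_offsets(data: bytes) -> list:
    """Offsets of the high-entropy windows only (convenience for reporting)."""
    return [offset for offset, _ in high_entropy_windows(data)]


if __name__ == "__main__":
    sample = build_sample()
    print(f"whole-buffer entropy: {shannon_entropy(sample):.3f} bits/byte")
    for offset, ent in high_entropy_windows(sample):
        print(f"  high-entropy window at 0x{offset:06x}: {ent:.3f} bits/byte")
```

Run against a real file with `high_entropy_windows(open(path, "rb").read())`; a hit covering most of the file is the classic packed-binary profile, while an isolated hit is often just an embedded compressed resource.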

Using obfuscated builds

The simplest way to evade AV detection is to use an obfuscated build. For instance, WinPEAS ships an obfuscated version (winPEASx64_ofs.exe), which can be found here: https://github.com/carlospolop/PEASS-ng/releases/tag/20230402

Obfuscate a tool by yourself

Nimcrypt2 is a Linux-based tool that can be used to obfuscate binaries: https://github.com/icyguider/Nimcrypt2. It takes a bit of time to set up the tool, but once it is set up, it is relatively straightforward to use.

Let's take a tool called Certify as an example: https://github.com/GhostPack/Certify. This tool is often picked up by AV during execution.

Note that the obfuscated tools may often fail the sleep check; my method to get around it is to comment out the following line in the nimcrypt.nim file and then rebuild the nimcrypt binary:

# line 468 of nimcrypt.nim: with quit() commented out, a failed sleep check
# is only reported and execution continues instead of exiting
if not sleepAndCheck():
    echo "[-] Sleep did not pass the check, exiting"
    # quit()

To obfuscate a binary:

> ./nimcrypt -f Certify.exe -t csharp -u -e -o NimCertify.exe

Then, NimCertify.exe can evade AV detection in most cases.