Closed Ogyeet10 closed 3 months ago
Windows Defender used to detect the scheduled task files based on a signature of the powershell commandline. But ever since I implemented polymorphism, Microsoft was unable to derive a meaningful signature. And it has been 5 months since the last release, which is funny, especially because it's proclaimed to be the best AV and one of the most widespread, too.
Anyway, the scheduled task file is a critical point, because deleting it breaks persistence and it's the only file on the disk. I can think of several reasons why it could be detected:
You could try to rule these theories out, e.g. by renaming the file and testing again, or by removing some parts of the powershell argument just to see what exactly offends BitDefender.
Lastly, detecting all injected processes happened with ESET before. I guess it's several signatures on certain strings, section names, etc. I've seen YARA rules for r77 online.
Let me know if you figure out what it was ;) I don't do fixes for specific signatures, but I do implement generic solutions, such as the polymorphic AMSI bypass and so on.
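From the defender's side of the point made above (the scheduled task's PowerShell command line is the one artifact that lives on disk), here is an added example that is not code from this thread or from the r77 project. It audits exported Task Scheduler XML for action command lines that carry traits commonly associated with script-based persistence, and it decodes a `-EncodedCommand` payload so the indicators are also matched against the plaintext. The indicator names are this example's own labels, and the two task definitions are constructed samples, not real task files.

```python
import base64
import os
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by every exported task definition.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Command-line traits worth a second look in a scheduled task's action.
# The names are this example's own labels, not any AV vendor's categories.
INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "execution_policy_bypass": r"-(?:ep|ex(?:ec(?:utionpolicy)?)?)\s+bypass",
    "encoded_command": r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}",
    "no_profile": r"-nop(?:rofile)?\b",
    "non_interactive": r"-noni(?:nteractive)?\b",
    "invoke_expression": r"\biex\b|invoke-expression",
    "base64_decode": r"frombase64string",
    "download_cradle": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
}
INDICATORS = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}

ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(arguments: str) -> str:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or ''."""
    match = ENCODED_ARG.search(arguments)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_task(xml_source) -> list:
    """Inspect every <Exec> action in one task definition.

    Accepts the XML as str or bytes. Real task files under
    C:\\Windows\\System32\\Tasks are UTF-16 with an XML declaration, so pass
    their raw bytes and let the parser honour the declared encoding.
    """
    root = ET.fromstring(xml_source)
    results = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        command = (exec_node.findtext(TASK_NS + "Command") or "").strip()
        arguments = (exec_node.findtext(TASK_NS + "Arguments") or "").strip()
        decoded = decode_encoded_command(arguments)
        # Match against the raw command line and the decoded payload, so an
        # -EncodedCommand wrapper does not hide the interesting part.
        haystack = f"{command} {arguments}\n{decoded}"
        indicators = [name for name, pattern in INDICATORS.items() if pattern.search(haystack)]
        results.append({
            "command_line": f"{command} {arguments}".strip(),
            "decoded_command": decoded,
            "indicators": indicators,
        })
    return results


def scan_task_directory(directory: str) -> list:
    """Walk a tasks directory and return (path, action) pairs that hit any indicator."""
    flagged = []
    for dirpath, _, filenames in os.walk(directory):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as handle:
                    actions = analyze_task(handle.read())
            except ET.ParseError:
                continue  # not a task definition (or a damaged one); skip it
            flagged.extend((path, action) for action in actions if action["indicators"])
    return flagged


# Constructed samples for offline demonstration; these are not real task files.
CONSTRUCTED_DECODED = "Invoke-Expression (Get-Content 'C:\\placeholder\\stage.txt')"
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_DECODED.encode("utf-16-le")).decode("ascii")

SUSPICIOUS_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-nop -w hidden -ep bypass -enc {CONSTRUCTED_B64}</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\notepad.exe</Command>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for action in analyze_task(SUSPICIOUS_TASK_XML) + analyze_task(BENIGN_TASK_XML):
        print(action["command_line"][:60], "->", action["indicators"] or "no indicators")
```

On a live host the interesting call is `scan_task_directory(r"C:\Windows\System32\Tasks")`, run from an elevated prompt; a hit is a lead for an analyst, not a verdict, since administrators do legitimately schedule hidden PowerShell jobs, and a task whose only trait is a hidden window deserves less attention than one combining an encoded payload with `Invoke-Expression`.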
OK, I'll work on that in a few days. I want to first finish my install script (it sets up a reverse shell, disables Windows Defender using PS so the install exe does not get flagged, etc.). Feel free to close this issue if you want, I'll reopen it once I have more info. PS: good job with the r77 process itself, it's quite surprising that BitDefender didn't flag it at all. If I can't find a solution I'll just jerry-rig a service that runs the same PS command as the scheduled task to kickstart r77. No idea how I'm going to deal with most processes getting flagged though...
All right. You seem to know what you're doing, so feel free to re-open any time.
By the way, Install.shellcode is basically a RunPE + Install.exe 2-in-1. If you execute this in memory, you can bypass Windows Defender during the installation. You should be able to do this in PowerShell, too, have a look at the C# example.
I've encountered a significant challenge with BitDefender (BD) that affects the operation of admin-level processes injected by r77. During tests in my r77 BD VM, I noticed that several critical applications fail to launch due to BD interventions. For example, BD terminates certain processes that the Windows Settings app depends on (therefore it fails to even appear on screen for a split second). The most frequently flagged process is icacls, but this issue extends to any admin process that has been injected by r77, such as regedit and settings.
Issues Encountered:
Given these problems, BD's aggressive detection and termination tactics have rendered the r77 rootkit ineffective. This is because avoiding the injection of admin processes to circumvent BD detection compromises the fundamental capabilities of the rootkit. For example, if regedit (an admin process) isn't injected, a curious user may stumble upon the $77config reg key.
Temporary Measures and Further Investigation:
For the moment, I am considering detecting BD by checking for the existence of its installation directories, and if detected, aborting the installation script. This failure will then be logged to my command and control (C&C) server for further analysis. However, this is far from a perfect solution as it essentially admits defeat against BD's security measures.
Possible Solutions:
Assistance:
I am not smart enough to look into why BitDefender is flagging all admin processes, but my best guess is BD puts more effort into checking admin processes, as those can do the most damage, and therefore finds something related to r77 in the process's memory.
I've paused research into the scheduled task file as this issue is now my main concern.
As you said, it's probably getting flagged due to a YARA rule (which you don't fix).
PS: I'll move to the shellcode installer because my current solution only works for Windows Defender and select others.
If you have any ideas or potential updates (to r77) that could address these challenges, please share them. I am open to exploring all possible avenues to enhance r77's resilience against BD (and other AVs).
Do you want me to move this to its own separate issue?
(sorry if I kinda rambled, I wanted to cover a lot)
Description: Hey, bytecode77
I've been conducting a series of tests on the r77 rootkit across various antivirus platforms, and most recently, I focused on BitDefender. The procedure involved initially disabling the antivirus, installing r77, and then reactivating the antivirus for detection analysis. Notably, Windows Security did not identify any anomalies, but BitDefender presented a different outcome.
BitDefender's Response:
BitDefender did not recognize the hollowed-out r77 process itself. However, it flagged the associated task scheduler file. More interestingly, BitDefender began marking nearly every new system process as malicious following the r77 installation. The r77 process was unable to maintain persistence due to BitDefender detecting the task scheduler file and quarantining it, resulting in the rootkit losing persistence and not restarting upon system reset.
Main Questions:
Additional Context:
I understand that these questions may not directly pertain to an issue with r77 itself. Since I've seen a lot of similar questions in the closed issues section, I figured I should try and ask in case you would know anything.
Testing Environment:
I am currently away from my primary workstation and unable to provide the specific flagging details from BitDefender. I will update this issue with the exact categorization by BitDefender when I get home.