bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

Issue with BitDefender Partial Detection of r77 and Loss of Persistence #76

Closed Ogyeet10 closed 3 months ago

Ogyeet10 commented 3 months ago

Description: Hey, bytecode77

I've been conducting a series of tests on the r77 rootkit across various antivirus platforms, and most recently, I focused on BitDefender. The procedure involved initially disabling the antivirus, installing r77, and then reactivating the antivirus for detection analysis. Notably, Windows Security did not identify any anomalies, but BitDefender presented a different outcome.

BitDefender's Response:

BitDefender did not recognize the hollowed-out r77 process itself. However, it flagged the associated task scheduler file. More interestingly, BitDefender began marking nearly every new system process as malicious following the r77 installation. The r77 process was unable to maintain persistence due to BitDefender detecting the task scheduler file and quarantining it, resulting in the rootkit losing persistence and not restarting upon system reset.

Main Questions:

  1. Detection Logic: Why does BitDefender classify most injected system processes as malicious? Is it possible that BitDefender is identifying the r77 header injected into process memory as a threat?
  2. Preventing False Positives: What can I do to prevent BitDefender from flagging the task scheduler file associated with r77? Why could it be flagging the file?

Additional Context:

I understand that these questions may not directly pertain to an issue with r77 itself. Since I’ve seen a lot of similar questions in the closed issues section I figured I should try and ask in case you would know anything.

Testing Environment:

I am currently away from my primary workstation and unable to provide the specific flagging details from BitDefender. I will update this issue with the exact categorization by BitDefender when I get home.

bytecode77 commented 3 months ago

Windows Defender used to detect the scheduled task files based on a signature of the powershell commandline. But ever since I implemented polymorphism, Microsoft was unable to derive a meaningful signature. And it has been 5 months since the last release, which is funny, especially because it's proclaimed to be the best AV and one of the most widespread, too.

Anyway, the scheduled task file is a critical point, because deleting it breaks persistence and it's the only file on the disk. I can think of several reasons why it could be detected:

You could try to rule these theories out e.g. by renaming the file and test again, or by removing some parts of the powershell argument just to see what exactly offends BitDefender.

Lastly, detecting all injected processes happened with ESET before. I guess it's several signatures on certain strings, section names, etc... I've seen yara rules for r77 online.

Let me know if you figure out what it was ;) I don't do fixes for specific signatures, but I do implement generic solutions, such as the polymorphic AMSI bypass and so on
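Added example, not code from the thread or from r77: a defender-side audit that parses a scheduled-task XML definition and flags PowerShell launchers by their traits (hidden window, encoded command, profile suppression, the $77 prefix) rather than by a fixed command-line signature, since the comment above notes that a signature on the command line stops working once it is polymorphic. The heuristics, task names and sample definitions are constructed assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Windows keeps one XML file per scheduled task under C:\Windows\System32\Tasks
# (UTF-16 on disk; read them with encoding="utf-16"). This is that schema's namespace.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics for a PowerShell launcher, chosen here as assumptions rather than
# any signature of r77's own task: hidden window, encoded or bypassed command,
# profile suppression, or the "$77" prefix mentioned in the thread.
ARG_PATTERNS = [
    r"-w(indowstyle)?\s+hidden",
    r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}",
    r"-(ep|executionpolicy)\s+bypass",
    r"-nop\b|-noprofile\b",
    r"\$77",
]
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.I)

def analyze_task_xml(xml_text: str) -> dict:
    """Inspect one task definition; report why it looks like PowerShell-based persistence."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    reasons = []
    for exe in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if not POWERSHELL.search(cmd):
            continue
        reasons.append("action runs PowerShell")
        reasons += [f"arguments match /{p}/" for p in ARG_PATTERNS if re.search(p, args, re.I)]
    if "$77" in uri:
        reasons.append("task name carries the $77 prefix")
    # Plain PowerShell tasks are common; flag only when an extra indicator is present.
    return {"uri": uri, "reasons": reasons,
            "suspicious": any(r != "action runs PowerShell" for r in reasons)}

def task_xml(uri: str, command: str, arguments: str) -> str:
    """Build a minimal task definition (constructed sample data for this example)."""
    return (f'<Task version="1.2" xmlns="{TASK_NS["t"]}">'
            f'<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>'
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

# Constructed samples: a hidden, encoded launcher (benign payload) and an ordinary task.
ENCODED = base64.b64encode("Write-Host constructed-sample".encode("utf-16-le")).decode()
HIDDEN_TASK = task_xml(r"\Updater", "powershell.exe",
                       f"-WindowStyle Hidden -NoProfile -EncodedCommand {ENCODED}")
PLAIN_TASK = task_xml(r"\Backup", r"C:\Tools\backup.exe", "/full")

if __name__ == "__main__":
    for xml in (HIDDEN_TASK, PLAIN_TASK):
        print(analyze_task_xml(xml))
```

Run over every file below the Tasks directory to list launchers worth a closer look; the thresholds are deliberately loose and meant for triage, not as a verdict.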

Ogyeet10 commented 3 months ago

Ok, I'll work on that in a few days. I want to first finish my install script (sets up a reverse shell, disables Windows Defender using PS so the install exe does not get flagged, etc.). Feel free to close this issue if you want, I'll reopen it once I have more info. PS good job with the r77 process itself, it's quite surprising that BitDefender didn't flag it at all. If I can't find a solution I'll just jerry-rig a service that runs the same PS command as the scheduled task to kickstart r77. No idea how I'm going to deal with most processes getting flagged though...

bytecode77 commented 3 months ago

All right. You seem to know what you're doing, so feel free to re-open any time.

By the way, Install.shellcode is basically a RunPE + Install.exe 2-in-1. If you execute this in memory, you can bypass Windows Defender during the installation. You should be able to do this in Powershell, too, have a look at the C# example.

Ogyeet10 commented 3 months ago

I've encountered a significant challenge with BitDefender (BD) that affects the operation of admin-level processes injected by r77. During tests in my r77 BD VM, I noticed that several critical applications fail to launch due to BD interventions. For example, BD terminates certain processes that the Windows Settings app depends on (therefore it fails to even appear on screen for a split second). The most frequently flagged process is icacls, but this issue extends to any admin process that has been injected by r77, such as regedit and settings.

Issues Encountered:

Given these problems, BD's aggressive detection and termination tactics have rendered the r77 rootkit ineffective. This is because avoiding the injection of admin processes to circumvent BD detection compromises the fundamental capabilities of the rootkit. For example, if regedit (an admin process) isn't injected, a curious user may stumble upon the $77config reg key.

Temporary Measures and Further Investigation:

For the moment, I am considering detecting BD by checking for the existence of its installation directories, and if detected, aborting the installation script. This failure will then be logged to my command and control (C&C) server for further analysis. However, this is far from a perfect solution as it essentially admits defeat against BD's security measures.

Possible Solutions:

Assistance:

I am not smart enough to look into why BitDefender is flagging all admin processes, but my best guess is BD puts more effort into checking admin processes as those can do the most damage and therefore finds something related to r77 in the processes' memory.

I've paused research into the scheduled task file as this issue is now my main concern.

As you said it's probably getting flagged due to a yara rule (which you don't fix).

PS I'll move to the shellcode installer cause my current solution only works for Windows Defender and select others.

If you have any ideas or potential updates (to r77) that could address these challenges, please share them. I am open to exploring all possible avenues to enhance r77's resilience against BD (and other AVs).

Do you want me to move this to its own separate issue?

(sorry if I kinda rambled, I wanted to cover a lot)