optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.
2.73k stars · 506 forks

ESET detecting latest version of ScareCrow #51

Closed Simon-Davies closed 2 years ago

Simon-Davies commented 2 years ago

The latest version of ScareCrow is detected by ESET. I git cloned the repo today to test. See below:

[attached screenshot: IMG_20220327_154631]

Tylous commented 2 years ago

Are you using staged or stageless shellcode?

Simon-Davies commented 2 years ago

I created a binary payload out of the Mythic agent Apollo using the apollo.bin shellcode

Tylous commented 2 years ago

Right but are you using staged or stageless shell?

Simon-Davies commented 2 years ago

As far as I am aware it is stageless. See below:

https://github.com/MythicAgents/Apollo

When creating the payload in Mythic, there is no option to choose staged or stageless like there is with Cobalt Strike.

ESET are the best AV at detecting Red Team tooling, they create a signature on everything fast.

Tylous commented 2 years ago

So a couple of things. First, this says nothing about whether it's staged or not. That being said, Rozena-based alerts are related to an "attempt to download several files from the Internet. The files are then executed". This usually gives me the inclination that it is staged. Second, it's hard for me to tell what you've done, whether this is a shellcode thing or the loader, due to the lack of information provided. I myself haven't had issues against ESET. Third (and I've mentioned this before), I would never upload my loaders to those scanning sites for opsec concerns. I'd need more data to be able to assist.

Simon-Davies commented 2 years ago

I uploaded to a Non-Distributing scanner that you pay for with Bitcoin.

This scanner doesn't cause detections as I have tested payloads and tested months later and they have still been undetected.

You can also test with the free Non-Distributing scanner: antiscan.me

I have created an issue regarding the creation of a stageless payload:

https://github.com/MythicAgents/Apollo/issues/102

The response:

"All Apollo payloads are stageless, if by stageless you mean having the full agent being delivered to target. There is no notion of stage 0, 1, 2, etc. unless you impose it yourself with creating a 'thin' agent with only the load command."

So my payload was stageless as I included all commands.

I just tested .dll payloads and they are also flagged with the same detection that .exe payloads are.

Can we talk via another means? I have an idea that might bypass this ESET detection, a technique from the CIA (Vault 7) which I used before and it worked well against ESET.

I just messaged you on LinkedIn

Tylous commented 2 years ago

Closing due to discussion offline

ad0nis commented 2 years ago

FWIW, I had a ScareCrow'd stageless Cobalt Strike beacon detected by ESET as Rozena last week as well.

nocomp commented 2 years ago

The sent file was detected as: Gen:Trojan.ScareCrow.Gen.1. Hi folks, how do I remove some signatures to bypass static analysis?

Vyiel commented 2 years ago

> ScareCrow'd stageless Cobalt Strike

Same for some other vendors