Recently, when researching different tactics threat actors use to bypass AV (anti-virus) engines, I discovered this very simple yet effective “bypass”.
After learning how to build a relatively basic C++ ransomware, I was wondering which techniques are likely to succeed in bypassing antivirus products.

After building out tools like the usual XOR string encoders, dynamic API resolution at runtime, sandbox detection and so on for the ransomware, I was wondering if there is a way to completely get around antivirus engines noticing that the user's files are being encrypted.

The issue with bypassing AVs with ransomware is that even if you get around static detection, or even dynamic detection for a while, a decent AV or EDR solution should always spot that the user's files are being encrypted and renamed at light speed. While many AV engines that I have tested crumble to simple XOR encoding and dynamic API calls alone, many are decent enough to catch them encrypting files at runtime, or even when AP.
Bypassing Defender
To successfully bypass Defender and other AVs I discovered a technique that completely evades modern engines: it abuses safemode to do this.
What is safemode?
Safemode is a diagnostic tool that only loads critical drivers and services that run Windows. It is normally used to help troubleshoot issues by running the system with minimal functionality, in an attempt to make it easier to troubleshoot problems with software, drivers or, ironically, even malware.
With safemode in its most minimal configuration, Microsoft Defender and similar AVs/EDRs will not run.
With this in mind, I set out to make a packer that could exploit this.
Custom Packer
This packer that abuses safemode is mostly like any other: it keeps the executable encrypted until detonation. Where this one differs is in its stages, how it unpacks, and how it uses safemode.
Upon detonation it elevates itself to admin, saves itself to C:\Windows\System32\smploader.exe, sets itself to execute at user logon via the Userinit registry key, and registers itself as a service that runs in safemode.

It then checks to see if the machine is in safemode using different environment variables and registry keys, both at initial runtime and after reboot.

If it is not in safemode it attempts to restart into minimal safemode and sets smploader.exe to run once with the –safemode parameter.

It has protections so that it isn't stuck in a permanent boot loop.

To look more realistic it uses the Win32 API “InitiateSystemShutdownExA” with a custom message:


From there it reboots into minimal safemode and automatically launches (in this case) from C:\Windows\System32\smploader.exe –safemode.
It then verifies that it is in safemode before unpacking.

From there it can do essentially anything, as there is no AV/EDR running, and you do not even need UAC approval to execute binaries as admin.
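As an added defender-side example (this is not the author's packer code), here is a small Python detector that runs over constructed, Sysmon-style process-creation and registry-write records and flags the three footprints described above: a bcdedit safeboot change, a service registered under the SafeBoot\Minimal key, and a Userinit modification. The key=value log format, file names and paths are constructed assumptions, not real telemetry.

```python
import re
from collections import defaultdict
# Constructed, simplified process-creation and registry-write records in key=value
# form, loosely modelled on Sysmon-style fields. Paths and values are made up.
SAMPLE_LOG = r'''
event=ProcessCreate parent="C:\Users\bob\Downloads\invoice.exe" image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit /set {current} safeboot minimal"
event=RegistrySet image="C:\Users\bob\Downloads\invoice.exe" target="HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\smploader" detail="Service"
event=RegistrySet image="C:\Users\bob\Downloads\invoice.exe" target="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" detail="C:\Windows\system32\userinit.exe,C:\Windows\System32\smploader.exe"
event=ProcessCreate parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmd="notepad.exe notes.txt"
event=ProcessCreate parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit /enum"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Rule 1: bcdedit touching the safeboot option (set or deleted) is rare outside
# hands-on troubleshooting. Rule 2: a service or driver registered to load in
# Safe Mode. Rule 3: the Winlogon Userinit value, a classic persistence location.
SAFEBOOT_CMD = re.compile(r"bcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(?:Minimal|Network)\\", re.I)
USERINIT_KEY = re.compile(r"\\Winlogon\\Userinit$", re.I)

def parse_record(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k.lower(): v.strip('"') for k, v in FIELD.findall(line)}

def classify(rec):
    """Return (rule_name, responsible_image) for a suspicious record, else None."""
    if rec.get("event") == "ProcessCreate" and SAFEBOOT_CMD.search(rec.get("cmd", "")):
        return "bcdedit_safeboot", rec.get("parent", "")  # blame the process that ran bcdedit
    if rec.get("event") == "RegistrySet":
        target = rec.get("target", "")
        if SAFEBOOT_KEY.search(target):
            return "safeboot_service_registered", rec.get("image", "")
        if USERINIT_KEY.search(target):
            return "userinit_persistence", rec.get("image", "")
    return None

def analyse(log_text):
    """Map each responsible image (lower-cased) to the sorted rules it tripped."""
    hits = defaultdict(set)
    for line in log_text.strip().splitlines():
        result = classify(parse_record(line))
        if result:
            rule, actor = result
            hits[actor.lower()].add(rule)
    return {actor: sorted(rules) for actor, rules in hits.items()}

def high_confidence(findings):
    """One hit is a triage lead; two or more is the packer footprint from the post."""
    return sorted(actor for actor, rules in findings.items() if len(rules) >= 2)
```

A single bcdedit safeboot hit will also fire on a legitimate administrator preparing a troubleshooting reboot, which is why the combined footprint, not any one rule, is the high-confidence signal.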
Application for Ransomware/Malware
With this being said, this bypass is pretty much perfect for ransomware, as there is no threat of AVs being able to stop it once it has unpacked in safemode. With even Microsoft Defender implementing “Controlled folder access” it is getting harder to successfully execute ransomware; with this bypass, as long as the packer is properly obfuscated and is not detected before it reboots into safemode, the ransomware payload has a 100% chance of working on Windows systems supporting safemode.
There are some small caveats:
- You need to elevate to admin at runtime
- For a “real” threat actor’s ransomware you would need to obtain the public and private keys for encryption/decryption before unpacking in safemode
- For other types of malware (infostealers, for example) that need internet access, you would need your internet-enabled features to run either before or after entering minimal safemode
These caveats are quite minor in my opinion, especially for infostealers: after unpacking you could easily write exclusions for your binaries while in safemode, gather credentials, and then exfiltrate them when rebooting into Windows normally. For ransomware it is a bit more complicated because of the encryption and decryption keys, but it is still very doable.
Showcase
This is a showcase of the bypass working; it is time-lapsed in parts, as I have implemented extremely long sleeps between stages of its execution:
Real World Testing
To verify how effective this AV bypass is, I tested it against many of the top anti-virus engines. This could be seen as a real-world AV review with reasonably capable fresh malware, depending on the quality of my programming :p
Tests
Here is how I’ve tested and what I mean by “success” or “fail”:
Bypass rate:
success = the ransomware was able to run (and actually ransom files)
fail = the ransomware was not able to run (it was blocked)
Additionally, all fails (apart from Zone Alarm and Kaspersky) were at runtime. All AV engines were set to their maximum levels of protection. In case anyone is wondering, I haven’t tested AVs like ClamAV or Malwarebytes Free, as they are not good at detecting, or cannot detect, malware at runtime.
| Antivirus | QuagRanObfuscated | QuagRanObfuscatedBasicPacked | QuagRanObfuscatedSafemodePacked |
|---|---|---|---|
| Microsoft Defender | success | fail | success |
| Bitdefender Free | fail | fail | fail |
| Kaspersky Free | fail | fail | fail |
| Avast/AVG Free | success | fail | fail |
| Sophos Home Free | fail | fail | success |
| ESET NOD32 Free | fail | fail | success |
| Zone Alarm Free | success | success | fail |
| Panda AV Free | success | success | success |
| Tencent PC Manager | success | success | success |
| Trend Micro: Max Sec | fail | fail | fail |
| Avira Free | fail | fail | fail |
I’ve tried not to cherry-pick AV vendors, and I feel this is a pretty fair list when looking at their performance, although I myself had not heard of a couple of them.
Tencent PC Manager was a funny experience: it has an insane amount of bloat, and trying to translate the Chinese to English was fun. I’ve included it as China is a big market, although I have no idea how popular this AV suite is.


Like many AVs I’ve tested, it detected the basic samples after a while, but by that point the ransomware had already encrypted so many user files and .sys files/internals that I’ve counted it as a fail for the AV.
Tragically, in the safemode packer test “Tencent PC Manager” tries to block the bcdedit safemode modifier commands, but fails, and the machine boots into safemode anyway, falling victim to the post-safemode ransoming of files.


Hilariously, the Tencent bloat actually runs in safemode, which is bonkers, as basically every western AV/EDR does not work in minimal safemode because it goes against the whole point of minimal safemode. Perhaps it is worse than the ransomware.

Even though the AV process(es?) are inappropriately running in safemode, they didn’t actually stop the ransoming of files. At this point I am wondering whether the Tencent devs making this run in safemode was deliberate or just sloppy programming (obviously deliberate, given that processes have to be explicitly added to run in safemode, but still, I wonder if there was a somewhat plausible reason.)

Pictures of AVs VS Ransomware
Sophos Home Free

ESET NOD32

Conclusion
Microsoft should make it harder to simply use bcdedit to modify boot configurations and boot into safemode, and AV/EDR vendors need their heuristics to flag and pick up binaries abusing safemode more often.
I find it particularly strange that any unsigned program can use these safemode modifier bcdedit commands, as my ransomware samples were unsigned. Surely Microsoft should restrict these commands to at least signed programs, or ideally only allow signed programs from either Microsoft-verified troubleshooting publishers or Microsoft themselves.
I would ordinarily share my code for this, but given the topic I will not share my ransomware, packer, or automatic C++ obfuscator code, even though it is unlikely that anyone would want it in the first place 😉
— TTA