Sunday evening, you are preparing an email message for several company employees. Everything is polished, and the message is clear and convincing. The email includes a link to a server hosting malware that aligns perfectly with the company profile. The phishing campaign is about to begin. Before it does, you check everything once more and say to yourself, "Perfect." Right after that, you run the program that sends your phishing emails. The next day, around 8:30 – 9:00, you check the logs and see that 3/4 of the targeted employees have downloaded the hosted malware, so probably at least half of them ran it. It's time to check the C2 (Command and Control server) for beacons, but for some reason there are none. What happened, you wonder? Thoughts start to appear. Was my malware detected by AV software? You open your browser, go to VirusTotal, and upload the file. After the analysis, you already know why no session was established. Your malware stood out more than Christmas lights. 'Mission failed,' unfortunately...
If you have ever scanned C2 executables, you know that most AV software has signatures for them and can easily detect them both statically and behaviorally. In this article, I will present my list of several levels of advancement in malware development, which matters for red teamers and pentesters who need to develop undetectable tools. In general, I will show which techniques can reduce the detection rate.
Preparing environment
In this article, I will show scan results from VirusTotal, but for your own research it's best to have your own environment in which to scan your samples. Some people say it is safe to upload samples there, while others say it's like shooting yourself in the foot. Keep in mind that VirusTotal and similar services may analyze your software and prepare signatures that expose your operation and techniques. My suggestion is to avoid taking that risk.
To prepare a test environment, a Windows 10/11 virtual machine is needed. After installing and updating it, it's best to make a clean copy of that image so that other VMs can be prepared quickly. Now we need to install the AVs. According to my research, the following AVs can be installed for free or as trial versions:
• AVAST
• ESET
• Malwarebytes
• Bitdefender
• McAfee
• Sophos
• Kaspersky
• Windows Defender (obviously :)
It is best to have a separate VM for each of these antivirus products. Additionally, each VM should be restricted to a host-only network so the AVs can't send samples to the cloud. With this setup, we can deliver our malware to these machines and receive sessions and beacons from them if it successfully bypasses the security solutions.
Now that the environment is prepared, it is time to focus on the malware. In this post, I will mainly show the results of each technique on VirusTotal (because of the number of AVs operating there). The advancement of malware has been divided into several levels: beginner, pentester, adversary, and Pro.
Beginner
This type of "malware developer" mostly uses already published solutions such as known C2 frameworks (Metasploit, Sliver, Havoc, etc.) without any modification. At most, they may add a built-in encoder like shikata_ga_nai or another publicly available one.
Sending such a payload to VirusTotal resulted in the detection rate shown below:
Additionally, an msfvenom payload with shikata_ga_nai encoding was uploaded:
As you can see, both scans resulted in a high detection rate. Since many of us rely on pre-built solutions, being able to establish sessions, deploy beacons, or execute malicious tools like Mimikatz without detection becomes a crucial skill.
Pentester
A level above that is the pentester. This type of developer knows some basic injection techniques that allow them to bypass certain security solutions. Some of these techniques include:
• Thread Hijacking
• APC Injection
• Mapping Injection
Additionally, to reduce the detection rate, XOR encryption was used. So now let's test these techniques against popular AV programs.
We will start with APC Injection, whose detection rate is shown below:
We will also check the next technique, Local Mapping Injection:
As we've seen, detectability has been cut by half, which is a significant advantage. However, malware development doesn't stop there: there are many techniques and improvements that can still be implemented.
Adversary
The next set of techniques is more advanced, so we move to the adversary level. At this stage, we see a higher level of sophistication. Instead of using "high-level" functions, the malware author can use syscalls (direct or indirect). It's best to illustrate this with a picture (source: https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/):
The image above illustrates what happens when the OpenProcess() function is called. Instead of calling OpenProcess(), an attacker can invoke the NtOpenProcess() syscall, which can reduce detectability because antivirus software often monitors the higher-level API functions and may not inspect such low-level calls. Syscalls are divided into:
• Direct: these originate directly from the malware itself, bypassing the standard API calls provided by the operating system. While easier to implement than indirect syscalls, they can still be effective in evading detection because they bypass the standard API monitoring mechanisms.
• Indirect: in this case, instead of executing the syscall instruction itself, the malware jumps to the memory address where that instruction is located inside the ntdll.dll library. This method can make the malicious activity appear more legitimate, since the syscall appears to come from the standard library, potentially helping to evade detection.
By using syscalls, the standard injection techniques can be made stealthier!
Below is an implementation of APC injection using SysWhispers (https://github.com/jthuraisamy/SysWhispers), which uses direct syscalls:
Still, 22/74 is a fairly high score, but there are other direct syscall techniques, such as HellsGate. I recommend reading the following to enhance your skills:
• HellsGate GitHub
• HellsGate paper
Be aware that I did not make any changes to these programs that could reduce the detection rate. The next scanned file uses the HellsGate direct syscall technique:
Wow! 9/70 is quite a good score: not perfect, but still good! By adding further measures such as anti-debugging and anti-VM techniques, obfuscation, hiding the Windows APIs that are used, and much more, we can go even deeper!
Pro
The final stage is the Pro level. It requires a deep understanding of the targeted systems and the use of advanced techniques that manipulate processes and the system itself to execute payloads in a way that goes undetected, not even flagged by EDRs. Sending such finely crafted payloads to external services isn't a sensible idea. Honestly, it's best to limit detectability testing to your own environment, as described at the beginning.
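From the defender's side, the stubs that SysWhispers- and HellsGate-style loaders embed are a signature in themselves: a benign user-mode image has no reason to carry a syscall instruction of its own, because that instruction normally lives only in ntdll.dll (and win32u.dll). The scanner below is an added example of mine, not code from the post or from those projects; it looks for the common x64 stub shape (mov r10, rcx; mov eax, SSN; optional Windows 10 check; syscall) in a constructed byte sample and reports the offsets and system service numbers it finds.

```python
import re
import struct

# x64 direct-syscall stub as emitted by SysWhispers/HellsGate-style generators:
#   4C 8B D1                           mov r10, rcx
#   B8 xx xx 00 00                     mov eax, <SSN>
#   [F6 04 25 08 03 FE 7F 01 75 03]    optional Win10 'test byte ptr [7FFE0308],1 / jne' check
#   0F 05                              syscall
STUB_RE = re.compile(
    rb"\x4C\x8B\xD1"
    rb"\xB8(?P<ssn>[\x00-\xFF]{2})\x00\x00"
    rb"(?:\xF6\x04\x25\x08\x03\xFE\x7F\x01\x75\x03)?"
    rb"\x0F\x05"
)

# Modules that legitimately contain syscall stubs; anything else is suspect.
SYSCALL_MODULES = {"ntdll.dll", "win32u.dll"}


def find_syscall_stubs(data: bytes):
    """Return [(offset, ssn), ...] for every direct-syscall stub found in data.

    Run this over the code section of a module. SSNs change between Windows
    builds, so the number is reported rather than mapped to an API name.
    """
    return [(m.start(), struct.unpack("<H", m.group("ssn"))[0]) for m in STUB_RE.finditer(data)]


def is_suspicious(data: bytes, module_name: str) -> bool:
    """True when a module outside SYSCALL_MODULES carries its own syscall stubs.

    Indirect syscalls are not caught here: their syscall instruction stays inside
    ntdll.dll, so they need a different check (e.g. where the syscall returns to).
    """
    return module_name.lower() not in SYSCALL_MODULES and bool(find_syscall_stubs(data))


# Constructed sample: filler around two stubs plus one stray 0F 05 that is not a stub.
SAMPLE = (
    b"\x90" * 8
    + b"\x4C\x8B\xD1\xB8\x26\x00\x00\x00\x0F\x05\xC3"            # plain stub, SSN 0x26
    + b"\x48\x31\xC0" * 4                                         # xor rax, rax filler
    + b"\x4C\x8B\xD1\xB8\x18\x00\x00\x00"
    + b"\xF6\x04\x25\x08\x03\xFE\x7F\x01\x75\x03\x0F\x05\xC3"    # stub with Win10 check, SSN 0x18
    + b"\x0F\x05"                                                 # bare syscall bytes, no stub prologue
)

if __name__ == "__main__":
    for off, ssn in find_syscall_stubs(SAMPLE):
        print(f"direct syscall stub at offset {off:#06x}, SSN {ssn:#x}")
    print("suspicious:", is_suspicious(SAMPLE, "loader.exe"))
```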
Some examples of techniques used by advanced malware developers include:
• String Hashing – self-explanatory ;)
• IAT hiding using custom GetProcAddress and GetModuleHandle – the Import Address Table (IAT) is where a binary lists the functions it imports, so it can be used to judge whether a program may be malicious. Custom GetProcAddress and GetModuleHandle implementations hide which WinAPIs are used.
• API Hashing – a custom hashing technique such as djb2, combined with custom GetProcAddress and GetModuleHandle, keeps the resolved functions and their libraries out of the IAT.
• CRT library removal – the CRT (Microsoft C Run-Time Library) contains many functions such as malloc, strcpy and printf; removing it from the build and replacing these functions with custom ones can reduce the detection rate.
• Signing malware with a certificate – a code-signing certificate, like the above-mentioned techniques, helps reduce the detection rate. A less ethical (even illegal) maneuver is using a leaked certificate. Well-known certificates are highly trusted and can even hide minimally edited C2 payloads.
• Using sophisticated injection techniques – Process Hollowing, Ghost Process Injection, Herpaderping Process Injection. I recommend reading about these techniques because there is a lot to explain ;)
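On the analysis side, API hashing as described above is undone by brute force: hash a list of candidate export names with the same algorithm and look up the values pulled from the sample, which is the idea behind lookup services such as HashDB. The helper below is an added example of mine, not code from the post; it implements 32-bit djb2, builds a hash-to-name table from a constructed candidate list (indexing upper-cased variants too, since some samples hash the name that way), and resolves a set of hashes, leaving unknown ones unresolved so the list can be extended.

```python
DJB2_SEED = 5381
MASK32 = 0xFFFFFFFF


def djb2(name: str) -> int:
    """32-bit djb2 as written in C: h = h * 33 + c, truncated to uint32_t."""
    h = DJB2_SEED
    for c in name.encode("ascii"):
        h = ((h << 5) + h + c) & MASK32
    return h


# Constructed candidate list: module and export names an analyst expects a loader to resolve.
CANDIDATES = [
    "kernel32.dll", "ntdll.dll",
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateRemoteThread", "QueueUserAPC", "NtOpenProcess",
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtQueueApcThread",
]


def build_table(names):
    """Map djb2 hash -> name. Both the original and the upper-cased spelling are indexed."""
    table = {}
    for name in names:
        for variant in (name, name.upper()):
            h = djb2(variant)
            if h in table and table[h] != variant:  # rare, but a silent collision would mislead
                raise ValueError(f"djb2 collision: {table[h]!r} vs {variant!r}")
            table[h] = variant
    return table


def resolve(hashes, table):
    """Return {hash: name or None}; a None means the candidate list needs extending."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    # Constructed 'hashes recovered from a sample': two resolvable, one unknown.
    found = [djb2("NtOpenProcess"), djb2("VIRTUALALLOC"), 0xDEADBEEF]
    for h, name in resolve(found, table).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```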
Alright, as a bonus, I'll show you what really refined malware can do with some of the techniques mentioned! In the prepared malware, I'm loading a modified Sliver beacon (https://github.com/BishopFox/sliver). The loader itself incorporates many techniques, and the result is that it bypasses ESET antivirus:
Phenomenal! As you can see, proper malware preparation can bypass advanced antivirus software. Of course, this is just an example; different antivirus products will need different techniques, so if you want to be in the Pro group, you will need to experiment.
If you are the target of an APT group or a skilled hacker, you can only hope that the attacker makes a mistake that leads to detection. Therefore, it's crucial to be careful about what runs on both personal and company devices, as it can have dire consequences. This also highlights the need for cybersecurity training that enables employees to recognize suspicious e-mails or files and report them to security teams.