Obfuscated Payloads can be undetected even if you have real-time protection

Nov 11, 2021 | Facts


Fact: Obfuscated Payloads can be undetected even if you have real-time protection

There is a reason why successful attacks still happen every day, even though organizations deploy a range of security solutions, some of them based on AI and on various heuristic algorithms.

Experienced attackers can craft sophisticated payloads that bypass real-time protection regardless of which security measures a vendor has implemented. Once such a payload is crafted (we describe some of the techniques known to achieve this below), it stays ahead of the protection until the security product has studied its behavior pattern and blocks it the next time the same technique is used. By then it is too late: the machine has already been compromised and the criminals have done their damage.

Technically, this is done with several sophisticated methods that are applied to a payload depending on how it is delivered, the encryption used, and when or where it is loaded.

Encrypting the malware is essential, not because there is any real cryptographic need, but because leaving a plain copy of the malware inside the binary means it will still be detected. There is little point going down the AES/RSA route, since the goal is obfuscation through encryption rather than confidentiality, so XOR with multiple layers is one way to encrypt the payload initially. Next, the payload is parsed by checking the magic bytes inside the malware and handling its import address table (IAT). The decrypted payload is then written to and run only in memory, without touching the disk, which bypasses a lot of solutions.
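From the defender's side, the weakness of the XOR approach described above is that a fixed key preserves the payload's byte layout, so the PE magic bytes and the e_lfanew pointer can be recovered by trying every key. The following scanner is an added example, not code from the original post; it covers the single-byte-key case and uses a constructed PE-shaped buffer (not real malware) as its sample input.

```python
"""
Defender-side scan for a single-byte-XOR-obfuscated PE image.
Added example, not code from the original post. The sample buffer built by
make_sample_pe() is constructed for the demonstration and is not real malware.
"""
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C  # offset of the DWORD that points at the PE header


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Slicing past the end yields a short string, so an out-of-range pointer fails cleanly.
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; used both to build the sample and to trial-decode."""
    return bytes(b ^ key for b in data)


def find_xored_pe(blob: bytes) -> list[int]:
    """Return every single-byte key under which the blob decodes to a PE image.

    Key 0 is included so an unobfuscated PE is reported as well. Requiring the
    e_lfanew pointer to land on 'PE\\0\\0' after decoding keeps false positives
    far lower than matching a decoded 'MZ' alone.
    """
    return [key for key in range(256) if looks_like_pe(xor_bytes(blob, key))]


def make_sample_pe() -> bytes:
    """Constructed minimal PE-shaped buffer: DOS header, e_lfanew=0x40, then the PE signature."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    return bytes(dos) + PE_MAGIC + b"\0" * 20


if __name__ == "__main__":
    sample = make_sample_pe()
    hidden = xor_bytes(sample, 0x5A)  # constructed obfuscated blob, key 0x5A
    print("keys found for plain sample:", find_xored_pe(sample))   # [0]
    print("keys found for hidden sample:", find_xored_pe(hidden))  # [90]
```

Multi-byte or layered keys defeat this exact loop, but the same idea (a structural check that survives the transform) is what scanners and YARA-style rules extend to those cases.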

Obfuscation can be done using various techniques, including backdooring legitimate .exe files, padding the file to a much larger size so that it bypasses the scanner's trigger, and finally making the code that contains the payload execute only after a timed interval.

That last step matters most when it comes to bypassing better defensive systems. If a user is infected with such a payload, it runs normally when bound to another known application, and the trigger can fire hours or days after the sample has passed through the sandbox, by which point the sandbox and other measures have marked it safe to run; when the malware finally triggers, it gives the attacker a shell.

This is an issue that is unique to each piece of malware: defenders rely on their ability to detect the common behavior of malware and use that to detect and shut it down. This is why we still see payloads execute successfully: detection happens after the malware has already executed, which means the only way to bypass it is to change the actual behavior of the malware.

Security operates continuously using a variety of solutions that rely on automated software. Even as we see AI being integrated through various algorithms from different vendors, consuming budgets on the protection side, Offensive Security still plays a huge role in the evolution of cyber security, because of the skill and the mindset needed to build sophisticated payloads that can bypass even the biggest vendors in the market.

Offensive Security is the answer and must be demanded more often, to the point where it is part of every company that hires defensive teams, because offense is always the best defense.
