Computer Security Incident Response Team
Cybersecurity Insights
Mossé Security

A Simple UPX Malware Technique

Introduction

UPX is an executable file compressor. In this blogpost, we share a simple anti-virus (AV) evasion technique based on UPX that works well against AI-based anti-virus software.

UPX is legitimately used to reduce the file size of Portable Executables by around 50%-70%. It is also often used by threat actors to add a layer of obfuscation to their malware. The default version has a "decompress" flag which will retrieve the original code. The technique presented in this blogpost will prevent this feature from working, forcing anti-virus software to use custom unpacking solutions.

The technique involves packing an executable with UPX and then modifying one byte.

Methodology

We decided to use Mimikatz as a test case as it's a leading post-exploitation tool commonly used by penetration testers, Red Teamers and real threat actors.

We start with packing the Mimikatz executable with UPX:

Cyber attack - Using UPX packer to pack mimikatz

We then edit the executable with a hexadecimal editor:

Cyber attack - Using a hexidecimal editor to view UPX packed file

As you can see there is a string “UPX0”. We alter this by one byte to result in “BPX0” which renders the .exe to fail when trying to unpack as shown in the screenshot below. The executable will continue to work fine though.

Cyber attack - Mimikatz fails to unpack with UPX packer

The screenshot shows that Mimikatz continues to work as it should:

Cyber attack - Mimikatz performs as usual

Results

Vanilla Mimikatz:

As of writing this blogpost the detection rate on Virus Total for a vanilla “Mimikatz.exe” was 45 engines:

Cyber attack - Mimikatz results from Virus Total Modified Mimikatz:

In comparison, the version of Mimikatz packed with UPX and then manually edited was only detected by 29 anti-virus software:

Cyber attack - modified version of Mimikatz results from Virus Total

Key Observations:

  • This simple technique proved very effective at defeating AI-based anti-virus software. Of note, Crowdstrike and Cylance failed to detect the modified Mimikatz.
  • After a week later and the detection rate was back up to 43-45. Although, we then changed one byte again to a different letter, for example “CPX0”, the results were back down to 29-32 detections.
  • This technique could easily be augmented with additional AV evasion tradecraft. It's power comes from its simplicy and effect against AI-based anti-virus solutions.

Operational Security Recommendation

Never upload your custom Red Team tools to Virus Total. The files will be downloaded by all the anti-virus companies and kept in perpetuity for retro-hunting purposes.

References:

We initially stumbled across this technique on stackoverflow.

29/09/2020

Mailing List

Register now to receive updates about upcoming cyber security courses by Mossé Cyber Security Institute:

About Us

Mossé Security serves governments, the corporate sector, and security-conscious individuals with world-class cyber security solutions and strategic security consulting. We operate around the world and our head office is located in Melbourne, Australia.

Offensive Services
Defensive Security
Insights
© 2010 - 2022 Copyright Mossé Security