Skip to main content

Introducing... meh, a random "malware" generation tool

·3 mins

Intro #

Meh (‘Moderate Efficiency Helper’) is a tool I started recently that combines a bunch of things I love, all into one. In short, meh helps randomly generate and compile binaries that can help get malicious payloads, and tools, past detection systems.

The current list of things I love that this tool is helping cover:

  1. RCE via Malware / Droppers, that fire off shells and tools
  2. Fighting against, and bypassing, detection systems (anti-virus, etc)
  3. Random (seeded) generation (Have a different result everytime, but can replicate by tracking and re-using seeds)
  4. Interactive and one-shot CLI tools
  5. Golang based (we like speedy threads and multi-platform)
  6. Trying to continue support and usage of older methods and tools that have been sig’d over and over and over

Current State #

Right now, meh works as an interactive CLI tool that allows the user to randomly generate a Go based ‘dropper’, that selects a few bypasses (from a small library) to attempt to help in dropping and executing malicious tools on a target system.

At this time, I am not on a team that would find this useful (I’m in appsec/devsecops, lol) but the plan I have for this tool is to (hopefully) use as a proof of concept to help prove that I do (sort of) know what I’m doing, and it might be of use to companies that do red team engagements, need to bypass mechanisms, perform malware research, etc. Currently it’s just a bit of fun as well as a nice challenge for my down time.

It’s in a ‘working’ condition with limited functionality. Here’s a little sneak peak of it running (with sort-of noisey output):

meh, Interactive
meh, interactive mode

meh, Oneshot
meh, oneshot mode

As seen above, the current state is:

  • Tool can be run in interactive mode (screenshot one), or one-shot mode (screenshot two)
  • User generates or provides a seed
  • A Go based ‘dropper’ is generated at runtime by randomly selecting and combining snippets
    • In this case, 2 bypasses were selected - a sleep and an anti-debugger check
  • Lightly obfuscated before ‘baking’
  • Compiled by the CLI tool
  • Binary is spat out for the user, ready to run (right now, this is just OSX binaries, but support for multi-platform is on the list; Windows being a key target of course)

Right now, it doesn’t do anything offensive, but it’s cool to see it generate something that, that automatically compiles from ’nothing’. The generated binaries run with no issues too!

Next Steps #

The next steps include:

  • set up a priority system for bypasses, should something run before trying the next?
  • prevent multiple bypasses of the same nature are selected (for example, 5 sleeps might be pointless)
  • extend the library of bypasses that can be selected at runtime
  • implement different methods of executing shellcode (first goal for ‘malicious’ activity)
  • make sure the generated binaries are all cross platform and the same results are achieved across windows and linux, at minimum
  • add an option for obfuscating the generated source code to hopefully help hide intent more

Stretch Goal #

The ultimate goal. Create a pipeline in the homelab that will do the above (automatically and continuously), have a custom API track and serve the newly generated binaries to a selection of VM’s in my lab (Windows machines, with various detection/protection mechanisms) and the API will help track and report binaries that were successful and not caught.

If the above works, I can just focus on building out templates and code for the random generation to use to further reduce the chances of solutions coming out the same.

Fake News, No Source - soz #

Due to the nature of the tool, this will likely stay closed source… but if anyone is interested to discuss further I’m always up for a chat about writing better code, tools and helping overs learn (if I can!)