Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTP’s that help protect the malware and it’s execution flow. Some of these features are:
-
Shellcode Encryption (AES-CBC 256)
-
Direct x86 Syscalls via @Jackson T’s new SyWhispers2
-
Prevents 3rd party (non-Microsoft Signed) DLL’s from hooking or injecting both the parent and child processes.
-
Parent Process ID spoofing
-
Overwrites it’s own shellcode after execution.
To get a full understanding on how Alaris works, see my post here.
As on February 28th, 2021, several changes have been made:
-
You can now easily build Alaris with the Python3
builder.py
tool. -
Moved from SysWhispers to SysWhispers2
-
Key and IV are now dynamic for each build via PBKDF2
The easiest method to build Alaris is with builder.py
. This is a python 3.6+ script that automates the following:
-
Dynamic AES Key, IV generation that’s unique for each build. Uses PBKDF2 to generate.
-
AES Shellcode Encryption and Encoding from a raw binary shellcode file.
-
Auto-Replacement of Shellcode, Key and IV within Alaris source.
-
Auto-Compiling of the Alaris source.
usage: builder.py [-h] -s -p [-o]
optional arguments:
-h, --help show this help message and exit
-s, --shellcode Path to RAW shellcode file
-p, --password Encryption Passphrase
-o, --out Output Path for compiled binary