Evading Antivirus Software Detection Using Python and PowerShell Obfuscation Framework

Avoiding antivirus detection in penetration testing activities is tricky. The simplest, most effective, and most efficient way is to disguise malicious code. However, the obfuscation process is complex and time-consuming if done manually. To solve this problem, many tools and frameworks on the internet can automate the obfuscation process, but how effective these obfuscation tools are at avoiding antivirus detection remains unclear. This study aimed to provide an overview of the effectiveness of obfuscation frameworks in avoiding antivirus detection. The study used an experimental design to test and determine the effectiveness of the payload obfuscation process. The first step was generating Python and PowerShell payloads, followed by the obfuscation process. The results showed that, by using the right method of obfuscation, malware could become completely undetectable. The automatic obfuscation process also did not deteriorate the malware's function: it was proven that the malware could run and open a connection to the server. These findings call for further study of Python obfuscator techniques to determine the effectiveness of obfuscated payloads on target machines using both static and dynamic analysis.


INTRODUCTION
In the world of software development, obfuscation is an action that aims to make an application source code difficult to understand for humans [1]. Initially, obfuscation techniques were used to protect the intellectual property rights of an application and prevent outsiders from doing reverse engineering [2].
Nevertheless, in its development, the obfuscation technique has also proven very effective in avoiding antivirus detection [3]. The growth of fileless malware attacks, which leave no file on the file system, indicates that attackers use technology developed by vendors to find security vulnerabilities, such as the PowerShell scripting provided by Microsoft [4,5]. PowerShell scripts have been used to hide malicious commands inside images with techniques such as Invoke-PSImage [6]. Script-based obfuscation techniques are also used to target IoT devices; this threat arises because IoT devices have a lower security level than servers, making them more vulnerable and more easily accessible to attackers [7].
Meanwhile, to detect malware, antivirus software uses three types of methods, namely signature-based, behavior-based, and heuristic-based techniques [8]. To avoid detection by the methods implemented by antivirus software, the most effective way is to create our own malware. However, this method is quite complex and potentially time-consuming. The simplest way to prevent malicious code from being detected by antivirus software is to use an obfuscation technique.
Along with the development of information technology, obfuscation of malicious code has become quite easy to perform. Many open-source penetration testing frameworks can be downloaded for free and have functions to automate obfuscation techniques [9]. On the defensive side, various malware detection tools, memory forensic tools, packet analysis tools, and reverse engineering and debugging tools are available online and as applications, and together they support a comprehensive malware detection process [10]. This paper describes how to automatically obfuscate, through an obfuscation framework, malicious code written in scripting/interpreted languages such as Python and PowerShell. In addition, this paper aims to provide an overview of the effectiveness of the obfuscation framework in avoiding antivirus detection.
Python has a simple structure yet powerful functions to develop malware, such as backdoor malware. A previous study proposed a Python backdoor detection model that could detect obfuscated malware samples represented by its statistical text features and opcode sequence. The result provides 97.7% detection accuracy using the Random Forest classifier [11]. The security challenges in the Android ecosystem are also growing despite the introduction of advanced anti-malware tools [12].
Given the rising sophistication of Android malware evasion techniques, auditing and evaluating the existing Anti-Malware Solutions (AMTs) is needed [13]. That research analyzes various evasion techniques and compares the efficacy of current anti-malware tools against them. Additionally, the paper proposes a more sophisticated evasion technique that successfully evades all known anti-malware solutions. The suggested technique involves exhaustive obfuscation and remote code execution, highlighting the importance of enhancing the resilience and effectiveness of AMTs for improved malware detection and prevention.
The evaluation of the effectiveness of antivirus evasion tools such as Avet, Veil 3.0, PeCloak.py, Shellter, and Fat Rat on the Windows platform has been reported in the previous study [14]. The research aims to test the capabilities of these tools in generating malware that goes undetected by the best antivirus solutions available. The study was conducted in a virtual lab setup using VMware Oracle VirtualBox, and the results showed software evasion rates ranging from 0% to 83%. Avet and PeCloak.py were found to be the best AV evasion tools, while Kaspersky and Bitdefender emerged as the top-performing antivirus software in detecting malware evasion techniques.
A previous study explores popular techniques and tools used to bypass antivirus programs. It highlights that, while most antivirus programs can detect these techniques individually, combining evasion techniques in complex attack chains can bypass modern and commonly used antivirus software [3]. One technique used to avoid antivirus detection is to change the source code of the executable template [15]. Changes in the source code allow the shellcode to be generated separately, so that the shellcode never touches the hard disk and runs only in memory. This technique drastically changes the signature of the source code. Another study describes open-source penetration testing frameworks that bypass antivirus detection; the tools described in that research are Avet, Veil 3.0, The Fat Rat, PeCloak.py, Phantom-Evasion, Shellter, Unicorn, and Hercules [16].
Research on evasion techniques using code obfuscation has been carried out in several of these papers. Those studies obfuscate binary executable payloads, and the obfuscation is carried out manually. A previous study discusses antivirus evasion techniques that are carried out automatically using a penetration testing framework, but in general the generated payload is also a binary executable. The current research differs in that it applies obfuscation techniques to script-based malware and carries them out automatically.

RESEARCH METHOD
This study used an experimental design in which the simulation was conducted in a virtual machine to preserve a safe environment. The researchers tested two types of payloads, written in the Python and PowerShell programming languages. As seen in Figure 1, the research starts with two stages of testing to determine the effectiveness of the payload obfuscation process. In the first stage, the researchers analyzed the original payload and the obfuscated payload using the VirusTotal website. This stage aims to determine the difference in evasion level between the original payload and the obfuscated payload. In the second stage, the obfuscated payload is executed on Windows- and Linux-based target machines. This stage aims to determine whether the obfuscated payload can still run, which supports the testing process.
Several software packages and tools were used to conduct the simulation. A virtual machine is used to set up the virtual lab environment. The framework used in this study was Metasploit, a project that provides comprehensive information about security vulnerabilities [17,18]. It is a valuable tool for conducting penetration testing and for aiding the development of Intrusion Detection Systems (IDS) [19], and it can be obtained from its GitHub repository. For Python, the Onelinepy obfuscator generates one-liners and FUD (Fully Undetectable) payloads. For the Windows operating system, this study used Invoke-Obfuscation, a PowerShell command and script obfuscator developed by security researcher Daniel Bohannon at Mandiant. Lastly, the target operating systems used in this experiment to test the obfuscated payloads are Kali Linux, Ubuntu, and Windows 10.
The first step is to generate the Python and PowerShell payloads, followed by the obfuscation process on each payload. The tool used to generate both payloads is the Metasploit Framework, while the payload obfuscation process uses Onelinepy and Invoke-Obfuscation.

RESULT AND ANALYSIS
Test Result Using the VirusTotal Website
The use of the VirusTotal platform in this study aims to determine the evasion level of the obfuscated payload. VirusTotal is a web-based application that analyzes suspicious files to detect malware [10] and can inspect files using more than 70 antivirus engines with the most up-to-date signature databases. VirusTotal has been advocated in many security studies over desktop antivirus because of these capabilities [20].
Based on the VirusTotal analysis of the obfuscated Python and PowerShell payloads, the obfuscation process through the obfuscator tools, namely Onelinepy and Invoke-Obfuscation, is effective in bypassing antivirus detection. After obfuscation through the Onelinepy tool, the backdoor file becomes Fully Undetectable (FUD). Meanwhile, after obfuscation through the Invoke-Obfuscation tool, the PowerShell payload becomes 98% FUD: of the 57 antivirus engines, only one managed to detect it. The following is a comparison of the VirusTotal analysis results. The Python payload that has not gone through the obfuscation process is detected by 16 antivirus engines, and some antivirus engines specifically report that the file is a backdoor generated by the Metasploit Framework (Figure 6).

Obfuscated Payload Functionality Test Result
After the obfuscation process, the author tested the obfuscated payload on two operating systems, namely Ubuntu Linux 22.04 for the Python payload and Windows 10 for the PowerShell payload. On both operating systems the payload executed successfully and opened a reverse TCP connection. Figure 10 shows the obfuscated Python payload being executed on Ubuntu 22.04; it ran successfully and a Meterpreter session opened (Figure 11). After running on Windows 10, the PowerShell payload successfully opened a reverse TCP connection (Figure 12). The obfuscated malware can also execute C&C commands on the target computer. The results of this study indicate that the level of evasion achieved through the Python obfuscation framework and the PowerShell obfuscator is consistent with previous studies [12,16,17,4]. The obfuscated Python payload could successfully bypass the Bitdefender antivirus. In earlier work, obfuscated PowerShell payloads were still heavily detected by antivirus software [16,21], whereas the Invoke-Obfuscation tool employed in this study showed significant success in bypassing antivirus detection. It is important to acknowledge that the antivirus detection method used in this study is static analysis. Static analysis is preferable for testing the effectiveness of obfuscated malware because it does not carry the overhead of dynamic methods: it analyzes the code for specific patterns and characteristics without actually executing the malware. The VirusTotal scan used for malware detection in this study therefore does not account for behavior-based or cloud-based detection.
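The following Python script is an added illustration, not part of the paper and not code from Onelinepy, Invoke-Obfuscation, Metasploit or VirusTotal. It ties the three detection methods listed in the introduction (signature-based, heuristic-based, behavior-based) to the static-analysis caveat above, using a constructed, harmless PowerShell one-liner. The same command is checked in plain form and in PowerShell's documented `-EncodedCommand` form (UTF-16LE text, Base64-encoded): a literal signature matches only the plain text, a heuristic scorer flags the encoded text by its structure, and decoding the command, as a runtime or script-logging view would, restores the exact text so the signature matches again. The signature set, the indicator list and the "two or more indicators" threshold are assumptions chosen for this demonstration, not values from the paper.

```python
import base64
import math
import re

# Constructed sample (not from the paper): a harmless one-liner in plain form.
PLAIN_SCRIPT = "Write-Output 'hello from the lab'"


def encode_command(script: str) -> str:
    """Return the script in PowerShell's documented -EncodedCommand form
    (UTF-16LE text, Base64-encoded). Same behaviour, different bytes on disk."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -EncodedCommand {b64}"


# 1. Signature-based: exact patterns taken from a known sample. Assumed
#    signature for this demo only; real engines hold far larger sets.
SIGNATURES = [re.compile(r"Write-Output 'hello from the lab'")]


def signature_match(text: str) -> bool:
    """True if any stored signature occurs literally in the text."""
    return any(sig.search(text) for sig in SIGNATURES)


# 2. Heuristic-based: structural traits that obfuscated scripts commonly
#    carry, independent of what the script actually does.
INDICATORS = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "char_casting": re.compile(r"\[char\]\s*\d+", re.I),
    "backtick_in_token": re.compile(r"[A-Za-z]`[A-Za-z]"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; Base64 blobs and random identifiers push this up."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def heuristic_score(text: str) -> dict:
    """Flag text that shows two or more indicators. The threshold is an
    assumption for this demo, not a tuned value."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {
        "entropy": round(shannon_entropy(text), 2),
        "indicators": hits,
        "suspicious": len(hits) >= 2,
    }


# 3. Content at execution time: what a behaviour-based or dynamic approach
#    sees. Decoding -EncodedCommand restores the exact text the signature
#    matcher lost, which is why a static scan and a runtime view can disagree.
def decode_encoded_command(text: str):
    """Return the decoded script if text carries -EncodedCommand, else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", text, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    encoded = encode_command(PLAIN_SCRIPT)
    for label, sample in (("plain", PLAIN_SCRIPT), ("encoded", encoded)):
        decoded = decode_encoded_command(sample)
        print(label, "signature:", signature_match(sample),
              "heuristic:", heuristic_score(sample),
              "signature after decode:", decoded is not None and signature_match(decoded))
```

Running the script shows the plain form matching the signature and the encoded form missing it while the heuristic scorer flags the encoded form on two indicators; after decoding, the signature matches the encoded form as well. The indicators are the kind of structural traits that script obfuscators leave behind, so they generalize beyond the single encoding shown here, but they also fire on legitimate administrative commands, which is why heuristic hits are a triage signal rather than a verdict.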
This research provides an understanding of how to enhance the evasion capability of modified script-based malware running on Windows and Linux operating systems, allowing it to bypass signature-based antivirus detection. Additionally, it provides recommendations on obfuscation frameworks that penetration testers can use to assess the security level of a system.

CONCLUSION
Based on the test results in this study, code obfuscation carried out automatically through an obfuscator tool can make script-based malware undetectable by antivirus software. By using the right method in the obfuscation process, malware can become fully undetectable. The automatic obfuscation process also does not damage the malware's functionality; it is proven that the malware can run and open a connection to the server. Future research may focus on other detection methods, such as behavioral analysis and dynamic detection, to improve the identification of script-based malware and to measure how well obfuscation evades those methods.