White Hat Institute

Shellter - Creating an undetectable backdoor

Shellter is capable of re-encoding any native 32-bit standalone Windows application. Since we are trying to avoid anti-virus detection, we need to avoid anything that may look suspicious to anti-virus software, for example, packed applications or applications that have more than one section containing executable code.

Shellter is designed to take any of these 32-bit Windows applications and embed shellcode, either your custom payload or one available from tools such as Metasploit, in a way that stays hidden from anti-virus software. Since you can use any 32-bit application, you can create an almost unlimited number of signatures, making it nearly impossible for anti-virus software to detect.

To use Shellter, we need to download it from the following website: https://www.shellterproject.com/download/


Once you have downloaded the tool, extract it and, optionally, move it to the “/opt” directory.

Ex: (~/Downloads# mv shellter /opt/).

Next, we need to download any legitimate Windows executable application so we can use it with Shellter to bind our backdoor to it. For this example, we are going to use “Winrar.exe.”

After the download, move the “Winrar.exe” file into the Shellter directory.

Ex: (~/Downloads# mv Winrar.exe /opt/shellter/).

Now it is time to start this tool using the “wine” command.

Ex: (/opt/shellter# wine shellter.exe).

At startup, you’ll be presented with a welcome screen and prompted to choose an operation mode. Select “A” for auto mode and press “Enter.” Next, it’ll ask you to specify the “PE Target:” name, which is the name of the application you want to bind the backdoor to. Here we are going to use “Winrar.exe.”

When the initial process is complete, Shellter will ask you whether you want to enable stealth mode or not. Depending on the circumstances, you may want to enable it, but in this example, we’ll say “N” and continue to payload selection.

Next, it’ll ask you whether you want to use a listed payload or a custom one. Type “L” to use one of the listed payloads, and then select one by its index number. You can choose a payload of your choice. In our case, we have selected option “1” for “Meterpreter_Reverse_TCP.”

Lastly, provide the “LHOST” IP address for the attacker machine and the “LPORT” number on which you want to listen for incoming connections, and then press “Enter” to finish the whole process and start the listener.

By default, Shellter will start the multi-handler automatically for you and wait for an incoming connection.

Let’s test our infected “Winrar.exe” application on the target computer. First, we need to move this file to our web server so we can deliver it to the target computer efficiently.

Ex: (/opt/shellter# mv Winrar.exe /var/www/html/Evil-Files/).

Once it’s downloaded and run, it’ll start the standard WinRAR installation process, but in the background, it’ll execute our malicious backdoor and send us a reverse shell connection. As you can see, we managed to receive an active session, so we can interact with it and exploit it further.

Penetration testers on red teams often add tools to their toolkits that borrow techniques from malicious software. Shellter is an example of such a method. It was influenced by the EPO (entry point obscuring) and polymorphic file-infector viruses, became popular as a tool for pen testers, and then resurfaced as a tool for cybercriminals.

Although Shellter was not designed for malicious purposes, its success in avoiding detection by antivirus programs makes it a dangerous tool in the hands of attackers. CrowdStrike solutions, on the other hand, are able to identify and prevent such threats thanks to ongoing research like this, combined with a strong next-generation antivirus.
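A defender-side check, added here as an example and not part of the original article or of Shellter: because the technique rewrites a legitimate 32-bit PE file, comparing a downloaded installer section by section against a trusted reference copy shows which sections were altered and whether they hold executable code. The function names and the two-section sample produced by `build_pe` are constructed for illustration.

```python
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section header flag: contains executable code

def pe_sections(data):
    """Map section name -> (SHA-256 of its raw bytes, is_executable)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    count, = struct.unpack_from("<H", data, pe_off + 6)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                        # first section header
    found = {}
    for entry in range(table, table + 40 * count, 40):
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        flags, = struct.unpack_from("<I", data, entry + 36)
        digest = hashlib.sha256(data[raw_ptr:raw_ptr + raw_size]).hexdigest()
        found[name] = (digest, bool(flags & IMAGE_SCN_MEM_EXECUTE))
    return found

def changed_sections(reference, suspect):
    """Sections of `suspect` that are new or differ from the trusted copy."""
    ref, sus = pe_sections(reference), pe_sections(suspect)
    return [(name, sus[name][1]) for name in sus if ref.get(name) != sus[name]]

def build_pe(text, data):  # constructed sample image, not a real installer
    hdr = bytearray(b"MZ".ljust(0x200, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 2)          # i386, two sections
    ptr = len(hdr)
    rows = ((b".text", text, 0x60000020), (b".data", data, 0xC0000040))
    for i, (name, body, flags) in enumerate(rows):
        off = 0x58 + 40 * i                               # optional header size is 0 here
        hdr[off:off + len(name)] = name
        struct.pack_into("<II", hdr, off + 16, len(body), ptr)
        struct.pack_into("<I", hdr, off + 36, flags)
        ptr += len(body)
    return bytes(hdr) + text + data

REFERENCE = build_pe(b"A" * 64, b"config" * 8)            # trusted vendor copy
SUSPECT = build_pe(b"A" * 32 + b"B" * 32, b"config" * 8)  # same file, code altered

if __name__ == "__main__":
    print(changed_sections(REFERENCE, SUSPECT))
```

In practice the reference bytes would come from a copy obtained directly from the vendor; an executable section that differs from it is a reason to quarantine the file for analysis.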