Here’s a quick demo of how custom-built Linux malware can slip past anti-virus solutions and enter a protected system. The solution: build your own tools to test the security of the network and don’t rely solely on automated anti-virus solutions.
A few weeks ago, I embarked on an ambitious project that combined offensive security with a touch of creative engineering. The objective was straightforward yet challenging: to construct a custom reverse TCP (Transmission Control Protocol) payload from scratch using Python, package it into an .elf executable, and assess its stealthiness against contemporary antivirus software. My aim extended beyond mere shell access; I sought comprehensive remote control capabilities, including webcam snapshots, keylogging, screen capture, and file transfer functionalities. This endeavor was driven by a desire to explore, learn, and gain a deeper understanding of both offensive and defensive security concepts through practical experimentation.
For many red teamers and cybersecurity enthusiasts, established tools such as ‘Msfvenom’, ‘Empire’, ‘TheFatRat’, or ‘Veil Evasion Framework’ are the standard choices for obfuscation and payload generation. While these tools are powerful, they often generate significant noise, leading modern next-gen antiviruses and EDR (Endpoint Detection and Response) solutions to flag them almost immediately.
Thus, I opted for a custom approach, motivated by several key factors:
- Signature-based detection avoidance: Custom tools can elude detection mechanisms.
- Complete behavioral control: I could dictate every aspect of the payload’s actions.
- In-depth understanding: Gaining insights into the underlying processes was essential.
- Observation of detection engines: I aimed to study how these engines function in real-time.
Writing the Python scripts
To bring this vision to life, I developed two Python scripts.
The payload (target-side)
This script establishes a connection back to the attacker’s machine, executing commands received from it. It manages everything from command execution, screenshots, and webcam images to file transfers and keystroke logging.
The listener (attacker-side)
This lightweight controller listens on a socket, dispatches commands, and processes incoming data. Both scripts communicate over TCP using JSON messages, with binary data such as images or logs base64-encoded so that it travels safely inside the text-based messages.
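The JSON-over-TCP scheme described above is also something a network defender can key on: the base64 encoding of any JSON object begins with eyJ, the encoding of '{"'. The following detection routine is an added example, not the post’s code; the command key names and the sample stream are constructed assumptions.

```python
import base64
import binascii
import json
import re

# Base64 of a JSON object always starts with "eyJ" (the encoding of '{"'),
# which gives a cheap first-pass filter before attempting a full decode.
B64_JSON_TOKEN = re.compile(rb"eyJ[A-Za-z0-9+/]{8,}={0,2}")

# Words that look like a remote-control protocol. Assumed names: the post
# does not list the actual JSON fields its scripts exchanged.
SUSPICIOUS_WORDS = {"cmd", "command", "screenshot", "webcam", "keylog", "upload", "download"}

def decode_json_token(token: bytes):
    """Return the parsed JSON object for a base64 token, or None if it is not one."""
    try:
        raw = base64.b64decode(token, validate=True)
        obj = json.loads(raw)
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None

def find_c2_messages(stream: bytes):
    """Scan a raw TCP payload and return decoded JSON objects whose keys or
    string values match the watched protocol words."""
    hits = []
    for m in B64_JSON_TOKEN.finditer(stream):
        obj = decode_json_token(m.group(0))
        if obj is None:
            continue
        words = {k.lower() for k in obj} | {v.lower() for v in obj.values() if isinstance(v, str)}
        if words & SUSPICIOUS_WORDS:
            hits.append(obj)
    return hits

# Constructed sample stream (not captured traffic): benign HTTP noise followed by
# a command message and a response carrying a base64 blob, newline-delimited.
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    + base64.b64encode(json.dumps({"cmd": "screenshot"}).encode()) + b"\n"
    + base64.b64encode(json.dumps({"type": "screenshot", "data": "aGVsbG8="}).encode()) + b"\n"
)

if __name__ == "__main__":
    for msg in find_c2_messages(SAMPLE_STREAM):
        print("suspicious JSON message:", msg)
```

A JWT header such as eyJhbGciOiJIUzI1NiJ9 also decodes as JSON but carries none of the watched words, so it is not reported.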
Figure 2: Keystroke capture code snippet
What could the backdoor do?
Webcam snapshot
Utilizing OpenCV’s ‘cv2.VideoCapture(0)’ interface, I captured a single frame from the target’s webcam. This frame was encoded as a JPEG and transmitted silently back to the listener, without any user interaction or permission dialogues.
Keystroke sniffing
For logging keystrokes, I employed the ‘pynput’ library, enabling the payload to monitor and store all keystrokes discreetly. Logs were only sent when requested by the operator.
Screenshots
Screen capture was achieved using ‘pyautogui.screenshot()’. The image was saved to a buffer, encoded, and transmitted across the network in the same manner as the webcam image.
File upload and download
Basic file transfers were facilitated through base64 encoding. Files could be sent to or retrieved from the target machine using straightforward commands, with additional commands for changing directories or deleting files included for thoroughness.
Figure 3: Screenshot functionality code snippet
Making it stealthy
Creating a payload is one challenge; keeping it undetected is another. Once the Python scripts were working, I used ‘PyInstaller’ to turn the target-side script into a standalone .elf binary, with UPX [Ultimate Packer for eXecutables] installed on my system so that PyInstaller would compress the bundle with it automatically:
pyinstaller --onefile --clean attackscript.py
This process consolidated everything into a single Linux executable—clean, portable, and ready for deployment. To minimize static detection risks, I implemented several strategies:
- I relocated imports like ‘cv2’, ‘pynput’, and ‘sounddevice’ within the functions that utilized them.
- I renamed potentially suspicious variables and strings.
- I encoded identifiable content using base64 or XOR techniques.
- I employed base64-encoded JSON for all communications to subtly mask the data being transferred.
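From the defender’s side, a PyInstaller bundle leaves static markers that survive the tricks listed above: the CArchive cookie magic PyInstaller writes, the UPX! stub marker, bundled module names and the high byte entropy of a packed file. The triage script below is an added example, not from the post; the watched module list, the scoring and the sample bytes are constructed assumptions.

```python
import math
from collections import Counter

ELF_MAGIC = b"\x7fELF"
# Cookie magic that PyInstaller's CArchive writes into every bundle it builds.
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Marker left by the UPX decompression stub.
UPX_MARKER = b"UPX!"
# Module names the post says were bundled; plain-text hits are a cheap static signal.
WATCHED_MODULES = [b"pynput", b"cv2", b"pyautogui", b"sounddevice"]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted content sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_elf(data: bytes) -> dict:
    """Static indicators for a PyInstaller-style bundled ELF. Signals, not a verdict."""
    modules = [m.decode() for m in WATCHED_MODULES if m in data]
    report = {
        "is_elf": data.startswith(ELF_MAGIC),
        "pyinstaller_archive": PYINSTALLER_COOKIE in data,
        "upx_packed": UPX_MARKER in data,
        "bundled_modules": modules,
        "entropy": round(shannon_entropy(data), 2),
    }
    # Assumed scoring: two or more independent signals earn an analyst's look.
    score = sum([report["pyinstaller_archive"], report["upx_packed"],
                 bool(modules), report["entropy"] > 7.0])
    report["review"] = score >= 2
    return report

# Constructed sample (not a real binary): ELF magic, high-entropy filler,
# the PyInstaller cookie, a bundled module name and the UPX marker.
SAMPLE_BUNDLE = ELF_MAGIC + bytes(range(256)) * 4 + PYINSTALLER_COOKIE + b"pynput" + UPX_MARKER
# Constructed benign-looking file: ELF magic followed by zero padding only.
SAMPLE_PLAIN = ELF_MAGIC + b"\x00" * 1000

if __name__ == "__main__":
    for name, blob in (("bundle", SAMPLE_BUNDLE), ("plain", SAMPLE_PLAIN)):
        print(name, triage_elf(blob))
```

Run it over a real file with `triage_elf(open(path, "rb").read())`; the entropy threshold and marker checks are starting points to tune against your own binaries.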
Figure 4: Upload and download commands code snippet
The result: Near-total anti-virus evasion
Upon compiling the binary, I submitted it to VirusTotal for evaluation. Out of 64 engines, only four flagged the file. Notably, several well-known and widely deployed antivirus engines failed to detect it. This outcome was not merely surprising; it was concerning. It demonstrated that with custom code, even basic remote access tools can bypass most next-gen antivirus products if they do not exhibit overtly malicious behaviors or utilize recognized exploit frameworks.
Figure 5: VirusTotal results showing only 4/64 detections
Final thoughts
This project has been one of the most enlightening experiments in my cybersecurity journey. Crafting a custom reverse shell from the ground up has deepened my understanding of malware operations and highlighted the increasing reliance of antivirus solutions on behavioral analysis rather than signature-based detection. It has also reinforced a vital lesson: depending solely on traditional antivirus and EDR solutions is insufficient. For red teamers, penetration testers, or simply curious hackers, developing your own tools is one of the most effective ways to outsmart automated defenses and rigorously test the cybersecurity posture of any organization.