Chimera v1.0 releases: Automated DLL Sideloading Tool With EDR Evasion Capabilities

DLL Sideloading

Chimera

While DLL sideloading can be used for legitimate purposes, such as loading necessary libraries for a program to function, it can also be used for malicious purposes. Attackers can use DLL sideloading to execute arbitrary code on a target system, often by exploiting vulnerabilities in legitimate applications that are used to load DLLs.

To automate the DLL sideloading process and make it more effective, Chimera created a tool that includes evasion methodologies to bypass EDR/AV products. This tool can automatically encrypt a shellcode via XOR with a random key and create template Images that can be imported into Visual Studio to create a malicious DLL.

Also, Dynamic Syscalls from SysWhispers2 is used and a modified assembly version to evade the pattern that the EDR search for, Random nop sleds are added, and also registers are moved. Furthermore, Early Bird Injection is also used to inject the shellcode in another process which the user can specify with Sandbox Evasion mechanisms like HardDisk check & if the process is being debugged. Finally, a Timing attack is placed in the loader which uses waitable timers to delay the execution of the shellcode.

This tool has been tested and shown to be effective at bypassing EDR/AV products and executing arbitrary code on a target system.

Tool Usage

DLL Sideloading

Chimera is written in python3  and there is no need to install any extra dependencies.

Chimera currently supports two DLL options either Microsoft teams or Microsoft OneDrive.

Someone can create userenv.dll which is a missing DLL from Microsoft Teams and insert it into the specific folder to

%USERPROFILE%/Appdata/local/Microsoft/Teams/current

For Microsoft OneDrive the script uses version DLL which is common because it’s missing from the binary example onedriveupdater.exe

Chimera Usage.

python3 ./chimera.py met.bin chimera_automation notepad.exe onedrive

python3 ./chimera.py met.bin chimera_automation notepad.exe onedrive

Additional Options

  •   [raw payload file] : Path to file containing shellcode
  •   [output path] : Path to output the C template file
  •   [process name] : Name of process to inject shellcode into
  •   [dll_exports] : Specify which DLL Exports you want to use either teams or onedrive
  •   [replace shellcode variable name] : [Optional] Replace shellcode variable name with a unique name
  •   [replace xor encryption name] : [Optional] Replace xor encryption name with a unique name
  •   [replace key variable name] : [Optional] Replace key variable name with a unique name
  •   [replace sleep time via waitable timers] : [Optional] Replace sleep time your own sleep time

Usefull Note

Once the compilation process is complete, a DLL will be generated, which should include either “version.dll” for OneDrive or “userenv.dll” for Microsoft Teams. Next, it is necessary to rename the original DLLs.

For instance, the original “userenv.dll” should be renamed as “tmpB0F7.dll,” while the original “version.dll” should be renamed as “tmp44BC.dll.” Additionally, you have the option to modify the name of the proxy DLL as desired by altering the source code of the DLL exports instead of using the default script names.

Changelog v1.0

Reformatted Structure: The entire program has been restructured for enhanced development ease and future maintainability.
Polymorphic Code Integration: Incorporation of polymorphic code, significantly enhancing evasion capabilities and making the tool more resilient against static analysis.
SysWhispers 3 Integration: Transitioned from SysWhispers 2 to a modified version of SysWhispers 3. This update improves the tool’s ability to evade pattern recognition mechanisms employed by EDR systems, using dynamic syscalls and modified assembly techniques.
AES Encryption: Implemented AES encryption to secure shellcode, adding an additional layer of security and obfuscation.
Early Bird Injection: The tool employs Early Bird Injection techniques, allowing for stealthier code execution within target processes.
Module Stomping: Will be added in the feature also you can implement your own code injection technique in the tool.

Install

Copyright (c) 2023 georgesotiriadis