Disclaimer: The information provided in this article is for informational purposes only. The authors do not encourage or endorse any illegal activities. The authors of this article do not condone or encourage the use of the tool described herein for malicious purposes. Any unauthorized use of Mortar Loader is strictly prohibited and may have serious legal consequences. Readers are responsible for their actions and may be held liable for any damages or legal consequences arising from the misuse of Mortar Loader described in this article.

Introduction

Nothing can be more frustrating than having your carefully developed malicious code caught by a security product. It’s like setting up a complex domino chain only to have it topple halfway through. In this blog post, Red Teamer Lawrence Amer presents his unique gift for the hackers community, through a new version of his tool: Mortar Loader V3. With this tool, the newest defensive measures from antivirus, endpoint detection and response (EDR) tooling, or extended detection and response (XDR) tooling can be evaded.

But why focus on such a tool? For us, it’s about understanding and staying ahead in the everlasting cat-and-mouse game of evading security tooling. By exploring and developing such evasion techniques, we aim to demonstrate that organizations should never solely rely on a single security product such as antivirus (AV) solutions, as attackers will always find new methods to evade these solutions. As KPMG, we show how attackers can and will use evading techniques, such as AV evading by enabling the simulation of real-world cyber threats during red teaming and threat-led penetration testing activities.

So, what exactly does the Mortar Loader do? Mortar Loader is a Portable Executable (PE) shellcode loader that is extensively used within the ethical hacker community to evade detection by security products. PE shellcode loaders work by dynamically loading and executing code at run time, rather than having it statically present in the file. This makes it more challenging for traditional AV solutions to detect and block malicious behavior. This article provides a comprehensive overview of Mortar Loader V3. The tool decrypts the executable image and shellcode inside a memory stream together with procedures and instructions for evasion techniques.

Mortar Loader has been in development for several years. The previous version, Mortar Loader V2, was released in May 2022 and introduced an encrypted shellcode runner and major changes to the functions, performance and function call obfuscation compared to Mortar Loader V1. In this blog post, we explore the upgrades in the latest version of Mortar Loader V3, provide context on how the tool works, and we show how it can be used.

Background

PE and shellcode loaders are designed to bypass traditional security measures by dynamically injecting malicious code into the memory of a target system. This approach differs from normal malicious executables, which embed malicious code directly in the file structure of a program.

Various techniques can be employed for this purpose, including process hollowing, DLL injection, and user-mode hooking. Process hollowing involves embedding malicious code within the address space of an existing process, effectively disguising it within the legitimate process. DLL injection involves loading the malicious code into the address space of a running process as a dynamically linked library (DLL), allowing it to execute within the context of the host process. User-mode hooking involves modifying the behavior of existing system functions by redirecting their execution to the malicious code.

Antivirus solutions face increasing challenges in combating sophisticated attack vectors. This is evidenced by an article shared in 2022 showing threat actors using unpopular programming languages, like Delphi, for malware development. Threat actors are becoming more adaptable and creative in their methods, utilizing compiler variance to further complicate detection. As a result, the compiled executable will have a unique signature even though it has the same overall functionality as the original code. This can be due to compiler-induced optimization, instruction ordering, or symbol table changes, to name a few. These factors all contribute to a malware signature being unique every time it is compiled. This makes traditional AV signature-based detection methods less effective in identifying and blocking the malware.

Mortar Loader use cases

Inspired by this strategy of using unpopular programming languages, Mortar Loader was programmed in Free Pascal in the Lazarus IDE using the Free Pascal Compiler (FPC), orchestrating multiple outstanding attack vectors and techniques combined into a single tool. The loader harnesses the Blowfish algorithm for on-the-fly decryption within the loader memory streams. The latest release leverages several tactics to accomplish its objective effectively evading detection by a range of anti-malware and EDR solutions, including Cortex XDR.

Mortar Loader serves as a Dynamic Link Library (DLL), enabling testers to simulate a wide range of attack vectors, from PE encrypted scenarios to shellcode injection techniques. Its capabilities encompass rundll32 execution, DLL injection, process hijacking, and sideloading, making it a powerful tool for Red Teamers and security researchers:

  • PE Encrypted Scenarios - Mortar Loader can execute encrypted PE files, thereby concealing malicious code from detection.
  • Shellcode Injection - Mortar Loader integrates shellcode injection techniques, enabling testers to inject malicious code into running processes. This capability allows testers to execute arbitrary code without relying on traditional executables.
  • DLL Injection, Hijacking, and Sideloading - Mortar Loader serves as a payload loader and can therefore be used to aid in DLL Injection, Hijacking, and Sideloading. It relies on attackers to inject Mortar Loader into a target process or sideload it into legitimate software packages. Once Mortar Loader is in place, Mortar Loader's evasion and execution capabilities can be utilized to deliver malicious code discreetly.

Mortar Loader’s evolution from v2 to v3

Mortar Loader is, evidenced by over 1200 stars on GitHub and a steady stream of unique monthly visitors, a powerful tool for evading detection. However, this attention inevitably drew scrutiny from antivirus products, leading to increased detection rates for the v2 version.

To address this, Mortar Loader v3 is introduced, containing a suite of enhancements designed to regain its stealth capabilities:

  1. Fileless execution with remote staged encrypted binary or shellcode
  2. Early Bird via Asynchronous Procedure Call (APC) injection
  3. Process masquerading
  4. Named Pipes support
  5. Strings and function calls obfuscation.
  6. Mortar covert reload subroutine
  7. Delay execution techniques

These features are described in detail as follows:

1.      Fileless execution
Mortar Loader v3 supports downloading encrypted binaries or shellcode from a remote source over HTTP/HTTPS, eliminating the need to store the payload locally. Loading the payload locally is still possible for those situations where remote sources cannot be used.

2.      Early Bird APC injection
The loader uses the Win32 API function QueueUserAPC to run the shellcode once the DLL file is attached to a remote process through DLL injection, hijacking or DLL sideloading. The main advantage being that most malicious behavior takes place early in the process initialization, increasing the level of stealth in some AV solutions.

3.      Process masquerading
The created processes from the loader look more legitimate compared to V2, making them more challenging to detect. For example, instead of using cmd.exe for process hollowing or early bird injection, the loader uses the dllhost.exe process and masquerades the process command line to be like a normal windows application.

4.      Named Pipes
The Loader creates a Named Pipe to transfer variable values between the injected DLL and the host system. This allows an adversary to pass the payload value into the loader.

5.      String and function calls obfuscation
The loader hides the Win32 API external calls from the Import Address Table (IAT) and both function names and pascal strings are encoded, making it more challenging for static analysis tools to identify and block the malicious code.

6.      Mortar covert reload subroutine
Mortar Loader v3 introduces a novel technique for persistence, ensuring the malicious payload remains active and operational even if terminated prematurely. This approach utilizes threaded timers to continuously monitor the payload execution status. If the payload is terminated, the attack chain is automatically reloaded, effectively reactivating the malicious code without user intervention. This strategy enables Mortar Loader to maintain persistent execution as long as the parent process remains active, making it a persistent threat to the system.

7.     Delayed execution techniques
To further evade detection by sandboxing or AV emulators, Mortar Loader v3 employs delay execution techniques.

Let's hack

To run Mortar Loader, users must compile the source code themselves. Precompiled binaries are intentionally not released to prevent indexing by public scanners. The compilation process is relatively straightforward when utilizing the Lazarus FPC IDE. The project structure is designed for ease of use, making it accessible even for developers with limited experience.

To use Mortar Loader, first encrypt the payload (for example, a PE, shellcode, or Cobalt Strike payload) using the Encryptor. The screenshot below shows the encryption process. 

blue hat

After payload encryption, it is ready to be loaded onto the target system. One should host the payloads on a remote host or any web server accessible to the system where you intend to deploy the loader. This fileless approach enables the loader to act as a stager, downloading the payload from the remote server and executing it on the target system. The URL of the payload resource should be encoded in base64 to conceal it and protect it from initial detection. This encoded URL will be passed into the loader when it is deployed on the target system.

To evaluate Mortar Loader’s capabilities, we devise the following two scenarios:

PE Hollowing / Run in memory

Mortar Loader V3 allows to pass the value of remote payload URL after the DLL entry point if the payload’s URL value is base64 encoded and the function is executed under the context of a rundll32.exe process.

blue hat hackers

Early Bird

The Early bird technique fails to execute if run under the rundll32.exe context for unknown reasons, as at some point the shellcode is truncated and fails to fully execute. This feature is supported when using DLL injection, hijacking or sideloading, i.e., when the DLL_PROCESS_CONDITION is applicable.

This technique involves the following steps:

  • Injecting the DLL into a remote process (only x64 bit)
  • Passing the payload (in base64 format) into the DLL using Name Pipes, e.g., 'echo {BASE64 URL} > \\.\pipe\moj_ML_ntsvcs'
  •  The injected DLL will receive the payload value from the Named Pipe and then perform an internal call to execute the Early Bird APC injection function

The following screenshot shows a complete bypass while testing Cortex XDR.

blue hat hackers

Future development for Mortar Loader

The ongoing battle between security solutions and threat actors necessitates continuous advancements in AV evasion techniques. Mortar Loader remains under active development, and plans are underway to introduce new features in Version 4. These features include:

  • Assembly Class Runtime.
  • Syscalls instead of win32 API calls.
  • Self-deletion to clear traces.
  • ETW patching.
  • XOR function’s obfuscation.

For the most up-to-date information on Mortar Loader's development and to stay informed about future releases, follow the tool's GitHub page.

Summary

To summarize our overview of Mortar Loader's latest release, it's evident that its new features and enhancements significantly advance ethical hacking and organizational cybersecurity. This version notably excels in evading sophisticated EDR/XDR solutions like Cortex XDR, offering vital insights for both ethical hackers and organizations.

For ethical hackers, Mortar Loader V3 will be an invaluable tool, offering a sophisticated approach to bypass the latest techniques of EDR/XDR solutions. This is crucial for testing and improving the resilience of organizational defenses against realistic attack scenario’s.

Organizations must recognize that no defense is impregnable. The advancements in Mortar Loader V3 emphasize the reality that even the most robust XDR/EDR solutions can be bypassed. This realization is crucial for businesses in planning their cybersecurity strategies. It's a call to action for continuous improvement, emphasizing the importance of staying ahead of the curve in cybersecurity defense measures and to never rely on single cybersecurity solutions as a silver bullet.

In conclusion, the release of Mortar Loader epitomizes the ongoing evolution and complexity of cybersecurity. It demonstrates a crucial truth in digital security: as defensive technologies like EDR/XDR become more sophisticated, so too must the strategies to test and bypass them. This continuous advancement underscores the importance of adaptability and foresight in cybersecurity practices. Mortar Loader not only showcases the ingenuity required in ethical hacking but also serves as a crucial reminder of the ever-changing nature of the cybersecurity landscape, where staying ahead requires constant innovation and preparedness.