Mortar Loader V3, a Portable Executable shellcode loader

Disclaimer: The information provided in this article is for informational purposes only. The authors do not encourage or endorse any illegal activities. The authors of this article do not condone or encourage the use of the tool described herein for malicious purposes. Any unauthorized use of Mortar Loader is strictly prohibited and may have serious legal consequences. Readers are responsible for their actions and may be held liable for any damages or legal consequences arising from the misuse of Mortar Loader described in this article.

Nothing can be more frustrating than having your carefully developed malicious code caught by a security product. It’s like setting up a complex domino chain only to have it topple halfway through. In this blog post, Red Teamer Lawrence Amer presents his unique gift for the hackers community, through a new version of his tool: Mortar Loader V3. With this tool, the newest defensive measures from antivirus, endpoint detection and response (EDR) tooling, or extended detection and response (XDR) tooling can be evaded.

But why focus on such a tool? For us, it’s about understanding and staying ahead in the everlasting cat-and-mouse game of evading security tooling. By exploring and developing such evasion techniques, we aim to demonstrate that organizations should never solely rely on a single security product such as antivirus (AV) solutions, as attackers will always find new methods to evade these solutions. As KPMG, we show how attackers can and will use evading techniques, such as AV evading by enabling the simulation of real-world cyber threats during red teaming and threat-led penetration testing activities.

So, what exactly does the Mortar Loader do? Mortar Loader is a Portable Executable (PE) shellcode loader that is extensively used within the ethical hacker community to evade detection by security products. PE shellcode loaders work by dynamically loading and executing code at run time, rather than having it statically present in the file. This makes it more challenging for traditional AV solutions to detect and block malicious behavior. This article provides a comprehensive overview of Mortar Loader V3. The tool decrypts the executable image and shellcode inside a memory stream together with procedures and instructions for evasion techniques.

Mortar Loader has been in development for several years. The previous version, Mortar Loader V2, was released in May 2022 and introduced an encrypted shellcode runner and major changes to the functions, performance and function call obfuscation compared to Mortar Loader V1. In this blog post, we explore the upgrades in the latest version of Mortar Loader V3, provide context on how the tool works, and we show how it can be used.

PE and shellcode loaders are designed to bypass traditional security measures by dynamically injecting malicious code into the memory of a target system. This approach differs from normal malicious executables, which embed malicious code directly in the file structure of a program.

Various techniques can be employed for this purpose, including process hollowing, DLL injection, and user-mode hooking. Process hollowing involves embedding malicious code within the address space of an existing process, effectively disguising it within the legitimate process. DLL injection involves loading the malicious code into the address space of a running process as a dynamically linked library (DLL), allowing it to execute within the context of the host process. User-mode hooking involves modifying the behavior of existing system functions by redirecting their execution to the malicious code.

Antivirus solutions face increasing challenges in combating sophisticated attack vectors. This is evidenced by an article shared in 2022 showing threat actors using unpopular programming languages, like Delphi, for malware development. Threat actors are becoming more adaptable and creative in their methods, utilizing compiler variance to further complicate detection. As a result, the compiled executable will have a unique signature even though it has the same overall functionality as the original code. This can be due to compiler-induced optimization, instruction ordering, or symbol table changes, to name a few. These factors all contribute to a malware signature being unique every time it is compiled. This makes traditional AV signature-based detection methods less effective in identifying and blocking the malware.

Inspired by this strategy of using unpopular programming languages, Mortar Loader was programmed in Free Pascal in the Lazarus IDE using the Free Pascal Compiler (FPC), orchestrating multiple outstanding attack vectors and techniques combined into a single tool. The loader harnesses the Blowfish algorithm for on-the-fly decryption within the loader memory streams. The latest release leverages several tactics to accomplish its objective effectively evading detection by a range of anti-malware and EDR solutions, including Cortex XDR.

Mortar Loader serves as a Dynamic Link Library (DLL), enabling testers to simulate a wide range of attack vectors, from PE encrypted scenarios to shellcode injection techniques. Its capabilities encompass rundll32 execution, DLL injection, process hijacking, and sideloading, making it a powerful tool for Red Teamers and security researchers:

• PE Encrypted Scenarios - Mortar Loader can execute encrypted PE files, thereby concealing malicious code from detection.
• Shellcode Injection - Mortar Loader integrates shellcode injection techniques, enabling testers to inject malicious code into running processes. This capability allows testers to execute arbitrary code without relying on traditional executables.
• DLL Injection, Hijacking, and Sideloading - Mortar Loader serves as a payload loader and can therefore be used to aid in DLL Injection, Hijacking, and Sideloading. It relies on attackers to inject Mortar Loader into a target process or sideload it into legitimate software packages. Once Mortar Loader is in place, Mortar Loader's evasion and execution capabilities can be utilized to deliver malicious code discreetly.

Mortar Loader is, evidenced by over 1200 stars on GitHub and a steady stream of unique monthly visitors, a powerful tool for evading detection. However, this attention inevitably drew scrutiny from antivirus products, leading to increased detection rates for the v2 version.

To address this, Mortar Loader v3 is introduced, containing a suite of enhancements designed to regain its stealth capabilities:

1. Fileless execution with remote staged encrypted binary or shellcode
2. Early Bird via Asynchronous Procedure Call (APC) injection
3. Process masquerading
4. Named Pipes support
5. Strings and function calls obfuscation.
6. Mortar covert reload subroutine
7. Delay execution techniques

These features are described in detail as follows:

1.      Fileless execution

Mortar Loader v3 supports downloading encrypted binaries or shellcode from a remote source over HTTP/HTTPS, eliminating the need to store the payload locally. Loading the payload locally is still possible for those situations where remote sources cannot be used.

2.      Early Bird APC injection

The loader uses the Win32 API function QueueUserAPC to run the shellcode once the DLL file is attached to a remote process through DLL injection, hijacking or DLL sideloading. The main advantage being that most malicious behavior takes place early in the process initialization, increasing the level of stealth in some AV solutions.

3.      Process masquerading

The created processes from the loader look more legitimate compared to V2, making them more challenging to detect. For example, instead of using cmd.exe for process hollowing or early bird injection, the loader uses the dllhost.exe process and masquerades the process command line to be like a normal windows application.

4.      Named Pipes

The Loader creates a Named Pipe to transfer variable values between the injected DLL and the host system. This allows an adversary to pass the payload value into the loader.

5.      String and function calls obfuscation

The loader hides the Win32 API external calls from the Import Address Table (IAT) and both function names and pascal strings are encoded, making it more challenging for static analysis tools to identify and block the malicious code.

6.      Mortar covert reload subroutine

Mortar Loader v3 introduces a novel technique for persistence, ensuring the malicious payload remains active and operational even if terminated prematurely. This approach utilizes threaded timers to continuously monitor the payload execution status. If the payload is terminated, the attack chain is automatically reloaded, effectively reactivating the malicious code without user intervention. This strategy enables Mortar Loader to maintain persistent execution as long as the parent process remains active, making it a persistent threat to the system.

7.     Delayed execution techniques

To further evade detection by sandboxing or AV emulators, Mortar Loader v3 employs delay execution techniques.

To run Mortar Loader, users must compile the source code themselves. Precompiled binaries are intentionally not released to prevent indexing by public scanners. The compilation process is relatively straightforward when utilizing the Lazarus FPC IDE. The project structure is designed for ease of use, making it accessible even for developers with limited experience.

To use Mortar Loader, first encrypt the payload (for example, a PE, shellcode, or Cobalt Strike payload) using the Encryptor. The screenshot below shows the encryption process.