[QUESTION] Make LaZagne undetectable to get saved passwords in Python
#1
So I just did my first ransomware in Python. It's pretty basic but works fine: it encrypts all files and sends an email with the key to decrypt the files and a unique ID with some other information about the user's PC, and it's not being detected by AV.

Right now I'm trying to get users' passwords with https://github.com/AlessandroZ/LaZagne. I did a method to download the release LaZagne exe file from GitHub to the user's PC and execute it so I can get the passwords and send them to my email like I did before. The problem is that the program is getting detected by AV, which I expected because it's open source and public. I tried to obfuscate it with https://pypi.org/project/pyarmor (which I don't really know if it works to bypass AV), but the code is too big for the free trial version.

What do you think I should do to make it UD without having to rewrite all the code myself?
#2
Before I answer your questions, can I ask you a question? When you posted the links in this thread, you used BB code in order to make your URLs appear as something they're not, correct?

Did you post them from a template and forget to switch out the placeholders for the real thing? Lmao. Because it sure looks that way.

[Image: a-cleaned.png]
#3
(05-08-2021, 05:52 PM)Vector Wrote: Before I answer your questions, can I ask you a question? When you posted the links in this thread, you used BB code in order to make your URLs appear as something they're not, correct?

Did you post them from a template and forget to switch out the placeholders for the real thing? Lmao. Because it sure looks that way.

He put URLs into URLs so they got messed up. I thought I had fixed them, but apparently not. Anyways, I think the text is understandable. Big Grin
#4
(05-08-2021, 06:01 PM)enmafia2 Wrote: He put URLs into URLs so they got messed up. I thought I had fixed them, but apparently not. Anyways, I think the text is understandable. Big Grin

Thanks for the clarification. For a second there I thought OP was trying to post malicious links by hiding them in BB code but forgot to add the proper URLs, lmao.


Anyway, with that out of the way, what kind of passwords are you trying to get, OP? I ask because the method might be different if you want passwords for websites, payment processors and the like, or Windows credentials, etc.
#5
(05-08-2021, 05:52 PM)Vector Wrote: Did you post them from a template and forget to switch out the placeholders for the real thing? Lmao. Because it sure looks that way.
I fixed it now. I was using the [url=] syntax of MyCode from the Help Documents; it may be a bug, because I'm almost sure I did it the right way.

I mainly want to get saved passwords from the browsers, but the LaZagne project also gets other passwords like Git and KeePass; you can see all the supported software in the GitHub repo.

That's why I want to use it, but I'm thinking of rewriting the code myself just to get the browsers' saved passwords, because at the moment I don't know much about antivirus evasion to make the whole code undetectable.
#6
(05-08-2021, 07:17 PM)zettabyte Wrote:
(05-08-2021, 05:52 PM)Vector Wrote: Did you post them from a template and forget to switch out the placeholders for the real thing? Lmao. Because it sure looks that way.
I fixed it now. I was using the [url=] syntax of MyCode from the Help Documents; it may be a bug, because I'm almost sure I did it the right way.

I mainly want to get saved passwords from the browsers, but the LaZagne project also gets other passwords like Git and KeePass; you can see all the supported software in the GitHub repo.

That's why I want to use it, but I'm thinking of rewriting the code myself just to get the browsers' saved passwords, because at the moment I don't know much about antivirus evasion to make the whole code undetectable.

If you want all the passwords, you might as well write a keylogger, right? Plus, even if you borrow functionality from LaZagne, having your own piece of software that does the trick is going to be more efficient.

Since we're talking Python, you could write your password extractor as a module; that way you have a specialized lib you can use in any future malware projects. I wanted to mention something about AV evasion as well. There are a lot of things you can try if you are so inclined, but generally speaking there are a few techniques that are most commonly used. Forget about obfuscating your Python source; if you're targeting Windows, just make sure to compile to exe with UPX enabled. As you probably know, UPX is an executable packer that compresses parts of your exe, which, simply put, makes it a little harder for AV to detect it as malicious. The same goes for crypters; those work differently, but the outcome is the same. The point is to fundamentally alter your executable to make it less likely to be detected. Writing a dropper and running the bulk of your malicious operations directly in memory will help also. Outsourcing malicious operations to native utilities is also something you can do if you have the appropriate privileges, or the knowledge to know which utilities (including DLLs) are exploitable.

As long as your executable survives being dropped on target, you have a good chance to be able to execute all the native Windows languages inline as well: PowerShell, VBS and even .NET stuff like C# if the .NET Framework is present. Which is pretty amusing, in my opinion.

Anyway just wanted to give you a quick overview.
#7
Hey,

I used LaZagne a couple of times a while ago, but it's starting to be a bit outdated. I don't really know how to use other PIDs with Python in Windows, but it's a bit of a waste of time to find a tool that gives you a safe exe from an infected exe. The same behavior will be detected by AV and it will probably be blocked anyway.

In fact, the better way is either to find another way to get passwords (there are plenty of other projects; some of them, more recent, might be more discreet) or to find a way to execute it in another trusted process.

What is the final form of your code? A simple unsigned exe? It will be blocked, dude.

(05-08-2021, 09:35 PM)Vector Wrote:
(05-08-2021, 07:17 PM)zettabyte Wrote:
(05-08-2021, 05:52 PM)Vector Wrote: Did you post them from a template and forget to switch out the placeholders for the real thing? Lmao. Because it sure looks that way.
I fixed it now. I was using the [url=] syntax of MyCode from the Help Documents; it may be a bug, because I'm almost sure I did it the right way.

I mainly want to get saved passwords from the browsers, but the LaZagne project also gets other passwords like Git and KeePass; you can see all the supported software in the GitHub repo.

That's why I want to use it, but I'm thinking of rewriting the code myself just to get the browsers' saved passwords, because at the moment I don't know much about antivirus evasion to make the whole code undetectable.

If you want all the passwords, you might as well write a keylogger, right? Plus, even if you borrow functionality from LaZagne, having your own piece of software that does the trick is going to be more efficient.

Since we're talking Python, you could write your password extractor as a module; that way you have a specialized lib you can use in any future malware projects. I wanted to mention something about AV evasion as well. There are a lot of things you can try if you are so inclined, but generally speaking there are a few techniques that are most commonly used. Forget about obfuscating your Python source; if you're targeting Windows, just make sure to compile to exe with UPX enabled. As you probably know, UPX is an executable packer that compresses parts of your exe, which, simply put, makes it a little harder for AV to detect it as malicious. The same goes for crypters; those work differently, but the outcome is the same. The point is to fundamentally alter your executable to make it less likely to be detected. Writing a dropper and running the bulk of your malicious operations directly in memory will help also. Outsourcing malicious operations to native utilities is also something you can do if you have the appropriate privileges, or the knowledge to know which utilities (including DLLs) are exploitable.

As long as your executable survives being dropped on target, you have a good chance to be able to execute all the native Windows languages inline as well: PowerShell, VBS and even .NET stuff like C# if the .NET Framework is present. Which is pretty amusing, in my opinion.

Anyway just wanted to give you a quick overview.

Vector is right about building your own piece of code. It's a general rule: the more you do things your own way, the more original and personal you will be, and you will always be more secure and more likely to evade AV... I understand it's a lot of work, but you can create a tool that will start it.

I gave you this link (C++), but there are 2 final exes: one to encrypt an exe, and the other to start the encrypted exe. Maybe that will help.
https://github.com/hasherezade/pe_to_shellcode
#8
(05-08-2021, 09:35 PM)Vector Wrote: If you want all the passwords, you might as well write a keylogger, right? Plus, even if you borrow functionality from LaZagne, having your own piece of software that does the trick is going to be more efficient.

Yeah, a keylogger would be useful in the future if I had a reverse connection, but I can't use it right now with the ransomware.

(05-08-2021, 09:35 PM)Vector Wrote: Since we're talking Python, you could write your password extractor as a module; that way you have a specialized lib you can use in any future malware projects. I wanted to mention something about AV evasion as well. There are a lot of things you can try if you are so inclined, but generally speaking there are a few techniques that are most commonly used. Forget about obfuscating your Python source; if you're targeting Windows, just make sure to compile to exe with UPX enabled. As you probably know, UPX is an executable packer that compresses parts of your exe, which, simply put, makes it a little harder for AV to detect it as malicious. The same goes for crypters; those work differently, but the outcome is the same. The point is to fundamentally alter your executable to make it less likely to be detected. Writing a dropper and running the bulk of your malicious operations directly in memory will help also. Outsourcing malicious operations to native utilities is also something you can do if you have the appropriate privileges, or the knowledge to know which utilities (including DLLs) are exploitable.

Thanks for the advice. I didn't know about UPX; I will try it later for sure. I'm also going to study crypters and droppers so maybe I can make one in the future.

When you say running it directly in memory, is it like getting the main code from a C2 server or pastebin and running it without creating any files?

(05-09-2021, 05:15 PM)jean_valjean Wrote: What is the final form of your code? A simple unsigned exe? It will be blocked, dude.

Yes, it would be an unsigned exe. I don't know if there's a way of doing it without the SmartScreen warning appearing, but with social engineering some users would still execute it.

(05-09-2021, 05:15 PM)jean_valjean Wrote: I gave you this link (C++), but there are 2 final exes: one to encrypt an exe, and the other to start the encrypted exe. Maybe that will help.

https://github.com/hasherezade/pe_to_shellcode

Thanks man, I will take a look at it.