How are the big bois doing SE payload attacks now?
#1
Hi everyone,
I've proudly written a metamorphic ransomware in assembly which is (as of 14/07/2021) FUD and will probably be for a big while.

Anyhow, now my big problem is trying to deliver it. As we all know, Microsoft did a huge crackdown on the "evil macros" on office docs about 2 months ago. This used to be my main way of spreading any payload which went FUD and wasn't too suspicious.

So, how can I spread my malware now? Sending exes in mail is frowned upon by any spam agency and a plethora of alerts pop up when I do so. Sending a .bat is too sketchy as well and the .lnk trick has also been fixed.

I know that most of the big guys in the ransomware industry are using 0 day exploits, but since that isn't one of my strengths, I wondered if they had any "SE" way of doing it. Just anything that'll make a user execute a binary...

TL;DR: How do people spread their malware on specific companies nowadays (excluding 0 day exploits)?
#2
Can't say I have any operational experience with actual SE lately. Back in my day people used to use Java drive-bys Smile Ancient crap...

But anyways just some ideas I have:

VB macros in Excel documents: Sure MS probably got the word doc exploits patched. But if you have an Excel document as a dropper it will ask permission from the user to activate the macro. Most office workers aren't that tech savvy and will just run/allow this anyway without any deeper thought. There are cases when actors have used SE in this document to allow macros using excuses like it's a "confidential/encrypted" document etc. See example:
- http://explore.bowbridge.net/hs-fs/hubfs...ware-1.jpg
- http://explore.bowbridge.net/hs-fs/hubfs...ware-2.jpg
- http://explore.bowbridge.net/hs-fs/hubfs...ware-3.jpg
Full article: https://blogs.sap.com/2017/02/06/macro-m...d-to-know/

But of course MS will want to try to analyze this macro. But it's just vbscript. Like any other language there's ways to evade AVs through different methods. We have many threads about this. But I recommend this thread for starters: https://greysec.net/showthread.php?tid=6805

You can also do similar things if you maybe leverage HTA files: HTML Executable. Another idea I guess would be to try instead of using exe-files: Find executable file extensions that are lesser known to the end user. For example: .com (batch), .scr (screensaver) and more... See more ideas on fringe file extensions you can embed code with: https://aerorock.co.nz/list-of-executabl...s-windows/ If Outlook blocks you from attaching these files you can try archiving it in a .rar or similar.

And while writing this, another interesting idea I got: Poor man's DLL Hijacking.

Create a dropper in .DLL file extensions using lolbins (law of the land binaries). In windows you can use certutil: https://blog.carnal0wnage.com/2017/08/ce...files.html

Get a legitimate software installation. Replace one of the DLLs with your own fake one. And have the installation file execute this dropper file during the installation.

Not sure if this actually works. I haven't tried it myself.

But if we're speaking of more recent exploit developments, you might want to look into the recent "Chromium File spoofing" flaw: https://dl.packetstormsecurity.net/paper...lename.pdf (CVE-2021-2112). The gist of it is that you can spoof .gif files and more to actually be other files when downloading the file. If you can maybe create a payload site that looks for vulnerable browser versions you could get yourself a nice targeted SE campaign.

Also another older but interesting method: Binary planting. I am not sure if this still works. But last time I tried it, it did work. The gist of it is to get the victim to download 2 files: one exe-file called "msiexec.exe" and one broken/corrupt pdf file. If both of these files are in the same folder (for example, the download folder) and the victim opens the pdf file: When the file is corrupted the pdf reader will try to look for "msiexec.exe" to fix this broken file. And it will execute the closest file it can find. In this case our fake msiexec.exe in the downloads folder.

More info:
- https://blog.acrossecurity.com/2012/02/d...nting.html
- https://www.acrossecurity.com/papers/RSA...anting.pdf
- https://isc.sans.edu/forums/diary/Malwar...les/23349/
- http://pwnwiki.io/#!persistence/windows/binary.md

This is some old crap though. Last time I tried this experiment it was back in 2012/2013. But I am sure similar binary planting attacks are still possible in the wild.

Just my 2 cents on it all!
#3
(07-14-2021, 04:47 PM)GreenHorse Wrote: TL;DR: How do people spread their malware on specific companies nowadays (excluding 0 day exploits)?

Besides what I just mentioned above (how to create a cool dropper), how to spread the dropper I did not address. But I would say that if you want to target a specific organization/company you might want to do some research on the company's online presence. Cyber-stalk the employees:
- Use google dorks to find email addresses.
- Use google dorks to find pdf files, documents etc. Analyze these documents for useful exif-data. Sometimes they contain useful info like names, usernames & emails.
- Use tools like "theharvester" to scrape emails.
- If you have a leaked DB collection, use grep-like tools with regex and look up the domain. See example: Or use an online service, I recommend snusbase.

More cool links for this (OSINT):
http://www.irongeek.com/i.php?page=video...ting-recon
https://resources.infosecinstitute.com/t...naissance/

When you have gathered this information you can try to create a spear phishing campaign for these specific users. For example pretend to be their managers, coworkers or maybe HR? And send them targeted emails with your crafted droppers.

Maybe try to be creative and find something that wakes interest and curiosity in the targets. Take this phishing campaign for example: Sent fake Covid info to the employees during the start of corona: https://www.aarp.org/money/scams-fraud/i...virus.html (I am not one to condone fraud but it's always interesting to know how it works).

Or maybe during Christmas you can send an email regarding Christmas giftcards? Send an email about x holidays etc? Using spoofed emails will probably be pretty futile considering all the spam protection unless you have the resources to hijack IPs with BGP hijacking. Otherwise it might be better to either try to get similar misspelt domains or maybe use homoglyphs to create an identical domain (using special chars).

If you're hosting the payload externally on another site then maybe a cool idea would be to look for an open redirect vulnerability somewhere on a legit site. In my experience most sites don't take these vulns too seriously and they have low priority for fixes.

For example open redirect on paypal: paypal.com/example.php?urlopen=https://payloadsite.com

Maybe that or play around with <a> tags in the email. Or maybe if the dropper is small enough you can use html smuggling with data URI:
https://www.gdatasoftware.com/blog/2019/...are-github
https://lukeleal.com/research/posts/php-...-analysis/

Just some ideas. Sorry for spam Wink Just a bit bored tonight.
#4
Hi Insider,
First and foremost, I must thank you very much for such a detailed response. Please, whenever answering my posts never fear of being too spammy. I've already spent dozens of hours reading posts you've written (which by the way, I must congratulate and thank you for). So I always welcome elaborate answers.

Let's start about the main topic, this being the VB Macros in any office file:
It now seems that ANY attempt at creating a shell object in VBS instantly gets flagged by Windows Defender. This used to be bypassed by using an "external" program to create such a shell, e.g. Outlook. Unfortunately, this includes Excel files.
Microsoft did a big crack down on macros in March, see here [clearnet link]: https://www.zdnet.com/article/microsoft-...el-macros/

I knew about HTA files but I've never tried them myself. I'll take a look into it and do some tests. As for the unknown executable extensions; I wasn't aware about most of them! I'll find the article that you sent me very useful. 

On the "poor man's dll" subject, I've studied a bit how people nowadays do .dll injections into native Windows apps, and I've done a few tests myself. What I haven't done is use dll injections as a method of delivery. The idea seems very intriguing. The problem is that I'm awfully bad at modifying compiled code which wasn't written by me, so I think modifying the installer will take me some time. That being said, I do not discard the idea for I find it really really interesting.

Now, about the topic of spear phishing. I've mainly used leaked databases to get the emails from employees these past years and it works pretty well. I get plenty of them and about 80% still work. The two ideas you provided for SE were fantastic; and as for the email I use, it's almost always a misspelt domain (using homoglyphs) purchased from Njal.la using Monero (really recommend the site).

I usually host my payload on the same VPS I have my C2 server on. I use a dodgy Russian site but it has incredible prices (we're talking $1.5/month for a VPS with IPv4).

I was also unaware of html smuggling with data URI. Will read in detail the articles to see what it's about.

Again Insider, thank you very much for the responses.
Looking forward to talking again.

GreenHorse
#5
(07-15-2021, 07:33 PM)GreenHorse Wrote: Hi Insider,
First and foremost, I must thank you very much for such a detailed response. Please, whenever answering my posts never fear of being too spammy. I've already spent dozens of hours reading posts you've written (which by the way, I must congratulate and thank you for). So I always welcome elaborate answers.

No problem! Glad to hear it Smile

(07-15-2021, 07:33 PM)GreenHorse Wrote: Let's start about the main topic, this being the VB Macros in any office file:
It now seems that ANY attempt of creating a shell object on VBS instantly gets flagged by windows defender. This used to be bypassed by using an "external" program to create such shell i.e: Outlook. Unfortunately, this includes excel files. 
Microsoft did a big crack down on macros in March, see here [clearnet link]: https://www.zdnet.com/article/microsoft-...el-macros/

Interesting, I was unaware of this. I work with VBScript quite a lot in my daily job (the pain of working with ancient legacy software...) but I think I'll do some experiments with this to see if I can bypass it.

Maybe creating a dropper without spawning a shell object would be something to try?

(07-15-2021, 07:33 PM)GreenHorse Wrote: I knew about HTA files but I've never tried them myself. I'll take a look into it and do some tests. As for the unknown executable extensions; I wasn't aware about most of them! I'll find the article that you sent me very useful. 

Yeah, I've never tried this myself but I have a friend who's been playing around with this. Looks interesting.

(07-15-2021, 07:33 PM)GreenHorse Wrote: On the "poor man's dll" subject, I've studied a bit how people nowadays do .dll injections into native Windows apps, and I've done a few tests myself. What I haven't done is use dll injections as a method of delivery. The idea seems very intriguing. The problem is that I'm awfully bad at modifying compiled code which wasn't written by me, so I think modifying the installer will take me some time. That being said, I do not discard the idea for I find it really really interesting.

Yeah. Ideally maybe the most fud way would be to append the malicious code in a dll while still keeping the original functionality. Would require some reverse engineering of the application. But maybe a tad bit easier if the software is open source?

Just adding and replacing a DLL with your own payload would execute the code but leave a corrupted install or maybe a crash? Not exactly stealthy from the end user's point of view.

(07-15-2021, 07:33 PM)GreenHorse Wrote: Now, about the topic of spear phishing. I've mainly used leaked databases to get the emails from employees these past years and it works pretty well. I get plenty of them and about 80% still work. The two ideas you provided for SE were fantastic; and as for the email I use it's almost always a miss-spelt domain (using homoglyphs) purchased from Njal.la using Monero (really recommend the site).

Yeah. Can't say I've done any of this myself but I always like to study what other groups are doing. Njala is pretty cool, unique in the way that no whois info is connected to you. They own the domain if I remember correctly. Probably fine as long as you don't host any right wing content. I've heard that the owner is pretty left wing leaning. Peter Sunde, former spokesperson of The Pirate Bay and current owner of IPredator VPN. I'd like to give it a try some time. Amazing that you only need an XMPP account to register, you don't even need to use an email if you prefer not to. Privacy by design as they call it.
#6
(07-14-2021, 09:21 PM)Insider Wrote: [...]
Another idea I guess would be to try instead of using exe-files: Find executable file extensions that are lesser known to the end user. For example: .com (batch), .scr (screensaver) and more... See more ideas on fringe file extensions you can embed code with: https://aerorock.co.nz/list-of-executabl...s-windows/ If outlook blocks you from attaching these files you can try archive it in a .rar or similar.
[...]

Perhaps this here will be useful for the discussion. I leave it as a reference, but I've also never tried using alternative extensions.

https://www.file-extensions.org/
#7
(07-15-2021, 07:33 PM)GreenHorse Wrote: I usually host my payload on the same VPS I have my C2 server on. I use a dodgy russian site but it has incredible prices (we're talking 1.5$/month for a VPS with IPv4).

GreenHorse

Hi friend, sorry but I can't help you. Could you share the link for the dodgy Russian VPS site please? Here or in private.
Thank you friend,
Wish you good luck