
Higher Level Malware


This talk is about developing malware in higher level languages. Languages such as Python or C# can give you the flexibility to quickly develop malware and use it on client engagements.


  1. Higher Level Malware (@ChrisTruncer, @Evan_Pena2003)
  2. Whoami?
     ● Christopher Truncer (@ChrisTruncer)
       ○ Sys Admin turned Mandiant’s West Coast Red Team
       ○ Florida State Seminole
       ○ Open Source Software Developer
         ■ The Veil Framework
         ■ Egress-Assess
         ■ EyeWitness
         ■ Just-Metadata
         ■ etc.
  3. Whoami?
     ● Evan Pena (@Evan_Pena2003)
       ○ Mandiant’s West Coast Red Team Lead
       ○ Open Source Software Developer
         ■ ADEnumerator
         ■ NessusCombiner
         ■ NMapParser
         ■ Etc.
  4. What’s this talk about?
     ● Concepts of how malware generally works
     ● Injection Basics
       ○ Shellcode Injection
       ○ Process Injection
     ● Client Development Basics
     ● Server Development Basics
     ● AV Detection
     ● Sample Custom Malware
  5. Malware Basics
  6. How does malware generally work?
     ● The most basic/traditional example is the standard client-server model
       ○ Malware is downloaded and executed on a victim’s machine
       ○ Malware connects back to the server, registers the agent and checks whether there are any instructions
       ○ Malware periodically checks back in looking for more instructions
  7. Other Variants
     ● Worms
       ○ Automated propagation
     ● Ransomware
       ○ Can fall under worms
       ○ Infects and encrypts personal data
     ● Logic Bombs
       ○ Don’t see this much
       ○ Typically lie dormant until a trigger (date) and then wreak havoc
  8. What do we normally use?
     ● We typically use normal RATs which follow the client/server standard
       ○ Meterpreter
       ○ Beacon
       ○ Custom code
     ● We don’t enable code to self-propagate
     ● We don’t enable code to perform destructive actions
     ● Usually, our use of malware is to help facilitate access and execute “tasks” on the victim machine
  9. RATs
     ● When breaking into a system, it’s highly probable you will need to account for Anti-Virus
     ● Using widely published tools/callback generators can increase the likelihood of detection
       ○ Metasploit, UPX packers, even Veil-Evasion at times
     ● Custom code is your way around AV
  10. RAT Functionality
     ● C2 comms that check in
     ● Ability to execute command line commands
     ● Ability to inject shellcode
     ● Ability to inject shellcode into remote processes
  11. Server Functionality
     ● Server isn’t obvious upon first analysis
       ○ Any true IR pro will discover its intent
     ● Anti-replay detection/prevention
       ○ Same URI twice, or not a whitelisted URI? Ban/block the offending IP
     ● Track and manage multiple agents
     ● Handle data gathered by the agent and submitted to the server
  12. Shellcode Injection
  13. Shellcode Injection
     ● This is (usually) performed by stagers
       ○ Their goal is typically to download and inject a reflective DLL
     ● Any language that has access to the Windows API can have its own shellcode injection functionality
     ● While this sounds complicated, it’s an easy step
       ○ You only need to call four functions
  14. Shellcode Injection
     ● The main concept is:
       ○ Allocate memory for the shellcode
       ○ Copy the shellcode you want to run into the memory that was just allocated
       ○ Create a thread that executes the shellcode
       ○ Wait for the thread to exit (let it run)
  15. VirtualAlloc
     ● This function allocates memory
     ● It takes the following input for our use:
       ○ (Optional) Location to start allocating memory: NULL
       ○ The amount (size) of memory to allocate
       ○ A value specifying to both reserve and commit the memory
       ○ A value giving this section of memory RWX permissions
  16. RtlMoveMemory
     ● This copies the shellcode into the memory we previously allocated
     ● It takes the following input for our use:
       ○ A pointer to the location in memory where space has been allocated
       ○ The location of the data that needs to be moved
       ○ The length of the data being moved (length of the shellcode)
  17. CreateThread
     ● This creates a thread to execute the shellcode
     ● It takes the following input for our use:
       ○ NULL value (security attributes)
       ○ NULL value (stack size specification)
       ○ Pointer to the start of the shellcode
       ○ NULL value (no variables)
       ○ “0”: thread runs immediately
       ○ “0”: don’t need a thread identifier
  18. WaitForSingleObject
     ● This tells the program to allow the thread to execute
     ● It takes the following input for our use:
       ○ A handle to the thread that was just created
       ○ The value “-1” to tell the program to wait to exit until the thread exits
  19. Added Shellcode Injection with C#
     Wouldn’t it be cool to have that in a C# RAT stager? More to come, people!
  20. I didn’t take the “write shellcode class”
  21. Shellcode 101 Class: use tools!
  22. Cobalt Strike Beacon and Meterpreter Shellcode
     ● Beacon listeners are compatible with MSFVenom-generated shellcode
       ○ As long as you use shellcode for the same “type” of payload
         ■ meterpreter/reverse_https == beacon reverse https
         ■ meterpreter/reverse_http == beacon reverse http
  23. Process Injection
  24. Process Injection
     ● This is relatively similar to shellcode injection.
     ● You’re not allocating space in your own process; you are doing it in another (remote) process.
     ● This is also done in four steps:
       ○ Obtain a handle to the remote process
       ○ Allocate memory for your shellcode in the remote process
       ○ Write the shellcode to the remote memory space
       ○ Create a thread in the remote process
  25. OpenProcess
     ● This provides a handle to the process we want to inject shellcode into
     ● This takes three inputs
       ○ The level of access requested (all access)
       ○ Specifying that new processes don’t inherit the handle
       ○ The process ID of the process that will have shellcode injected into it
  26. VirtualAllocEx
     ● This allocates memory in a remote process
     ● It takes five inputs
       ○ A handle to the remote process
       ○ Allow the function to determine where to allocate memory
       ○ The length of the shellcode
       ○ Specify to the function to allocate the required memory
       ○ The permissions on the memory that’s being allocated
  27. WriteProcessMemory
     ● This writes the shellcode to inject into the remote process
     ● This takes five inputs
       ○ A handle to the remote process
       ○ A pointer to the address in memory to write to
       ○ A variable containing the shellcode to inject
       ○ The length of the shellcode being injected
       ○ A NULL value since we don’t care about the number of bytes written
  28. CreateRemoteThread
     ● This starts a remote thread to execute the shellcode
     ● This takes seven inputs
       ○ Handle to the remote process
       ○ NULL and 0, specifying security attributes and stack size
       ○ Pointer to the location in memory containing the code to run
       ○ 0, 0, 0: not passing a variable in, thread runs immediately, and we don’t care about the thread ID
  29. Added Process Injection with C#
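The two call chains described in slides 14 to 18 (VirtualAlloc with RWX, RtlMoveMemory, CreateThread) and 24 to 28 (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) are exactly the sequences an analyst looks for in API telemetry. The following detection example is added here and is not code from the talk or its linked gists; the trace format, pids and argument values are constructed sandbox-style output, with pid 6100 being a plain read/write allocation that should not fire.

```python
from collections import defaultdict
# Constructed sandbox-style API trace (not from the talk); one call per line:
#   <pid> <api> <arg1,arg2,...>  with hex integers in Win32 argument order
TRACE = """\
4120 VirtualAlloc 0x0,0x1000,0x3000,0x40
4120 RtlMoveMemory 0x1f0000,0x7e0,0x1000
4120 CreateThread 0x0,0x0,0x1f0000,0x0,0x0,0x0
5008 OpenProcess 0x1fffff,0x0,0x12c
5008 VirtualAllocEx 0x1c4,0x0,0x1000,0x3000,0x40
5008 WriteProcessMemory 0x1c4,0x2a0000,0x5d0,0x1000,0x0
5008 CreateRemoteThread 0x1c4,0x0,0x0,0x2a0000,0x0,0x0,0x0
6100 VirtualAlloc 0x0,0x1000,0x3000,0x4
"""

PAGE_EXECUTE_READWRITE = 0x40  # the RWX protection the slides request
CHAINS = {  # ordered call chains from the shellcode and process injection slides
    "self-injection": ["VirtualAlloc", "RtlMoveMemory", "CreateThread"],
    "remote injection": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
}

def parse(trace):
    """Group calls by pid in call order: {pid: [(api, [int args]), ...]}."""
    calls = defaultdict(list)
    for line in trace.splitlines():
        pid, api, args = line.split(" ", 2)
        calls[int(pid)].append((api, [int(a, 16) for a in args.split(",")]))
    return calls

def chain_present(calls, chain):
    """True if the chain's APIs occur in this order; unrelated calls may sit between them."""
    idx = 0
    for api, _ in calls:
        if api == chain[idx]:
            idx += 1
            if idx == len(chain):
                return True
    return False

def rwx_allocation(calls):
    """True if a VirtualAlloc/VirtualAllocEx asked for RWX (flProtect is the last argument)."""
    return any(api in ("VirtualAlloc", "VirtualAllocEx") and args[-1] == PAGE_EXECUTE_READWRITE
               for api, args in calls)

def detect(trace):
    """Map pid -> names of the injection chains seen, only when an RWX allocation backs them."""
    findings = {}
    for pid, calls in parse(trace).items():
        hits = [name for name, chain in CHAINS.items() if chain_present(calls, chain)]
        if hits and rwx_allocation(calls):
            findings[pid] = hits
    return findings
```

Requiring the RWX allocation alongside the ordered chain keeps ordinary thread creation or memory copies from tripping the rule on their own.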
  30. Keylogging
  31. Keylogging
     ● We’ll make a Python-based keylogger for this example
     ● It’s pretty simple, and can be packaged into an executable
     ● Best part, there’s already public code for it!
       ○ Needed small mods
     ● Can be run from user level (don’t need admin rights)
  32. Client/Agent Development Basics
  33. Malware Agents
     ● Need to egress network boundaries
       ○ HTTP(S) is likely easiest to use
     ● Want to have secure comms with the server
     ● Need to be able to receive commands OR have the commands already built into them
       ○ Also need to be able to send back results
     ● Need to evade antivirus
  34. Server Development Basics
  35. C2 Servers
     ● Should not immediately stand out as a C2 server
       ○ Some sort of security through obfuscation
     ● Protect against replay attacks
     ● Ensure secure communications with agents
     ● Track multiple agents and have the ability to issue individual commands
  36. AV Detection
  37. AV Detection
     ● So I’m going to tell a story here about how I failed for this presentation
  38. Sample Custom Malware
  39. Case Study: Enumerator
     ● Client didn’t want actual shellcode injection and infection of their environment
     ● They wanted intel collection from the systems where the payloads were executed
     ● The data gathered by the script/malware needed to egress the network to our listening server
  40. “Agent” Code
  41. “Server” Code
  42. Agent Side / Server Side
  43. Same Same, but C#. Case Study: Reverse Shell
  44. Agent Code
  45. Server Code
  46. Agent Side / Server Side: you literally just run the exe….
  47. Injecting Meterpreter as Shellcode
  48. Building Out a C# RAT
     ● Wanted a custom quick RAT that I could use upon initial compromise
     ● Benefits:
       ○ Can be quickly modified to evade AV signatures
       ○ Provides you initial cmd access to the compromised system for quick tasks:
         ■ Recon/enumeration
         ■ Adding user accounts
         ■ Persistence
       ○ Can be easily modified to add more functionality:
         ■ persistence, shellcode injection, process injection, encrypted comms, encrypted payloads
       ○ Used as a stager: added shellcode and process injection to inject a more complete RAT into memory and avoid detection. (Yes, that comes with my version!)
  49. Introducing DarkLink
  50. DarkLink Overview
     ● Really simple $h!7, but quick and easy
     ● What is it?
     ● C# dropper that will download and execute your arbitrary payload
     ● Will persist the payload automatically
     ● Bottom line: quick persistence/dropper for your actual payload
  51. Fun Persistence Techniques
     ● Checks for Internet using
     ● Downloads payload to a folder it can write to
     ● Checks to see what software is installed
     ● Will schedule a task OR modify the registry
  52. Little Bit More Detail
     ● What folders does it check?
       ○ C:\Program Files (x86)\Adobe\Reader 10.0\Reader
       ○ C:\Program Files (x86)\Adobe\Flash Player
       ○ C:\Program Files (x86)\Java\jre7\bin
       ○ C:\Program Files (x86)\Google\Chrome\Application
       ○ C:\Program Files (x86)\Mozilla Firefox
     ● Checks all versions of Adobe and Java
     ● Will check for Program Files if x86 doesn’t exist
     ● Depending on results, will create an “update” executable, e.g. AdobeUpdater.exe
     ● Supports registry persistence and scheduled task
     ● Much more to add! Fork it and add it
       ○ WMI persistence, permissions checks, service creation, see Bsides talk
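The drop locations and persistence methods in slides 51 and 52 translate directly into a host audit: list the Run-key values and scheduled-task actions, and flag any unsigned executable that lives inside one of those vendor folders (or their plain Program Files fallback). This is an added defender-side example, not part of the talk or of DarkLink; the autostart inventory, entry names and the `signed` verdict are constructed, and a real deployment would fill them from the registry, the task scheduler and Authenticode checks.

```python
from pathlib import PureWindowsPath

# Vendor folders the DarkLink slide names, plus the plain Program Files fallback it also checks
DROP_DIRS = [
    r"C:\Program Files (x86)\Adobe",
    r"C:\Program Files (x86)\Java",
    r"C:\Program Files (x86)\Google\Chrome\Application",
    r"C:\Program Files (x86)\Mozilla Firefox",
]
DROP_DIRS += [d.replace(" (x86)", "") for d in DROP_DIRS]

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed autostart inventory (Run-key values and scheduled-task actions); the names,
# paths and the "signed" verdict are made up for this example, not taken from a real host.
AUTOSTARTS = [
    {"source": RUN_KEY, "name": "AdobeUpdater", "signed": False,
     "image": r"C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AdobeUpdater.exe"},
    {"source": "SchTask", "name": "GoogleUpdateTaskMachineUA", "signed": True,
     "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"source": "SchTask", "name": "FlashHelper", "signed": False,
     "image": r"C:\Program Files\Adobe\Flash Player\FlashHelper.exe"},
    {"source": RUN_KEY, "name": "Firefox Agent", "signed": True,
     "image": r"C:\Program Files (x86)\Mozilla Firefox\default-browser-agent.exe"},
]

def under(path, root):
    """True if path sits inside root (case-insensitive, Windows path semantics)."""
    p, r = PureWindowsPath(path.lower()), PureWindowsPath(root.lower())
    return r == p or r in p.parents

def audit(entries):
    """Names of autostart entries whose image is unsigned and lives in a listed vendor folder."""
    return [e["name"] for e in entries
            if not e["signed"] and any(under(e["image"], d) for d in DROP_DIRS)]
```

A signed vendor updater in its own folder is the expected baseline, so the unsigned-plus-location combination is what separates a dropped "AdobeUpdater.exe" from the real thing.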
  53. Wrapup
     ● This stuff is quick and easy to develop
       ○ You don’t need to be a “developer” to write your own malware/stagers
     ● Everything we talked about is mostly used for initial access.
       ○ You don’t want to burn your full-blown RAT (pawn)
       ○ You might just need initial persistence quickly
       ○ Can be modified to expand functionality and bypass AV
  54. Links to Code/Projects
     ● Shellcode Injection: https://gist.github.com/ChrisTruncer/183ed7e4388388771654fd8cf7e91e2a
     ● Process Injection: https://gist.github.com/ChrisTruncer/ee11640831eca846d18d12e8ee193f77
     ● Keylogger: https://github.com/ChrisTruncer/PenTestScripts/blob/master/keylog
  55. Links to Code/Projects
     ● Keylogger: https://github.com/ChrisTruncer/PenTestScripts/blob/master/keylogg
     ● DarkLink:
     ● ReverseShell C#:
  56. Questions?
     ● Chris Truncer (@ChrisTruncer)
     ● Evan Pena (@evan_pena2003)