This talk is about developing malware in higher-level languages. Languages such as Python or C# give you the flexibility to quickly develop malware and use it on client engagements.
2. Whoami?
● Christopher Truncer (@ChrisTruncer)
○ Sys Admin turned Mandiant’s West Coast Red Team
○ Florida State Seminole
○ Open Source Software Developer
■ The Veil Framework
■ Egress-Assess
■ EyeWitness
■ Just-Metadata
■ etc.
3. Whoami?
● Evan Pena (@Evan_Pena2003)
○ Mandiant’s West Coast Red Team Lead
○ Open Source Software Developer
■ ADEnumerator
■ NessusCombiner
■ NMapParser
■ Etc.
4. What’s this talk about?
● Concepts of how malware generally works
● Injection Basics
○ Shellcode Injection
○ Process Injection
● Client Development Basics
● Server Development Basics
● AV Detection
● Sample Custom Malware
6. How does malware generally work?
● The most basic/traditional example is your standard client-server model
○ Malware is downloaded and executed on a victim’s machine
○ Malware connects back to the server, registering the agent, and checks whether there are any instructions
○ Malware periodically checks back in looking for more instructions
7. Other Variants
● Worms
○ Automated propagation
● Ransomware
○ Can fall under worms
○ Infects and encrypts personal data
● Logic Bombs
○ Don’t see this much
○ Typically lie dormant until a trigger (e.g. a date) and then wreak havoc
8. What do we normally use?
● We typically use normal RATs which follow the client/server standard
○ Meterpreter
○ Beacon
○ Custom code
● We don’t enable code to self-propagate
● We don’t enable code to perform destructive actions
● Usually, our use of malware is to help facilitate access and execute “tasks” on the victim machine
9. RATs
● When breaking into a system, it’s highly probable you will need to account for anti-virus
● Using widely published tools/callback generators can increase the likelihood of detection
○ Metasploit, UPX packers, even Veil-Evasion at times
● Custom code is your way around AV
10. RAT Functionality
● C2 Comms that check-in
● Ability to execute command line commands
● Ability to inject shellcode
● Ability to inject shellcode into remote processes
11. Server Functionality
● Server isn’t obvious upon first analysis
○ Any true IR pro will discover its intent
● Anti-replay detection/prevention
○ Same URI twice, or not a whitelisted URI? Ban/block the offending IP
● Track and manage multiple agents
● Handle data gathered by an agent and submitted to the server
13. Shellcode Injection
● This is performed by stagers (usually)
○ Their goal typically is to download and inject a reflective DLL
● Any language that has access to the Windows API can implement its own shellcode injection functionality
● While this sounds complicated, it’s an easy step
○ You only need to call four functions
14. Shellcode Injection
● The main concept is:
○ Allocate memory for the shellcode
○ Copy the shellcode you want to run into the memory that was just allocated
○ Create a thread that executes the shellcode
○ Wait for the thread to exit (let it run)
15. VirtualAlloc
● This function allocates memory
● It takes the following input for our use:
○ (Optional) Location to start allocating memory - NULL
○ The amount (size) of memory to allocate
○ A value specifying to both reserve and commit the memory
○ A value giving this section of memory RWX permissions
16. RtlMoveMemory
● This will copy the shellcode into the memory we previously allocated
● It takes the following input for our use:
○ A pointer to the location in memory where space has been allocated
○ The location of the data that needs to be moved
○ The length of the data being moved (length of the shellcode)
17. CreateThread
● This creates a thread to execute shellcode
● It takes the following input for our use:
○ Null value (security attributes)
○ Null value (stack size specification)
○ Pointer to the start of the shellcode
○ Null value (no variables)
○ “0” - Thread runs immediately
○ “0” - Don’t need a thread identifier
18. WaitForSingleObject
● This makes the program wait for the thread to finish executing
● It takes the following input for our use:
○ A handle to the thread that was just created
○ The value “-1” to tell the program to wait to exit until the thread exits
20. Added Shellcode Injection with C#
Wouldn’t it be cool to have that in a C# RAT Stager?
More to come people!
23. Cobalt Strike Beacon and Meterpreter Shellcode
● Beacon listeners are compatible with MSFVenom-generated shellcode
○ As long as you use shellcode for the same “type” of payload
■ meterpreter/reverse_https == beacon reverse https
■ meterpreter/reverse_http == beacon reverse http
25. Process Injection
● This is relatively similar to shellcode injection.
● You’re not allocating space in your own process, you are doing it in another (remote) process.
● This is also done in four steps:
○ Obtain a handle to the remote process
○ Allocate memory for your shellcode in the remote process
○ Write the shellcode to the remote memory space
○ Create a thread in the remote process
26. OpenProcess
● This provides a handle to the process we want to inject shellcode into
● This takes three inputs
○ The level of access requested (all access)
○ Specifying that new processes don’t inherit the handle
○ The process ID of the process that will have shellcode injected into it
27. VirtualAllocEx
● This allocates memory in a remote process
● It takes five inputs
○ A handle to the remote process
○ Allow the function to determine where to allocate memory
○ The length of the shellcode
○ Flags telling the function to reserve and commit the required memory
○ The permissions on the memory that’s being allocated
28. WriteProcessMemory
● This writes the shellcode to inject into the remote process
● This takes five inputs
○ A handle to the remote process
○ A pointer to the address in memory to write to
○ A variable containing the shellcode to inject
○ The length of the shellcode being injected
○ A NULL value since we don’t care about the number of bytes being written
29. CreateRemoteThread
● This starts a remote thread to execute the shellcode
● This takes seven inputs
○ Handle to the remote process
○ NULL and 0, specifying security attributes and stack size
○ Pointer to the location in memory containing the code to run
○ 0, 0, 0 - Not passing a variable in, thread runs immediately, and we don’t care about the thread ID
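From the defender's side, the two call sequences just described (the four local calls and the four remote ones) are exactly what endpoint telemetry correlates on. As an added example that is not code from the talk, here is a Python correlator over a constructed API-call trace (the trace format is invented for this example) that flags a CreateThread started inside a region the process itself allocated RWX, and a CreateRemoteThread started at an address written into a process opened with PROCESS_ALL_ACCESS.

```python
import re
from collections import defaultdict

# Constructed API-call trace, one call per line: "<pid> <api>(<args>) = <ret>".
# The format is invented for this example; it is not any real tool's output.
SAMPLE_TRACE = """\
1001 VirtualAlloc(NULL,0x200,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE) = 0x00a10000
1001 RtlMoveMemory(0x00a10000,0x0041f000,0x200) = 0
1001 CreateThread(NULL,0,0x00a10000,NULL,0,NULL) = 0x1c4
1001 WaitForSingleObject(0x1c4,-1) = 0
2002 OpenProcess(PROCESS_ALL_ACCESS,FALSE,4408) = 0x2a0
2002 VirtualAllocEx(0x2a0,NULL,0x200,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE) = 0x01f40000
2002 WriteProcessMemory(0x2a0,0x01f40000,0x0041f000,0x200,NULL) = 1
2002 CreateRemoteThread(0x2a0,NULL,0,0x01f40000,NULL,0,NULL) = 0x2b8
3003 VirtualAlloc(NULL,0x1000,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE) = 0x00b20000
3003 CreateThread(NULL,0,0x00401000,NULL,0,NULL) = 0x1d0
"""
LINE_RE = re.compile(r"^(\d+) (\w+)\((.*)\) = (\S+)$")

def parse_trace(text):
    """Yield (pid, api, args, ret) for each well-formed trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).split(","), m.group(4)

def find_injections(text):
    """Return (pid, kind, target_pid) findings. 'self-injection': CreateThread starts
    at an address the process allocated RWX with VirtualAlloc. 'remote-injection':
    CreateRemoteThread starts at an address that was allocated RWX with
    VirtualAllocEx and filled by WriteProcessMemory through an all-access handle."""
    rwx_local = defaultdict(set)    # pid -> RWX regions allocated in its own process
    handles = defaultdict(dict)     # pid -> {process handle: target pid}
    rwx_remote = defaultdict(set)   # pid -> {(handle, addr)} allocated RWX remotely
    written = defaultdict(set)      # pid -> {(handle, addr)} filled by WriteProcessMemory
    findings = []
    for pid, api, a, ret in parse_trace(text):
        if api == "VirtualAlloc" and "PAGE_EXECUTE_READWRITE" in a[3]:
            rwx_local[pid].add(ret)
        elif api == "CreateThread" and a[2] in rwx_local[pid]:
            findings.append((pid, "self-injection", None))
        elif api == "OpenProcess" and "PROCESS_ALL_ACCESS" in a[0]:
            handles[pid][ret] = int(a[2])
        elif api == "VirtualAllocEx" and a[0] in handles[pid] and "PAGE_EXECUTE_READWRITE" in a[4]:
            rwx_remote[pid].add((a[0], ret))
        elif api == "WriteProcessMemory" and (a[0], a[1]) in rwx_remote[pid]:
            written[pid].add((a[0], a[1]))
        elif api == "CreateRemoteThread" and (a[0], a[3]) in written[pid]:
            findings.append((pid, "remote-injection", handles[pid][a[0]]))
    return findings
```

Process 3003 in the sample allocates read/write only and starts a thread elsewhere, so it is not reported; real telemetry (Sysmon's CreateRemoteThread and ProcessAccess events, or an EDR's API trace) supplies the same fields.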
34. Keylogging
● We’ll make a Python-based keylogger for this example
● It’s pretty simple, and can be packaged into an executable
● Best part, there’s already public code for it!
○ Needed small mods
● Can be run from user-level (don’t need admin rights)
37. Malware Agents
● Need to egress network boundaries
○ HTTP(S) is likely easiest to use
● Want to have secure comms with the server
● Need to be able to receive commands OR have the commands already built into them
○ Also need to be able to send back results
● Need to evade antivirus
39. C2 Servers
● Shouldn’t immediately stand out as a C2 server
○ Some sort of security through obfuscation
● Protect against replay attacks
● Ensure secure communications with agents
● Track multiple agents and have the ability to issue individual commands
53. Case Study - Enumerator
● Client didn’t want actual shellcode injection and infection of their environment
● They wanted intel collection from the systems where the payloads were executed
● The data gathered by the script/malware needed to egress the network to our listening server
69. Building Out C# RAT
● Wanted custom quick RAT that I could use upon initial compromise
● Benefits:
○ Can be quickly modified to evade AV signatures
○ Provides you initial cmd access to compromised system for quick tasks:
■ Recon/enumeration
■ Adding user accounts
■ Persistence
○ Can be easily modified to add more functionality:
■ persistence, shellcode injection, process injection, encrypted comms, encrypted payloads
○ Used as a stager: Added shellcode and process injection to inject a more complete RAT into memory and avoid detection. (Yes, that comes with my version!)
71. DarkLink Overview
● Really simple $h!7, but quick and easy
● What is it?
● C# dropper that will download and execute your arbitrary payload
● Will persist the payload automatically
● Bottom line: quick persistence/dropper for your actual payload
72. Fun Persistence Techniques
● Checks for Internet access using Google.com
● Downloads the payload to a folder it can write to
● Checks to see what software is installed
● Will schedule a task OR modify the registry
73. Little Bit More Detail
● What folders does it check?
○ C:\Program Files (x86)\Adobe\Reader 10.0\Reader
○ C:\Program Files (x86)\Adobe\Flash Player
○ C:\Program Files (x86)\Java\jre7\bin
○ C:\Program Files (x86)\Google\Chrome\Application
○ C:\Program Files (x86)\Mozilla Firefox
● Checks all versions of Adobe and Java
● Will check for Program Files if the x86 folder doesn’t exist
● Depending on the results, it will create an “updater” executable, e.g. AdobeUpdater.exe
● Supports registry persistence and scheduled tasks
● Much more to add! Fork it and add it
○ WMI persistence, permissions checks, service creation, see BSides talk
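The dropper above hides its payload as a vendor “updater” in the folders listed and registers it with a Run key or a scheduled task, which gives defenders two artifacts to tie together. As an added example (not the talk’s or DarkLink’s code), a Python hunt over constructed Sysmon-style events that flags autostart entries pointing into those vendor folders and reports which process wrote the file; the event field names are assumptions modelled on Sysmon’s file-create, registry-set and process-create events.

```python
import re

# Vendor folders from the slides, matched as prefixes under Program Files /
# Program Files (x86) so every Adobe Reader and Java version is covered.
WATCHED = (r"adobe\reader", r"adobe\flash player", r"java\jre",
           r"google\chrome\application", r"mozilla firefox")
ROOTS = ("c:\\program files (x86)\\", "c:\\program files\\")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
TASK_RE = re.compile(r'/tr\s+"?([^"]+?\.exe)"?', re.IGNORECASE)

# Constructed Sysmon-style events (not real logs), with assumed field names.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "target": r"C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AdobeUpdater.exe"},
    {"type": "RegistryValueSet", "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater",
     "details": r"C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AdobeUpdater.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn JavaUpdate /tr "C:\Program Files (x86)\Java\jre7\bin\JavaUpdater.exe" /sc onlogon'},
    {"type": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

def in_watched_folder(path):
    """True if path sits below one of the vendor folders the dropper targets."""
    p = path.lower()
    for root in ROOTS:
        if p.startswith(root):
            return p[len(root):].startswith(WATCHED)
    return False

def hunt(events):
    """Report Run-key and scheduled-task autostarts whose target lives in a watched
    vendor folder, plus the process that created that file (None if not observed)."""
    created = {e["target"].lower(): e["image"] for e in events if e["type"] == "FileCreate"}
    findings = []
    for e in events:
        if e["type"] == "RegistryValueSet" and RUN_KEY in e["key"].lower():
            mech, target = "run-key", e["details"]
        elif (e["type"] == "ProcessCreate" and e["image"].lower().endswith("schtasks.exe")
              and "/create" in e["cmdline"].lower() and TASK_RE.search(e["cmdline"])):
            mech, target = "scheduled-task", TASK_RE.search(e["cmdline"]).group(1)
        else:
            continue
        if in_watched_folder(target):
            findings.append({"target": target, "mechanism": mech,
                             "dropped_by": created.get(target.lower())})
    return findings
```

A hit whose dropper is a user-writable Temp binary, as in the first sample event, is the triage lead; the OneDrive entry outside the vendor folders is left alone.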
74. Wrapup
● This stuff is quick and easy to develop
○ You don’t need to be a “developer” to write your own malware/stagers
● Everything we talked about is mostly used for initial access.
○ You don’t want to burn your full-blown RAT (pawn)
○ You might just need initial persistence quickly
○ Can be modified to expand functionality and bypass AV