r00t-3xp10it / venom

venom - C2 shellcode generator/compiler/handler

Social Engineering - Fake PDF Trojan Horse #78

Closed codings9 closed 3 years ago

codings9 commented 3 years ago

Windows systems (vista|7|8|8.1|10)

8 (Amsi Evasion) |  Agent nº5

Version v1.0.17 Changelog

Hey, I was about to do a video for LBRY on Fake PDF Trojan Horse, and I ran into this hiccup. Let me know what steps I can take to fix this or help you fix it, thank you! (screenshot: Fake PDF Trojan Horse)

r00t-3xp10it commented 3 years ago

Something is wrong then .. because Client.exe (Agent) is the same implant that both of us have been working on .. Gist: https://gist.github.com/r00t-3xp10it/13e1bd5c657a1bd38bdf0a82d0e63309#gistcomment-3153563


step by step

1º - does dropper.exe have its icon changed from exe to pdf icon?

2º - does dropper.exe download/execute the pdf document?

3º - does dropper.exe download/execute Client.exe?

4º - does the venom listener receive the connection from Client.exe?


review

1º - So review the Wine32 settings (multi-arch support)... More info about the module can be found Here

2º - Or review the lib used by venom.sh to compile dropper.exe: i586-mingw32msvc-gcc (32bits) OR i686-w64-mingw32-gcc (64bits). Review the venom.sh -> 3 settings under your arch:

3º - OR maybe the x64 compiled payload (agent) is giving an error under the x64 target... Try to change venom.sh configs from x64 to x32 bits -> and build/test the agent then


Target machine (windows 10 - x64bit)

(screenshot: test)

Attacker machine (Linux Kali - x32bit)

(screenshot: test2)
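Step 3 of the review above asks whether the agent was built for x64 or x32, which in venom is decided by the venom.sh settings and the mingw toolchain selected. An added example, not part of venom or of this thread, that checks which architecture a compiled dropper.exe / Client.exe actually contains by reading the COFF `Machine` field and the optional-header magic of the PE file; it ships with constructed header-only PE blobs so it can be tested offline, and the file paths in the usage comment are hypothetical.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (AMD64)",
    0x01C0: "ARM",
    0xAA64: "ARM64",
}

# IMAGE_OPTIONAL_HEADER.Magic: PE32 vs PE32+.
OPTIONAL_MAGIC_BITS = {0x10B: 32, 0x20B: 64}

COFF_HEADER_SIZE = 24  # 4-byte "PE\0\0" signature + 20-byte file header


def _pe_header_offset(data: bytes) -> int:
    """Validate the MZ/PE headers and return the offset of the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header: not a DOS/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + COFF_HEADER_SIZE + 2 > len(data):
        raise ValueError("e_lfanew points past the end of the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature")
    return e_lfanew


def pe_machine(data: bytes) -> str:
    """Architecture name from the COFF Machine field."""
    off = _pe_header_offset(data)
    (machine,) = struct.unpack_from("<H", data, off + 4)
    return MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})")


def pe_bitness(data: bytes) -> int:
    """32 or 64, from the optional header magic that follows the COFF header."""
    off = _pe_header_offset(data)
    (magic,) = struct.unpack_from("<H", data, off + COFF_HEADER_SIZE)
    if magic not in OPTIONAL_MAGIC_BITS:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")
    return OPTIONAL_MAGIC_BITS[magic]


def make_stub_pe(machine: int, magic: int) -> bytes:
    """Constructed, header-only PE blob for offline testing (not a runnable EXE)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    # Usage (hypothetical paths): python pe_arch.py dropper.exe Client.exe
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        try:
            print(f"{path}: {pe_machine(blob)}, PE{pe_bitness(blob)}")
        except ValueError as exc:
            print(f"{path}: {exc}")
```

If a dropper or agent reports x64 while venom.sh is set to 32-bit (or the other way round), the build used a different toolchain than the one the settings name, which is exactly the mismatch step 3 of the review is probing for.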

codings9 commented 3 years ago

Something is wrong then .. because Client.exe (Agent) is the same implant that both of us have been working on .. Gist: https://gist.github.com/r00t-3xp10it/13e1bd5c657a1bd38bdf0a82d0e63309#gistcomment-3153563

step by step

1º - does dropper.exe have its icon changed from exe to pdf icon? > YES.

2º - does dropper.exe download/execute the pdf document? > YES.

3º - does dropper.exe download/execute Client.exe? > YES.

4º - does the venom listener receive the connection from Client.exe? > NO. No connection from the Linux side, tested on x86 (xterm opens and shuts down) and x64 same picture I posted earlier, even put this on Parrot OS, nothing.

>> I did notice that you are using: Sign Executable for AV Evasion (Carbon Copy)
>> Dropper Certificate: www.microsoft.com
>> Client Certificate: www.microsoft.com

That is the only difference I can see.

review

1º - So review the Wine32 settings (multi-arch support)... > Wine32 is multi-arch support: YES. More info about the module can be found Here

2º - Or review the lib used by venom.sh to compile dropper.exe > This is good as well, no issues here. i586-mingw32msvc-gcc (32bits) OR i686-w64-mingw32-gcc (64bits) > This is good as well, no issues here. Review the venom.sh -> 3 settings under your arch: > This is good as well, no issues here.

3º - OR maybe the x64 compiled payload (agent) is giving an error under the x64 target... > Yes, error only occurs when using x64, not x86. Try to change venom.sh configs from x64 to x32 bits -> and build/test the agent then > Tried, same issue, will stick with x86 for architecture, it works, but it just closes xterm after I have executed Client.exe on target

Target machine (windows 10 - x64bit)

(screenshot: test)

Attacker machine (Linux Kali - x32bit)

Yes, attacker is now x86, target is x64. (screenshot: test2)

r00t-3xp10it commented 3 years ago

It's not because of this (I did notice that you are using: Sign Executable for AV Evasion (Carbon Copy)) that it fails ... But after I have figured out what's happening on your side .. I will say how to use that hidden function ;) ..

r00t-3xp10it commented 3 years ago

Lol, it's because I updated my Kali, so winetricks dotnet45 is generating errors per the Microsoft side of things. I upgraded my Kali, and now I am over here fighting with winetricks dotnet45 🤣😂 (screenshot)

Working now .. (screenshot)

codings9 commented 3 years ago

Thank you, here is the video: https://lbry.tv/@MunYa:d/Fake-PDF-Trojan-Horse:0?r=2Doo3VYrEzk9UmEw9kKFmbfEZtFZBjrx

Not messing with YouTube, and 3 strikes, lol, again thanks.

On Tue, Oct 6, 2020 at 3:28 AM pedro ubuntu notifications@github.com wrote:

Closed #78 https://github.com/r00t-3xp10it/venom/issues/78.


r00t-3xp10it commented 3 years ago

Tell me .. why does the dropper not present the PDF icon?? Is it because it's inside the archive when you execute it?? Take a look at the Test.exe file on my desktop .. (screenshot: test)