As a beginner at phishing, my experience with phishing attacks is very limited, and there is still a lot of room for improvement in building undetectable Trojans and bundling them. This article focuses on social-engineering ideas and scenario construction, so it does not go into the details of AV-evasion techniques; you can search Google for those.
There are many AV-evasion options now, and one of the common ones is separated loading (keeping the payload apart from the loader). Here I chose a loader written in C++ and used MSF (Metasploit) as the C2. (At the time, my Trojan could only get past Huorong and Kaspersky (Kaba).) I will briefly explain the implementation, which is a very routine workflow:
- Use MSF to generate shellcode in raw format.
- Encrypt the shellcode so that it is not easily detected by antivirus software.
- Embed the encrypted shellcode in an image to produce a Trojan image.
- Upload the Trojan image to the VPS provided by HVV and start an externally reachable service, so that the victim's machine can fetch and download it.
- Induce the victim to run the loader; the loader automatically downloads the Trojan image from the VPS.
- The loader decrypts the shellcode from the Trojan image and injects the decrypted shellcode into memory, bringing the session online.
The advantage of this method is that it uses a common image format as the carrier, which makes the Trojan harder for antivirus software to detect. At the same time, the encryption and decryption make the execution process less conspicuous and improve its ability to avoid detection.
(Note: when generating shellcode with MSF you can add some obfuscation parameters, and when writing a shellcode loader, try to choose some less common Windows APIs to increase concealment.)
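From the defender's side, the "Trojan image" in the chain above is still an ordinary image file, and the usual way to hide a blob in one (the assumption made here; the post does not say how the author embedded it) is to append the bytes after the format's end marker, the IEND chunk in PNG or the EOI marker in JPEG. Image viewers ignore anything past that point, so the file still opens normally. The following script is an added example, not code from the original post: it walks the PNG chunk list or the JPEG marker segments to find the real end of the image and reports how many bytes trail it. The sample images are constructed inline.

```python
import struct
import sys
import zlib
from typing import Callable, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_end(data: bytes) -> Optional[int]:
    """Walk the PNG chunk list and return the offset just past the IEND chunk.
    Returns None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # length + type + payload + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def _jpeg_end(data: bytes) -> Optional[int]:
    """Walk the JPEG marker segments and return the offset just past EOI (FF D9).
    Returns None if the data is not a well-formed JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                 # EOI: real end of the image
            return pos + 2
        if marker == 0xFF:                                 # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:       # markers with no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                                 # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                                  # a real marker, not stuffing/RSTn
                pos += 1
    return None


def trailing_payload(data: bytes) -> Tuple[str, int]:
    """Return (format, number of bytes after the end marker); ('unknown', 0) if not PNG/JPEG."""
    finders: Tuple[Tuple[str, Callable[[bytes], Optional[int]]], ...] = (
        ("png", _png_end), ("jpeg", _jpeg_end))
    for name, finder in finders:
        end = finder(data)
        if end is not None:
            return name, len(data) - end
    return "unknown", 0


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed samples (not files from the post): a 1x1 PNG and a bare JFIF header,
# each also with an opaque blob appended after the end marker.
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + _chunk(b"IEND", b"")
SUSPECT_PNG = CLEAN_PNG + bytes(range(64))
CLEAN_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16)
              + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9")
SUSPECT_JPEG = CLEAN_JPEG + b"MZ" + b"\x90" * 30


if __name__ == "__main__":
    # Usage: python check_image_tail.py image1.png image2.jpg ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            fmt, extra = trailing_payload(fh.read())
        verdict = "SUSPICIOUS" if extra > 0 else "ok"
        print(f"{path}: {fmt}, {extra} byte(s) after end marker -> {verdict}")
```

Treat a non-zero tail as a triage signal rather than a verdict: some cameras and editors legitimately append metadata or a second image after EOI, and a payload hidden inside pixel data or a valid chunk would not be caught by this check at all. Its value is cheapness: it can run on every image fetched from an unfamiliar host, and a web proxy log showing a loader process fetching an image whose tail is tens of kilobytes of high-entropy data is exactly the pattern the chain above produces.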
I finally settled on a local comprehensive website. It contains multiple modules for the region, such as a forum, home decoration, car buying, second-hand housing, and recruitment. I chose it because it has a recruitment module, which is very suitable for phishing; I realized that phishing through the resume-submission process is a very plausible strategy.
However, a key question was how to get the victim to click the Trojan link voluntarily, without noticing the security risk, so that the session comes online. As a beginner with no phishing experience and no experts around, I had to look for answers on the major forums. In the end, I chose compression bundling.
The basic principle of compression bundling is to create a seemingly legitimate resume file and bundle the loader with it. When the victim downloads and decompresses the file, they are likely to click to view the resume without thinking, thereby executing the loader.
The advantage of this method is that it exploits people's habitual behaviour, namely downloading and decompressing files, as well as the routine action of anyone handling applicants, namely opening resumes. By disguising the loader as a legitimate resume file, I can guide the victim to click and view its content without suspicion, thereby executing the loader.
The compression bundling steps are: first prepare the resume and the shellcode loader.
Then, in the self-extracting archive settings, select "Run after extraction" and enter the loader's name there.
Under modes, select "Silent mode" and "Hide all".
After extraction, the final files are obtained.
However, the generated file is an exe, so I used the Unicode RTLO (right-to-left override) trick to construct a misleading file name. In local tests, double-clicking it successfully brought the session online.
The problem is that when it is sent through WeChat, the file is shown as an EXE, and the file name constructed with the RTLO character is garbled after download.
What should I do about this? There was no time to study how to bypass WeChat's detection mechanism, and I also tried starting a service on the VPS for HR to download from the server. But is this feasible?
Later I thought of a way: add another layer of compressed file outside the bundled Trojan, which makes it feel more reasonable to HR. After they extract one layer they still don't have the resume and need to double-click to open it again, which seems natural. To "protect personal privacy", I also set a password.
So the process is now: send the Trojan resume to HR -> HR receives the Trojan resume via WeChat -> HR extracts it and gets the encrypted resume (actually the bundle) -> enters the password for the encrypted resume -> triggers the loader -> the session comes online on my control end -> HR gets the resume file.
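From the defender's side, the artifact that finally reaches HR in this flow has two properties that survive the double-zip-plus-password wrapping once it is extracted on the endpoint: the file name carries a Unicode bidirectional override (U+202E) so that its real extension is not what is displayed, and the "resume" itself is a PE executable with a RAR archive inside it (a self-extracting archive, recognisable by the `Rar!\x1a\x07` signature following the MZ stub). The password on the outer layer means mail and IM gateways cannot look inside, so the check has to run where the files land: a download directory, an EDR file-creation event, or a sandbox. The following triage script is an added example, not code from the original post; the sample file name and bytes are constructed, and the extension lists are this example's own choices.

```python
import os
import sys
from pathlib import Path
from typing import Dict, List

# Unicode bidi controls that can change how a file name is displayed (U+202E is RLO).
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RAR_SIGNATURE = b"Rar!\x1a\x07"      # common prefix of the RAR4 and RAR5 archive signatures
EXEC_SUFFIXES = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"})
DOC_SUFFIXES = frozenset({".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"})


def filename_findings(name: str) -> List[str]:
    """Flag names whose displayed form can differ from the extension Windows will execute."""
    findings: List[str] = []
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    if controls:
        findings.append(f"bidi control {', '.join(controls)} in name; real extension is {Path(name).suffix.lower()!r}")
    plain = "".join(c for c in name if c not in BIDI_CONTROLS)
    suffixes = [s.lower() for s in Path(plain).suffixes]
    if suffixes and suffixes[-1] in EXEC_SUFFIXES:
        findings.append(f"executable extension {suffixes[-1]}")
        if len(suffixes) > 1 and suffixes[-2] in DOC_SUFFIXES:
            findings.append(f"double extension {''.join(suffixes[-2:])}")
    return findings


def content_findings(data: bytes) -> List[str]:
    """Flag PE files and self-extracting archives (a PE stub with a RAR archive inside)."""
    findings: List[str] = []
    if data[:2] == b"MZ":
        findings.append("PE executable header")
        offset = data.find(RAR_SIGNATURE)
        if offset > 0:
            findings.append(f"RAR archive embedded at offset {offset} (self-extracting archive)")
    elif data.startswith(RAR_SIGNATURE):
        findings.append("RAR archive")
    return findings


def triage(name: str, data: bytes) -> List[str]:
    """Combine name and content checks; an empty list means nothing was flagged."""
    return filename_findings(name) + content_findings(data)


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Run triage over every file under root; returns {path: findings} for flagged files only."""
    flagged: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                head = fh.read(4 * 1024 * 1024)   # SFX stubs are small; 4 MiB is plenty
            result = triage(fname, head)
            if result:
                flagged[full] = result
    return flagged


# Constructed sample (not an artifact from the post): a name containing an RLO character,
# which a naive renderer shows with its tail reversed, and a fake PE stub followed by a
# RAR5 signature, i.e. the shape of a self-extracting archive.
SAMPLE_NAME = "resume_\u202efdp.exe"
SAMPLE_SFX = b"MZ" + b"\x90" * 62 + RAR_SIGNATURE + b"\x01\x00" + b"\x00" * 16


if __name__ == "__main__":
    # Usage: python triage_downloads.py <directory>   (defaults to the current directory)
    for path, findings in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}:")
        for line in findings:
            print(f"    - {line}")
```

Two notes on the design. The name check strips the bidi controls before looking at the extension, because `Path` otherwise still returns the true suffix but a human reading a listing would not; reporting both the control character and the real extension gives an analyst the "what it looked like versus what it is" in one line. The content check deliberately does not parse the archive's SFX script (the `Setup=`/`Silent=` commands the post's settings correspond to): the mere combination of a PE stub and an embedded RAR in a file that arrived as a "resume" is already enough to quarantine and inspect, and parsing RAR headers would add far more code than it adds signal.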
Phishing begins
When I clicked on resume submission, I found that the website did not support uploading your own resume; it could only be written on the site... Just as I was at a loss, I saw a customer-service QR code on the website's homepage, so I added it on WeChat to try my luck. Perhaps because it was an Enterprise WeChat account, nobody responded for a while after I added it.
After slacking off for a day, I continued looking for prey. At noon the next day, I found a small QR code at the top of the target website's recruitment module. I scanned and added it immediately, and in the afternoon the WeChat friend request was accepted. That felt like a victory; after all, it was important progress for the phishing.
I quickly sent the target a message, hoping for a reply. Unexpectedly, they replied quickly!
Then I prepared the resume as described earlier, set the extraction password, packaged the loader with the resume, and tested it locally: double-click, enter the password, and the session came online. I said a prayer for myself and sent the "resume" to customer service.
Next, I waited anxiously, staring at the monitoring end and hoping to see a new session come online. But the minutes and seconds ticked by; two hours passed, and no session appeared.
I began to wonder whether something had gone wrong in one of the steps, whether my undetectable Trojan had been discovered, or whether some other problem had occurred...
When I proactively sent a message, I found that a session had finally appeared on the monitoring end. I confirmed it: customer service had indeed extracted the file I sent and come online. So I began a happy journey of information collection.
Experience and Summary
- When conducting social engineering, the most important thing is to accurately identify key figures. The reason this phishing operation failed was that, during subsequent information collection, I found the target was using a personal PC.
- When conducting phishing operations, it is best to cast a wide net, but for targeted phishing it is necessary to determine the identity of the other party before performing social engineering.
- I will explore other bundling techniques and Word macro Trojans in the future, because the bundled Trojan I used remains in the folder after extraction and I have not found a suitable place to hide it, which is fairly obvious. In addition, after coming online I also need to immediately migrate the process, to prevent the other side from simply terminating my shellcode process in Task Manager; otherwise our operation fails.