Amber is a proof of concept packer, it can pack regularly compiled PE files into reflective PE files that can be used as multi stage infection payloads. If you want to learn the packing methodology used inside the Amber check out below.
PS: This is not a complete tool some things may break so take it easy on the issues 😅 and feel free to contribute.
Developed By Ege Balcı from INVICTUS/PRODAFT.
SUPPORTED PLATFORMS:
| Operative system | Version |
|---|---|
| Ubuntu | 16.04\16.10\17.04 |
| Kali linux | * |
| Manjaro | * |
| Arch Linux | * |
| Black Arch | * |
| Debian | * |
sudo chmod +x Setup.sh
sudo ./Setup.sh
// █████╗ ███╗ ███╗██████╗ ███████╗██████╗
// ██╔══██╗████╗ ████║██╔══██╗██╔════╝██╔══██╗
// ███████║██╔████╔██║██████╔╝█████╗ ██████╔╝
// ██╔══██║██║╚██╔╝██║██╔══██╗██╔══╝ ██╔══██╗
// ██║ ██║██║ ╚═╝ ██║██████╔╝███████╗██║ ██║
// ╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚══════╝╚═╝ ╚═╝
// POC Reflective PE Packer
# Version: 1.1.0
# Source: github.com/egebalci/Amber
USAGE:
amber [options] file.exe
OPTIONS:
-k, --key [string] Custom cipher key
-ks,--keysize <length> Size of the encryption key in bytes (Max:255/Min:8)
--staged Generated a staged payload
--iat Uses import address table entries instead of hash api
--no-resource Don't add any resource
-v, --verbose Verbose output mode
-h, --help Show this massage
EXAMPLE:
(Default settings if no option parameter passed)
amber -ks 8 file.exe
Fileless ransomware deployment with powershell
Multi Stage EXE deployment with metasploit stagers
Current detection rate (19.10.2017) of the POC packer is pretty satisfying but since this is going to be a public project current detection score will rise inevitably :)
When no extra parameters passed (only the file name) packer generates a multi stage payload and performs RC4 encryption with a random key then compiles it into a EXE file with adding few extra anti detection functions. Generated EXE file executes the stage payload like a regular shellcode after deciphering the payload and making the required environmental checks. This particular sample is the mimikats.exe (sha256 - 9369b34df04a2795de083401dda4201a2da2784d1384a6ada2d773b3a81f8dad) file packed with a 12 byte RC4 key (./amber mimikats.exe -ks 12). The detection rate of the mimikats.exe file before packing is 51/66 on VirusTotal. In this particular example packer uses the default way to find the windows API addresses witch is using the hash API, avoiding the usage of hash API will decrease the detection rate. Currently packer supports the usage of fixed addresses of IAT offsets also next versions will include IAT parser shellcodes for more alternative API address finding methods.
VirusTotal (5/65)
VirusCheckmate (0/36)
NoDistribute (0/36)
- Add x64 support
- Add MacOS support
- Add.NET file support
- Add a IAT parser shellcode to stub
- Add yara rules to repo
- Write a unpacker for Amber payloads
- Add RC4 encryption to payloads
- Automate IAT index address finding on --iat option
- Add more integrity checks to the file mapping function
- Better installation mechanism