-
ShellCloak is a new technique to separate the shellcode from the dropper without downloading anything to the vitctim's machine. The way how this works is it uses Chrome's and Firefox's history database to our advantage.
-
First it will generate meterpreter x86 powershell then it will use that shellcode as a URL on THREE parts. So there will be THREE redirections using javascript files. Each redirection will take 1 part from the shellcode and of course Chrome or Firefox will store that URL in it's history database which we will access later.
-
By doing that we are bypassing AV and IDS since we are not doing anything to the target box lol, it's the browser itself doing that for us. Thank you Chrome and Firefox for your cooperations :D.
-
Once all the 3 parts stored in Chrome's or Firefox's database, we open that database using our C code and put all the pieces together and then execute it.
-
Since the dropper itself doesn't have anything inside it, it should be almost 100% undetectable and clean.
-
The javascript file will detect the browser and will redirect the user based on that browser.