Social Engineering - Fake PDF Trojan Horse #78

Closed
codings9 opened this issue Oct 1, 2020 · 6 comments

Comments

@codings9

codings9 commented Oct 1, 2020

Windows systems (vista|7|8|8.1|10)

8 (Amsi Evasion) |  Agent nº5

Version v1.0.17 Changelog

Hey, I was about to do a video for LBRY on Fake PDF Trojan Horse, and I ran into this hiccup.
Let me know what steps I can take to fix this or help you fix it, thank you!
[screenshot: Fake PDF Trojan Horse]

@r00t-3xp10it
Owner

r00t-3xp10it commented Oct 2, 2020

Something is wrong then ..
because Client.exe (Agent) is the same implant that both of us have been working on ..
Gist: https://gist.github.com/r00t-3xp10it/13e1bd5c657a1bd38bdf0a82d0e63309#gistcomment-3153563


step by step

1º - Does dropper.exe have its icon changed from the exe icon to the pdf icon?

  • yes
  • no

2º - Does dropper.exe download/execute the pdf document?

  • yes
  • no

3º - Does dropper.exe download/execute Client.exe?

  • yes
  • no

4º - Does the venom listener receive the connection from Client.exe?

  • yes
  • no

review

1º - So review the Wine32 settings (multi-arch support)...
More info about the module can be found Here

2º - Or review the lib used by venom.sh to compile the dropper.exe:
i586-mingw32msvc-gcc (32bits) OR i686-w64-mingw32-gcc (64bits)
Review the venom.sh -> 3 settings under your arch:

3º - OR maybe the x64-bit arch compiled payload (agent) is giving an error under the target x64 bits...
Try to change the venom.sh configs from x64 to x32 bits -> and build/test the agent then


Target machine (Windows 10 - x64 bit)

[screenshot: test]

Attacker machine (Linux Kali - x32 bit)

[screenshot: test2]
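Steps 2º and 3º of the review above come down to two questions about the binaries venom.sh produced: which machine type the cross-compiler actually emitted (the PE header records that, independent of which mingw front end was invoked), and what the signing option appended to the file. The script below is an added example, not venom's code and not from this thread: it parses the MZ/PE headers to report i386 vs AMD64, PE32 vs PE32+, and whether a Certificate Table (the Authenticode blob a sign-executable option appends) is present. The file names `dropper32.exe`/`client64.exe`, the helper names and the in-memory sample PEs are all constructed here so it runs offline; call `triage_pe()` on the real dropper.exe and Client.exe to check a build.

```python
"""PE header triage for cross-compiled droppers/agents (added example, not venom's code)."""
import struct
from pathlib import Path

MACHINE_NAMES = {0x014C: "i386 (32-bit)", 0x8664: "AMD64 (64-bit)"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory slot holding the Authenticode blob


def parse_pe_header(data: bytes) -> dict:
    """Return machine type, PE format and Certificate Table info from raw PE bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                                         # IMAGE_FILE_HEADER
    machine, nsections = struct.unpack_from("<HH", data, coff)
    opt = coff + 20                                             # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        rva_count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        rva_count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", data, rva_count_off)
    cert_off = cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        # For the security directory the first field is a raw file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", data, entry)
    return {
        "machine": MACHINE_NAMES.get(machine, f"unknown ({machine:#06x})"),
        "is_64bit": magic == PE32PLUS_MAGIC,
        "sections": nsections,
        "signed": cert_size > 0,
        "cert_offset": cert_off,
        "cert_size": cert_size,
    }


def triage_pe(path) -> dict:
    """Convenience wrapper: triage a PE file on disk (e.g. dropper.exe, Client.exe)."""
    return parse_pe_header(Path(path).read_bytes())


def arch_matches_target(info: dict, target_is_64bit: bool) -> bool:
    """64-bit Windows runs both PE32 and PE32+ images; 32-bit Windows cannot load PE32+."""
    return target_is_64bit or not info["is_64bit"]


def build_sample_pe(machine: int, pe32plus: bool, signed: bool) -> bytes:
    """Construct a minimal, non-runnable PE image in memory so the parser can be exercised offline."""
    opt_size = 240 if pe32plus else 224                # standard sizes with 16 data directories
    header_len = 0x40 + 4 + 20 + opt_size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0002)  # EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    rva_count_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, rva_count_off, 16)
    cert = b""
    if signed:
        # Fake WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=2 (PKCS#7 SignedData)
        payload = b"\x30\x82" + b"\x00" * 30           # constructed stand-in for a DER blob
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return bytes(dos + b"PE\0\0" + coff + opt + cert)


if __name__ == "__main__":
    # Constructed samples standing in for a signed 32-bit dropper and an unsigned 64-bit agent.
    samples = {
        "dropper32.exe": build_sample_pe(0x014C, pe32plus=False, signed=True),
        "client64.exe": build_sample_pe(0x8664, pe32plus=True, signed=False),
    }
    for name, blob in samples.items():
        info = parse_pe_header(blob)
        print(f"{name}: {info['machine']}, signed={info['signed']} "
              f"(cert {info['cert_size']} bytes at {info['cert_offset']:#x}), "
              f"runs on 32-bit target: {arch_matches_target(info, target_is_64bit=False)}")
```

Run it against the real files after a build and compare the reported machine type with the arch venom.sh was configured for; a PE32+ agent is the one case a 32-bit Windows target can never load, while the x64-on-x64 failure in this thread is not an architecture mismatch and needs a different explanation.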

@r00t-3xp10it r00t-3xp10it changed the title Social Engineering - Fake PDF Trojan Horse (**) Social Engineering - Fake PDF Trojan Horse Oct 2, 2020
@codings9
Author

codings9 commented Oct 5, 2020

> Something is wrong then ..
> because Client.exe (Agent) is the same implant that both of us have been working on ..
> Gist: https://gist.github.com/r00t-3xp10it/13e1bd5c657a1bd38bdf0a82d0e63309#gistcomment-3153563

step by step

> 1º - Does dropper.exe have its icon changed from the exe icon to the pdf icon?

YES.

> 2º - Does dropper.exe download/execute the pdf document?

YES.

> 3º - Does dropper.exe download/execute Client.exe?

YES.

> 4º - Does the venom listener receive the connection from Client.exe?

NO.
No connection from the Linux side; tested on x86 (xterm opens and shuts down) and on x64 (same picture I posted earlier). Even put this on Parrot OS, nothing.

**I did notice that you are using: Sign Executable for AV Evasion (Carbon Copy)**

Dropper Certificate: www.microsoft.com
Client Certificate: www.microsoft.com

That is the only difference I can see.

review

> 1º - So review the Wine32 settings (multi-arch support)...

Wine32 is multi-arch support: YES.

> More info about the module can be found Here

> 2º - Or review the lib used by venom.sh to compile the dropper.exe:

This is good as well, no issues here.

> i586-mingw32msvc-gcc (32bits) OR i686-w64-mingw32-gcc (64bits)

This is good as well, no issues here.

> Review the venom.sh -> 3 settings under your arch:

This is good as well, no issues here.

> 3º - OR maybe the x64-bit arch compiled payload (agent) is giving an error under the target x64 bits...

Yes, the error only occurs when using x64, not x86.

> Try to change the venom.sh configs from x64 to x32 bits -> and build/test the agent then

Tried, same issue. Will stick with x86 for architecture, it works, but it just closes xterm after I have executed the client.exe on target.

> Target machine (Windows 10 - x64 bit)

[screenshot: test]

> Attacker machine (Linux Kali - x32 bit)

Yes, attacker is now x86, target is x64.

[screenshot: test2]

@r00t-3xp10it
Owner

r00t-3xp10it commented Oct 5, 2020

It's not because of this ("I did notice that you are using: Sign Executable for AV Evasion (Carbon Copy)") that it fails ...
But after I have figured out what's happening on your side.. I will say how to use that hidden function ;) ..

@r00t-3xp10it
Owner

r00t-3xp10it commented Oct 6, 2020

Lol, it's because I updated my Kali, so winetricks dotnet45 is generating errors per the Microsoft side of things.
I upgraded my Kali, and now I am over here fighting with winetricks dotnet45 🤣😂
[screenshot]

Working now ..
[screenshot]

@codings9
Author

codings9 commented Oct 12, 2020 via email

@r00t-3xp10it
Owner

r00t-3xp10it commented Oct 12, 2020

Tell me .. why does the dropper not present the PDF icon ??
Is it because it's inside the archive when you execute it ??
.
Take a look at the Test.exe file on my desktop ..
[screenshot: test]
