The Modern Hackers Guide to Dealing with Malware
Hi, HeXsploit here. I've used and developed a variety of malware tools and applications, both public and private. This post is less of an organized guide, but more of a brain-dump of some of the tips and tricks of the trade when it comes to malware. The world of malicious software, and the tools behind it is quite vast, so buckle up!
Here's some terms that might come in handy:
RAT- Remote Access Tool/Trojan
Packer/Crypter- Obfuscates and Encrypts Binaries to avoid scantime AV detection and hinder malware analysts
FUD- Fully UnDetected
C2- Command and Control. Basically a RAT, but often has additional functionality
Loader- The name pretty much sums it up, it loads another piece of software when run. Used mainly for AV evasion
OSINT- Open source Intelligence Gathering
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So you want to use malware? First, it's probably best to think about what your goal is. What do you want to accomplish by utilizing malware? Are you trying to explicitly gain access to someone's system, steal their data and exfiltrate that, or ransom their data for pure profit? Maybe you just want to play around with malware for the fun of it. Whatever your case may be, it's important to think about all factors when purchasing anything or doing something that may end you up in the slammer for 20 years.
On many hacking forums, you're probably going to encounter someone trying to sell you a new private RAT/C2 on forums like Raid/Breached. I have nothing against private RAT software and their developers, but quite frankly you probably don't need a private RAT/C2 if you're starting out. There are plenty of public tools on GitHub, and they are quite good. Even the APTs use 'em (great article/s btw, highly recommend reading it). A lot of people like to think that implicitly Private > Public, which is sometimes true, but not always. The real trick in utilizing malware is really about taking existing code, and configuring and modifying it in a way that suits your needs without having to worry too much about AV. Heck, you could probably compromise plenty of folks, perhaps even businesses, using fully open source malware with minimal to no modification. The only thing I'd really recommend paying for as a beginner to the malware scene is a Loader/Crypter. There are a few public loaders/crypters out there, but none of them are FUD, and signatures for FOSS crypters get developed immediately.
My advice to anyone starting out or similar is to try a bunch of different tools on various machines you own, find a workflow that works for you, then bring it out into the wild. Modify things bit by bit, and optimize your workflow. Right now, my current workflow involves (usually) Cobalt Strike / Metasploit Teamserver <- Forwarder Host <- .NET Shellcode Injector (based on public GitHub source code) <- JScript/VBS Downloader (wrote this one mostly from scratch, but there are plenty of public ones available as well). This allows for a decent level of AV evasion and is also convenient to set up.
A lot of people, both new and old, will rush into various things and not plan beforehand in regards to hacking. This is really dumb, and often is the source of many of the OPSEC failures you hear about on the news. Plan everything. Take good notes. Treat your deep dive into cyber-crime like an AP class. Except this time, if you flunk the class you might end up in federal prison, as opposed to the usual consequences. The defenders have the permanent advantage of better funding and more time to think things through. Do not let your ambition or impatience get in the way of progress.
If you're trying to begin spreading malware, I'd recommend thinking again about your goal. Who do you want to target? If you're more inclined to target specific organizations for various personal reasons, do that. If you're more inclined to make as much money as possible, you have to think from the perspective of the target company. Who has access to sensitive information, lots of PII, or a lot of funds, but doesn't spend a lot on IT or security? Well, usually smaller municipalities, small to medium law firms and contractors, and smaller regional corporations. Pick a niche, and learn about the various processes the type of business is likely to engage in on a regular basis. Want to target restaurants for credit card data? Think about what an employee at a restaurant is likely going to be using the computer for. Maybe they check Yelp reviews, or respond to customer feedback through Email/Facebook/Twitter/Instagram/Etc. A well-written email or post that happens to contain a link to a malicious download or phishing page disguised as an important safety announcement or a complaint about how they were mistreated by an employee won't usually make the reader bat an eye.
"But HeXsploit, I can't find a good business to hack?!?": Google Maps is your friend. Go to the main street of your nearest city or town and write down the ones that have a website and an email/way to contact them. Sometimes you'll find easy vulnerabilities on the webpage itself; if not, start thinking about ways to socially engineer them into running your malware. Pick someone easy to start out with, don't attempt to hack the regional mega-corp on your first try at serious hacking. If at first you don't succeed, try again, but learn from your mistakes. This is a learning experience; if you choose not to adapt and learn, you will undoubtedly continue to fail. People ask why teenagers are often quite good at hacking. Because they have plenty of time to allocate to learning, and they are pretty damn persistent. Take some time and take some damn notes, read the news, scour the forums, and never stop learning. Accepting mediocrity and embracing laziness is the enemy of progress.
Alright, you know how to pwn your local mom&pop shop, but how do you scale up this operation? Well, let me introduce you to shodan.io, hunter.io, and builtwith.com. OSINT is key, and don't forget that. You can find a virtual treasure trove of juicy information online, and Shodan is pretty darn good at finding it. Shodan allows you to search a catalog of the entire internet using queries and selectors. You can find a variety of publicly accessible devices that allow you to build a better SE profile of a variety of companies, even ones halfway across the globe. Shodan might find you easy wins, but most often you won't immediately be able to exploit a company based on a device found on Shodan; it is, however, quite helpful for building a profile of how much a company may be spending on IT, and of the technologies they utilize. Hunter.io lets you input a domain, and tells you what emails might be associated with that domain. This can let you enumerate various employees that may work at the company, and their corresponding emails. There are other tools that let you find this information, but I generally use Hunter first as it is quite an easy interface. Finally, good old BuiltWith.com. BuiltWith is a large-scale hacker's dream. It lets you gather metric tons of company data, and generate lists based on the queries given. Let's say I want to target companies with websites in the Australian Automotive industry, with roughly ~$20,000 of IT spending per year, that use PHP for their websites. Well, BuiltWith lets you find that, and it conveniently lets you generate a 5,000+ row CSV with all of the results. BuiltWith costs money, but you can use it for free, albeit without some of their massive lists that are quite useful. I'd recommend DIY-ing your own company profiles without BuiltWith for a while before shelling out the money for it, but it's more so about the learning experience than the cost of BuiltWith.
More to come soon, I will edit this post with more tomorrow...
Thanks for reading,
HeXsploit