05-01-2023, 11:08 AM
Ch6-7 Malware Delivery
Everyone will try and tell you to use a specific programming language when coding your own piece of malware but in the end it's what works for you and what will actually work in real life. For me personally I used Python to create a RAT and made my own custom piece of ransomware based on someone else's work that got the job done without problems on Windows and macOS computers. I know most of you are laughing your heads off screaming "FUCKING SKID USING PYTHON LOL" and most of the clowns who are mocking me are probably preaching to everyone that they must code malware in C/C++, ASM, or some shit but the reality is I taught myself Python in about 4-6 months and was launching my own ransomware campaigns that were capable of bypassing AV out of the box. Who the fucks cares? The piece of malware I coded in Python worked exactly how I wanted it to work and I profited a fuck ton from that so you can laugh all you want. Don't pay attention to the haters. Haters gonna hate so find what works for you.
I do plan on releasing the source code to the Frankenstein ransomware I created (comes with a builder and is super fucking easy to use) that way people can learn from the code and/or use it as they see fit. Future things. It's outdated to fuck but it shows that with a little dedication and hard work you can learn how to code your own piece of malware. Honestly, the code for the ransomware is very basic and was done that way for a reason. Anyone reading through my code should understand everything it does without difficulties and there's no fuckery afoot. It's terrible code and anyone who programs can laugh in my face but the point is that it worked.
Many other pieces of Python malware have worked in the past but let's face it their code is much better than mine.
This Chapter is all about encouragement, positivity, randomness, and probably having you read through all my nonsense but really it's about hearing a little story of mine to motivate you.
For many of you that are studying at HackTown you're probably asking yourself "How long is it going to take me to actually learn all of this?", "When can I make my millions and fuck off??", "How much am I going to spend on this?", etc.
Well... Listen to my story as I hope it gives people the motivation needed to push themselves and to continue on with educating yourselves on the topics that you're interested in. Which, we all know is crime. Pure crime.
Let's rewind in time to a place in time where I was in my life. Bring it back in time baby.
As you know I dabbled in many cybercriminal operations ranging from carding, running online scams and fraud, hacking, and compromising people and businesses for profits. I was really all over the cybercriminal landscape of careers trying to find my groove and what I was good at. It first started off with a lot of reading and studying about the topics that interested me, just like you're doing now. I started out just like everyone else at ground zero and worked my way up over time to where I was able to pop life in neutral and coast into the sunset. Although, not without some bumps in the road here and there with wasting time on getting a useless degree in Cyber Security and briefly working within that field which sucked ass. But life is all about the journey.
I soon realized that with my knowledge, skills, amount of free time available, time on task, opportunity costs, money, etc. I needed to focus on bigger things with bigger payouts. I didn't like spending too much time on the computer and wanted things automated as much as possible. Cybercrime is the most appealing in that regard yes?
Basically I wanted to only work a (6) hour work week. Like many of you I'm sure. An hour a day I thought is reasonable. LOL.
Thinking about being able to code any program, RAT, or other malware from scratch was a daunting task to even fucking think about when I was first starting out. For many of you too I'm sure. Programming doesn't come naturally for me and we all have our technical limits of what we're able to code and technically comprehend. Generally speaking, that shit requires you to be academically smart in mathematics, computer science, cyber security, programming, etc. while being able to sit at a computer typing your heart away with your eyes wide open for long periods of time.
There you are typing away for hours, months, or even years while still reading through textbook after textbook and taking online course after online course just to get yourself to a certain level of programmer or hacker. Right? Learning how to be a full-on hacker piece of trash skid like myself right up to advancing to a wizard hacker level. What I'm trying to say is that learning everything takes time and you have to have the smarts to do it.
Not everyone is going to be able to become wizard level so understand where you fit in, know your limits, and what is going to be reality for you.
In a nutshell if you can't program something yourself then buy what you need from someone else who can program.
Try to keep in mind most of the people studying at HackTown today probably still have a job, have a family, bills to pay, do drugs, etc. and time is a valuable thing. So the amount of time you're going to need learning how to code plus on top of that juggling those other life commitments is going to be hard for most people. Who the fuck knows when you're actually going to get around to learning everything needed to program your own shit or to be at a level where you can read through other people's source code on your own.
But don't worry I truly thought that too.
You see, I'm not retarded and I had a little background in computers. I had funny interests in the computer world. Like all of you reading this do too. I knew there were programming languages and that's what you need to learn in order to create the next banking trojan and go wild on people. Plus, I was aware of how cybercriminal hacking maniacs were making their money. It makes sense right? If you're interested in robbing a bank then pay attention to the news and see how others are robbing a bank. Are they getting caught? Did they get away with it? How did they do it? Is there money to be made? Is this something I can do successfully?
I was already taking a Cyber Security degree at the time plus I was already into carding and some other fraud shit so I had some background in that which I think gave me an edge with everything looking back on how I developed into a full time cybercriminal. I just needed to learn those specific hacking skills that I was lacking at the time. I found out quickly that if I didn't know how to do something I knew I could pay someone who did. I didn't need to know how to perform SQL injections on websites to gain access to a DB. I just needed to know someone who could do that for me and who would sell me cheap accounts, CCs, etc.
Trying to learn how to program in C/C++ blew my brains out. Like right out of mind. I think it's fair to say anyone coding in C/C++ on a part time basis is probably blowing their brains out daily using it.
So I found out for me learning those types of programming languages wasn't going to work for me at all. I didn't have the patience nor did I have the time to dedicate to learning it. That wasn't going to fucking happen. I was losing everything around me and needed to make money. Pronto.
This was my push into programming. I was lurking through a forum I used to frequent, that's long the fuck gone now, and came across a post about ransomware and how to make money from encrypting sensitive documents and crippling networks to receive payouts through cryptocurrency. It was more of like a brainstorming session I'd say and many people chimed in on the post with their opinions on the matter with programming advice on how to accomplish it all. I friended the OP immediately and began hurling 99 questions to this individual while I was frothing at the mouth with excitement. This could change my fucking life!
Now you must remember this is back in time. This was at a time when ransomware wasn't widely known as it is today let alone people knowing anything about social engineering, sophisticated phishing attacks, SIM swapping, etc. and the general public was basically cybersecurity retarded. Way more than people are today. Anyways, as soon as I heard of the ransomware concept I knew this is where I needed to focus my time and efforts. I continued to talk with the hacker on the forum who eventually directed me to purchase their ransomware which at that time was for sale on AlphaBay (old AlphaBay).
I went ahead and purchased it and begun the process of selecting my targets to see if:
A) the ransomware I bought even worked.
B) if I was actually able to make any money from this shit.
I targeted (10) businesses via email with malicious Word documents boobytrapped with this ransomware and specifically crafted for each business with professionalism (SE skillz). The return on investment (ROI) was the best I've experienced through cybercrime since I was requesting $750 USD as payment to "decrypt" their files once I infected them. I was paid initially by (3) people which climbed to (6) within a few days of launching the campaign. Time on task was reasonable for me too. I spent a few hours researching my targets and about (30) minutes crafting the emails needed to social engineer the sheep peoples I was targeting to open my Word attachment. At the time malicious Word documents were the choice of every attacker operating out there so it was easier to social engineer the people I was after. I feel for a lot of you reading this since it's a bit harder these days to deliver malware to people but don't worry you'll be learning the newest methods used today in the next chapter. However, make no mistake it truly comes down to your tradecraft. And by tradecraft I mean social engineering and the malware being used.
Getting back on track......? I realized I didn't need to put a lot of effort into running my cybercriminal empires and the ROI was perfect for me. In no time I became some sort of cyber vigilante private investigator who earned their money by tricking people into opening an email attachment at a business I didn't like. Like an absolute psychopath with a dope fueled mindset I selected my targets carefully, emotionally, and was financially motivated to follow through on my actions since the more I infected people with this ransomware the more money I made. I went after organizations that bothered me emotionally or ethically in some way or I'd see some bullshit advertisement billboard that "upset" me and I'd target them. I always kept in the back of my mind that the targets I was trying to infect HAD to care about their data personally or professionally. I was 100% sure their data was valuable to them which is why I picked them. Understand?
But what type of targets Funshine?!?
Plastic surgery clinics, abortion clinics, known racist organizations/businesses, and a whole bunch of other places that annoyed me is how I selected my prey. Any businesses you guys deem terrible in your mind is how I selected my targets at one point which was the most successful for me personally. Probably because I made it personal so that helped with social engineering my target with the proper lingo and interest. Hmm. The more I think about it if you're a nutter like myself it could go terribly the other way too. Hmmmmmm. What I mean is that some of you reading this might use the skills learned here against the total opposite targets I went after. Like some maniac learns everything and then are targeting the complete opposite in what I believe in with ransomware or some crazy ass malware campaign. The anti-hate groups or pro-life organizations are being targeted by some of you fucks. DAMN. LOL. I mean maybe? Right? My god man with great power comes great responsibility.
Fucks sake guys I'm re-writing the same paragraphs over and over again and it feels like an 8-hour period of time is passing doing the same thing on repeat. LOL. Editing along the way might get dropped a lot, apologies comodos, but I'm falling apart on the sidelines trying to finish this course.
OK NOW let's get the fuck back on track for fucks sake. Where were we. Ohhhhh yessss ransomware. That was my time to shine baby!
But, of course after a period of time infecting people with the ransomware everything got detected by WD/AV and everything basically came to a grinding halt for me. The dream was over. I was bummed out and annoyed so naturally I harassed the malware developer and went on a rant about how disappointed I was in them and their product not working anymore hoping they would make it FUD again for me resolving my maniac problems. Of course, they would make it FUD again they told me. For a fee. Naturally right?
Well as my life goes I got sucked down to drug land and went on a "minor binge" lasting a surprising amount of time, missed rent, lost a friend's car, and completely forgot to check my AlphaBay account. By the time I got back around to checking my messages on there apparently the ransomware seller was offering their source code for sale for cheap-ish. Not thinking clearly at the time I purchased the source code and had everything I needed to make my own ransomware which turns out was coded in Python and I basically trusted the Vendor 100% that everything they were saying was the truth. Tricky and desperate times. Now, the major problem I encountered at the time was I had no fucking idea how to read or code anything in Python. Perfect. Just perfect. The person selling it to me said the code was bad but functioned with a lot of "lols" written in their reply which explained a lot but I wouldn't realize why until later on once I learned Python.
I began browsing through the source code. I didn't understand most of it but I knew enough to know a little. I decided to stop reading it and to finally teach myself how to program in Python right there and then. I knew this product worked and I knew with the building blocks to work with I could use it for my own purposes. I took one of the many courses offered online for free and read through a few recommended textbooks on Python. No different than any of you who want to take an online course for any programming language you want to learn. Honestly, all I wanted to learn was the basics and be able to somewhat read through other people's source code and change things. If I didn't understand something at least I would have the ability to know where to get the information I was looking for.
My goal was to be at a programming level where I was able to crawl through the source code of the ransomware I purchased, make it FUD, functioning, and modified to my liking. It was a race against time knowing eventually my coding ability would not be effective against modern day AV but surprisingly some techniques still work today. Fast forward 5 years from that point and everyone knows what ransomware is. It's a hot topic these days.
It took me about 5 months to get to a level where I was feeling somewhat confident in what I was doing and copying code from other people's projects I came across online that I found useful. The good news was that the Python ransomware source code I purchased was coded in a way that was so ridiculously basic but realistically it was right on par to where my coding ability was at the time. It all worked out.
Day after day I slowly made my own Python ransomware but I eventually encountered a major problem. I hit my coding ability (at the time) and was unable to advance due to my lack of knowledge and skid-like coding ability. I was ashamed. I had the ransomware running again but I couldn't encrypt the files properly and was getting errors in my code that I was unable to get around. It was beyond my technical ability and at the time I felt hopeless about it all. Like a fool who wasted so much time on some golden goose that didn't exist yet again in the cybercrime underworld! Fuck!
I felt defeat.
Weeks went by with trying to get around the errors and giving up at various moments until I came across a code example on Stackoverflow (where else right?!) that contained what I was looking for. HOORAY mother fuckers! I copied it over, tested my ransomware, and thought my battle was won. But then. THEN. My ransomware was flagged by Windows Defender and only worked 100% on macOS. My heart sunk. It was over. Again. Finished. Loserville.
Now what. Do I need to fucking teach myself how to evade Anti-Virus?! Can I do this?! I don't have time for this. OK FINE! Let's do this. So I went off and taught myself everything there is to know about AV that was within my intellectual capacity, that I could understand, and retain what the fuck I was reading. Basically everything you know about AV in this course is my knowledge base surrounding it. I'm sure you can take it to autism level and know everything but for cybercriminals of our calibre this is what you need to know.
I could understand AV now. I could see it all.
I learned that the AV is probably looking for specific things within my code that are seen in other pieces of known malware which is why it was getting flagged by WD. Of course my shit is being flagged because everyone was basically using the same code in their ransomware at the time and what kind of program encrypts every file as quick as possible finally ending with opening notepad.exe hmmmmmm? That's a little suspicious right? So I thought maybe I need to slow down the encryption process so it doesn't appear to be suspicious or re-code this somehow? Made sense at the time.
I was daydreaming about how I was going to tackle the problem on and off over a week's time. Fuck man this is going to take some time for me to figure out. AND THEN. I thought maybe I just need to look like a human being who is using their computer with a program they coded that simply "moves" their files around. What are the commands you would use in Command Prompt that would move XYZ files around? Like someone automating some function on their computer and coding the process to move files automatically for them. Moving their files around I thought? Hmmmmm. What if I just re-coded my "ransomware" in a way that all it did was move specific files to a hidden folder on the computer and displayed a prompt to the user that their shit was encrypted with ransomware? Would that work?!
Off I went like a fucking maniac re-coding my ransomware just to move specific files with specific file extensions to a folder hidden within the target computer to trick people into thinking they were infected with ransomware and the only way to get all of their files back was to pay a fee. Perfect!
I figured that when the victim was presented with the ransom screen I'd design the ransom note in a way that includes references and logos to other well-known pieces of ransomware already circulating around. Logos or texts that the top dogs were using I copied and put on my shit. I did whatever was needed to advance social engineering my targets into doing what was required. My thought process was that if the victim were to Google the ransomware they were "supposedly" infected with they would come across real articles about the actual real ransomware which in turn would increase the social engineering on them more into my mind game trap. Tricking them into thinking they were infected with some professional ransomware where the reality was my shitty piece of malware was what they were dealing with.
"OH SHIT I've been infected by XYZ ransomware I better pay up"
Just because someone is told that they're infected with ransomware doesn't necessarily mean that they actually are. These days no one knows what's what as there's fake news all over the god damn place. Fake news everywhere. Anyways, I realized I didn't need to be a wizard programmer to figure this shit out and realized early on that I just needed to make someone believe whatever it is I tell them is true. What's that word again? Oh yes, I need to SOCIAL ENGINEER them.
In 5 months I taught myself the very basics of Python, went through malware source code, modified it to my needs, and made a fuck ton of money. 5 MONTHS!
I understand not everyone is going to be able to code on their own but if you can't code on your own then you have to buy what you need. It's that simple. Stop overthinking it and pick one way or the other and move past it. You're not aiming to be the top programmer working over at Google. You're trying to make money as a cybercriminal. Don't get it confused spending too much time trying to learn something to the extreme because you don't need to shoot for the moon.
Just find where you fit in with the cybercriminal career path that is best suited for you and go full tilt into it.
Most of the malware that's being spread around town these days is done so either by emails with attachments via phishing emails or by social engineering your target(s) to download and open XYZ file on your behalf. You'll see a lot of other cybercriminals uploading their malicious files to OneDrive, Google Drive, and other hosting services so that their victims can download the files with ease and confidence. It all depends on how you want to operate but using third party hosting providers that are well known and recognized by the "average" person may help trick them into thinking everything is legit.
Sharpen your claws by re-reading ACTVI to understand how to approach your targets.
Read the articles below and as always don't get hung up on shit that's over your head but instead focus on how the attack was performed, what types of files were sent to the victims, and how the malware was finally executed.
You should by now have picked up on how other hackers are using specific files to send to their targets with the common themes being .zip, .rar, and .iso files being used. Right? You've read this plenty already I'm sure. Why do hackers use these types of files for their malware delivery mechanisms? Well, those types of files (as any file that's downloaded) get flagged with something called Mark-of-the-Web (MOTW) but the files stored within some of those files do not. Files that don't get flagged with MOTW are important to know and understand.
I left this piece of information until last assuming by now you know you need to evade AV, get around Windows SmartScreen, and have learned much about how other threat actors are compromising their targets and what files they're using to be successful.
I know you know all about AV, Windows SmartScreen, blah blah blah but you should know about Mark-of-the-Web (MOTW) too.
This is important to know because a lot of attackers these days are using specific filetypes to deliver their malware to their intended target(s) that aren't flagged with MOTW. Leveraging these types of files helps execute their malware and bypass Windows SmartScreen. It's been a big shift in tradecraft for most threat actors out there since using malicious Microsoft documents is no longer an option.
What's important to take away from MOTW is that the files that DO NOT have the MOTW attribute on them can execute much easier on a target computer than the files that have the MOTW on them. Basically, if they aren't marked with MOTW then Windows SmartScreen will ignore them which is ideal for us.
Every file that is downloaded to your computer either from your web browser, email attachments, etc. gets flagged with the MOTW attribute and is under much more scrutiny from Windows SmartScreen than those that are not flagged with MOTW. Files flagged with the MOTW attribute are treated just as any file from an untrusted location on your computer such as the internet or Restricted Zone.
Certain files do not get flagged with the MOTW attribute such as some files stored within a container file type such as .zip, .rar, and .iso.
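To make the MOTW attribute concrete from the defender's side, here is an added example (my own code, not part of the original post): on NTFS the mark is an alternate data stream named Zone.Identifier holding a small INI-style block, and this script parses that block, names the zone, and reports whether the zone is one SmartScreen acts on. The stream text and the file path are constructed; the ZoneId meanings (0 local machine through 4 restricted sites) are the standard Windows security zones.

```python
"""Inspect a file's Mark-of-the-Web (added example, not from the original post).

On NTFS, Windows stores MOTW as an alternate data stream called
``Zone.Identifier`` with an INI-style body such as:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.invalid/
    HostUrl=https://example.invalid/Payments.zip

SmartScreen and Office Protected View consult ZoneId; 3 (Internet) and
4 (Restricted sites) are the values that trigger the extra checks. A file
pulled out of a container that does not propagate the stream simply has
no such ADS, which is indistinguishable from a locally created file.
"""
from dataclasses import dataclass
from typing import Optional

# URLZONE values of the Windows security-zone model.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class ZoneIdentifier:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    @property
    def triggers_smartscreen(self) -> bool:
        # Zones 3 and 4 are the untrusted zones SmartScreen acts on.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[ZoneIdentifier]:
    """Parse the body of a Zone.Identifier stream.

    Returns None when there is no [ZoneTransfer] section or no numeric
    ZoneId, i.e. a missing or malformed mark is treated as "no MOTW".
    """
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    if "zoneid" not in values:
        return None
    try:
        zone_id = int(values["zoneid"])
    except ValueError:
        return None
    return ZoneIdentifier(zone_id, values.get("referrerurl"), values.get("hosturl"))


def read_motw(path: str) -> Optional[ZoneIdentifier]:
    """Read the Zone.Identifier ADS of *path* (only exists on NTFS/Windows).

    On other filesystems the ``file:stream`` syntax is just a path that does
    not exist, so open() fails and we report "no mark", the same answer a
    file without MOTW gives on Windows.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed sample stream, shaped like what a browser download leaves behind.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/Payments.zip\r\n"
)

if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    print(mark, "->", mark.zone_name if mark else "no MOTW")
```

Which container types propagate the stream to their contents changes between Windows releases and archivers, so a defender should read the ADS of the extracted or mounted files with `read_motw` rather than assume; an absent mark on a file that arrived by email is itself a useful signal.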
OK so you know now that you're delivering .zip, .rar, and .iso files either by email attachments or hosted on a website that would appear normal to your targets so they can download it. Within those files you will have your malware stored either in .exe or .dll form which will be launched through other techniques like a .lnk file or through HTML smuggling.
At first you think "My fucking god how many people fall for this bullshit", right? The reality is that Social Engineering plays a huge part in success (we've gone over this a thousand times by now) and it's important that your emails are crafted in such a way that appear professional and on point. There are many Advanced Persistent Threat (APT) groups out there utilizing these methods with success against major industries, governments, and people so don't underestimate these type of attack surfaces. The more you practice and set everything up for your attacks the better you'll get at them.
Remember to clone the target website, appear as someone they know or trust via email, and use everything you've learned in ACTVI to give yourself the best chance of success!
To solidify how successful these delivery methods are go ahead and read through the articles below. If anything is too technical or over your head just glaze the fuck over it. The point of you reading through the articles is for you to see how other sophisticated threat actors are using these methods of malware delivery and how you can too! These methods do indeed work. Are they 100% successful each time? No of course not but copying how others are operating so you can pursue your targets is where we fit in.
OK now that you know MOTW and why others use those specific files as a delivery mechanism let's continue on.
Malware Delivery Mechanisms
After reading through every article you were supposed to read within this course you should be familiar with how other professional hackers are approaching their targets by sending .ISO, .ZIP, and .RAR files, usually executing malware with .LNK files, HTML smuggling, and social engineering attacks. You can include these types of files in an email attachment but it's better to host them on well-known third party hosting services and social engineer your targets to download them.
Let's educate ourselves a bit on these topics before learning exactly how to execute these attacks.
Social Engineering
This is VERY important. Do not underestimate the power of this life skill. There are plenty of resources found on Google, YouTube, and textbooks. Take the time to learn it.
You should continue to pursue studies in sociology, psychology, and pay attention to what other hacker maniacs are doing out there in the wild.
.ZIP files
A .zip file is a single file containing one or more compressed files which is ideal when making large files smaller and keeping multiple files together into one single file. With a compressed .zip file you can store a single or multiple files into one archive which will make the overall file size much smaller while still retaining the original data and quality.
.zip files are good because you can:
- Compress larger files to reduce the file size.
- Send multiple files by putting them into (1) file to send by email, download, etc.
- Password protect the .zip file and its contents.
From our point of view we like .zip files because we can zip all of our malware files into a (1) .zip file while password protecting the .zip file preventing the contents of it from being viewed or scanned by AV.
Adding a password to the .zip file ensures no one can play peek-a-boo with the malicious files inside or get them flagged by AV burning your operations ahead of schedule. If you social engineer your target properly then only your target will have the password to open the .zip file.
As always, I cannot stress enough that social engineering is very important and how you approach your target, the pre-text you use, websites registered, where the email comes from, where you host the file, etc. all matter and will dictate your chances of success! Aim to be your own level of APT!
.RAR files
The RAR file format is short for the Roshal Archive Compressed file which is a compressed archive from WinRAR. Files that use the .rar file extension are compressed files that make it easier for people to share files over the Internet via email or whatever just like .zip files. For example, if you needed to email multiple file attachments to someone you can compress all the files into a single RAR file and just send one file to your target(s) instead of many. This is not rocket science.
These .rar files are very similar to ZIP files but have different compression algorithms often resulting in smaller sized files. Like Zip files, RAR files can be encrypted with a password to help conceal the malware treasures inside it and help to avoid AV.
Again, from our perspective we're interested in .rar files for the delivery of our malware to our target(s) and password protecting the .rar file so no one can access the juicy files within without the password.
Whether you're using a .zip or .rar file the importance is focused on social engineering your target to download the file and providing them the password in the corresponding emails all while being a professional throughout your operations.
ISO files
As you've learned from reading the articles within this course, other cybercriminal maniacs are using .iso files as a transport mechanism for their malicious files which are all stored within the .iso image itself. Just like ZIP and RAR files you can have multiple files within one .ISO file making it a perfect candidate for a delivery mechanism for malware.
The term "ISO file" or "ISO image" goes back to the standardized format ISO 9660 or 13346 for CD-ROM media and stands for the identical storage image of optical media. An ISO file is meant to contain all the same data that you would transfer when copying data to CD, DVD, or Blu-ray. Unlike other archive files such as .zip or .rar that compress their files, the .iso image is not compressed but is exactly the same as the original files in terms of size, structure, permissions, and metadata.
An ISO disk image doesn't propagate the so-called "Mark of the Web" to the files located within the .iso itself so even if the ISO were downloaded from the internet no warning would be displayed to the victim when the files inside are executed. The same goes for files within other archives, which is great since we can hide our malware within the .iso itself!
A lot of hackers use .iso files to avoid detection since most AVs usually tend to ignore this type of file but as more and more attackers use these type of methods it'll be a matter of time until .iso files get scrutinized more heavily from a cybersecurity perspective.
Moving along.... Windows 8 and above integrate the mounting functionality of an .iso file directly into Windows Explorer which means anyone can mount an .iso file as a virtual drive super easy just by double-clicking the .iso file itself. Any time that we can get someone to double-click something this is the best because that means our victims are a double-click away from being fully compromised and having their computer infected.
The common theme among cybercriminal gangs, government hackers, etc. is they include their malicious files within the .iso file so that once the victim has mounted the .iso file they can easily navigate to the other files in order to infect themselves with malware.
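The three container types described in the .ZIP, .RAR and ISO sections above share one property a mail gateway cares about: the scanner sees the outer file but not necessarily what is inside. Here is an added example (my own code, not from the original post) of the triage a gateway or incident responder can do anyway: identify the container by its magic bytes instead of trusting the extension, and for ZIP archives list the entry names and whether each entry is encrypted (general-purpose flag bit 0). Entry names stay in clear text in a password-protected ZIP, so a shortcut or executable inside can still be flagged even though its content cannot be scanned. The archives and the ISO-shaped blob are constructed in the script; `_set_encrypted_flag` is a test helper that only flips the header flag so the archive looks password-protected.

```python
"""Gateway-style triage of archive attachments (added example, not from the post).

Identifies .zip / .rar / .iso containers by signature, lists ZIP entries,
counts encrypted entries and flags inner names that typically carry the
payload. RAR and ISO cannot be opened with the standard library, so they
are routed to a sandbox or a human in the same way an encrypted ZIP is.
"""
import io
import zipfile
from dataclasses import dataclass, field

ZIP_MAGIC = b"PK\x03\x04"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ISO_MAGIC = b"CD001"        # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001   # sector 16 (0x8000) + 1 byte of descriptor type
# Inner file types the post says are used to launch the payload.
RISKY_SUFFIXES = (".exe", ".dll", ".lnk", ".iso", ".js", ".vbs", ".bat", ".cmd", ".scr", ".hta")


@dataclass
class Verdict:
    container: str                         # "zip", "rar", "iso" or "unknown"
    entries: list = field(default_factory=list)   # (name, encrypted) for zip
    encrypted_entries: int = 0
    risky_names: list = field(default_factory=list)

    @property
    def needs_quarantine(self) -> bool:
        return (self.container in ("rar", "iso")
                or self.encrypted_entries > 0
                or bool(self.risky_names))


def detect_container(data: bytes) -> str:
    """Classify by signature, ignoring whatever extension the file carries."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return "rar"
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    if len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC:
        return "iso"
    return "unknown"


def triage(data: bytes) -> Verdict:
    """Build a Verdict; for ZIPs the central directory is readable even when
    the entries are password-protected, so names and flags are available."""
    verdict = Verdict(container=detect_container(data))
    if verdict.container == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                encrypted = bool(info.flag_bits & 0x1)   # bit 0 = encrypted
                verdict.entries.append((info.filename, encrypted))
                if encrypted:
                    verdict.encrypted_entries += 1
                if info.filename.lower().endswith(RISKY_SUFFIXES):
                    verdict.risky_names.append(info.filename)
    return verdict


def _set_encrypted_flag(zip_bytes: bytes) -> bytes:
    """Constructed test helper: set flag bit 0 in every local file header
    (flags at offset 6) and central directory header (flags at offset 8).
    The data is not actually encrypted; we never try to read it."""
    buf = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_off] |= 0x01
            pos = buf.find(sig, pos + 1)
    return bytes(buf)


def build_samples() -> dict:
    """Constructed inputs: a harmless zip, a 'password-protected' zip whose
    entry names mirror the post's Payments.iso example, an ISO-shaped blob
    and a RAR5 header stub."""
    plain = io.BytesIO()
    with zipfile.ZipFile(plain, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", "hello")
    protected = io.BytesIO()
    with zipfile.ZipFile(protected, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Attachments.lnk", "not a real shortcut")
        zf.writestr("documents.log", "not a real dll")
    iso_blob = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x00" * 16
    return {
        "plain": plain.getvalue(),
        "protected": _set_encrypted_flag(protected.getvalue()),
        "iso": iso_blob,
        "rar": RAR5_MAGIC + b"\x00" * 32,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, triage(blob))
```

Note what the name check does and does not catch in the constructed sample: `Attachments.lnk` is flagged by suffix, while the renamed DLL `documents.log` is not, which is exactly why the triage also quarantines on the encrypted-entry count and container type rather than on names alone.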
As you've read many attackers are using .lnk files within the .iso file which relies heavily on social engineering to be successful.
We'll quickly touch on an example seen in the wild and then after that we're going to talk in detail about the importance of using .lnk files to launch our malware. Let's take a look.
An attacker has sent an email with an attachment "Payments.iso" to an employee at a place of business they're targeting. Once the target downloads and double clicks on the .iso file they are presented with a new window that displays the virtual drive of "Payments.iso" and the files within it. Within the "Payments.iso" file there are (2) other files named "Attachments.lnk" and "documents.log" as seen in the screenshot below.
The "Attachments.lnk" file had its icon changed to a that of a folder for to deceive people into double clicking it thinking that it was actually a folder. By them doing so will launch another file which either executes the malware or downloads what's required in stages/modules. As you can tell from the screenshot above that the files are named in such a way that would entice the target to open them. Your email would be worded in such a way that those filenames are what the target would be expecting given your conversations with them beforehand. Social Engineering is VERY fucking important ladies and gentlemans so do not overlook this as SE skills are needed.
The "Attachments.lnk" is a shortcut file that when doubled clicked will execute this command:
C:\Windows\System32\rundll32.exe documents.log,vspa
Once the victim double-clicks the .lnk file the command runs the Windows rundll32.exe application, which loads "documents.log" as a DLL and calls the exported function named "vspa". Since rundll32.exe loads a DLL by path and doesn't care about the extension, we know that "documents.log" is actually a .DLL file renamed to .log. A shortcut can launch .DLL files (through rundll32.exe) or .EXE files directly with ease, so adjust accordingly depending on how you're delivering your malware.
You now understand that you're delivering your malware in one of the three transport mechanisms we just talked about: .zip, .rar, or .iso. Let's now learn what files are stored within these transport mechanisms to execute our malware so we can understand the current threat landscape.
LNK files
A .LNK file is simply a Windows Shortcut file.
The .lnk file extension is commonly referred to as a "link file" or "desktop shortcut". These files are specific to Windows and typically point to a .exe (or, via rundll32.exe, a .dll) located somewhere else on the computer, optionally with command line arguments, a working directory and a custom icon. They're useful when you want quick access to an application you frequently use but don't want to navigate to its directory every time you want to launch it.
For example, I'm constantly launching my own C&C server located at C:\Users\Funshine\Program Files\Program\Build\Malware.exe. Instead of always clicking through the directories or navigating to it through the command prompt, I can create a shortcut file called Shortcut.lnk, change the icon as I see fit, and point the shortcut at "C:\Users\Funshine\Program Files\Program\Build\Malware.exe". That way I can keep Shortcut.lnk on my desktop and double-click it to launch the program and speed things up. Somewhat automated things yes?
When you double-click a .lnk file it launches the target the shortcut refers to, with whatever arguments are stored in it. Easy. Make sense?
We use these files to launch the malware we've placed inside a .ISO, .ZIP, or .RAR file, which is our transport mechanism. All good, still with me?
This is just one of the ways to social engineer your targets into infecting themselves. Let's take a look at another way to launch malware from within one of the transport mechanisms.
HTML smuggling
HTML smuggling is a malware delivery technique that leverages legitimate HTML5 and JavaScript features and is increasingly used by threat actors to deploy banking malware, remote access Trojans (RATs), and other payloads straight into victims' faces.
As the name suggests, HTML smuggling lets an attacker "smuggle" an encoded payload inside a specially crafted HTML attachment or web page. When the target opens the HTML in their browser, the page's JavaScript decodes the payload and drops it onto the host, typically by building it as a Blob and triggering a download. This technique is nice because instead of a malicious executable crossing the network as a file that a gateway can scan, the malware is "built" locally on the computer from the .html file.
We use HTML smuggling to deliver the .ISO, .ZIP, or .RAR file that houses our malware. No different from everything else we've been talking about up until this point.
The HTML smuggling section is not complete. It will be finished in the very near future! I'll post an update about it when it is.
We know that malicious Microsoft Word documents are no longer a reliable option (Office now blocks macros in documents downloaded from the internet by default), which is OK since we're still able to deliver malware using the other transport mechanisms. It's important to understand that social engineering is vital, along with preventing AV from detecting the malware being used.
Now that you have an understanding of some of the malware transport mechanisms and their potential it's time to teach you how to accomplish it all so you can replicate the attacks talked about throughout the course.
Let's get into it.
But before we do, it's good to test all of these techniques on yourself using the Windows 10 VM you already have set up to see how it all functions. That way you see exactly what the people you'll be targeting see when double-clicking a .zip, .rar, or .iso file, and you'll appreciate what your target(s) go through when being social engineered into infecting themselves.
First things first. Fire up a fresh, fully updated Kali VM so you can follow along with ease. We're going to use Kali to create our .zip, .rar, and .iso, but there are plenty of other programs that do the same job, so feel free to use whatever you prefer if you know others. To keep it easy for everyone we'll be using Kali.
Creating a RAR file
In your Kali VM type:
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install rar
cd ~
echo 1 > 1.hacktown
echo 2 > 2.hacktown
rar a -hp Test.rar *.hacktown
This is how you would use RAR to put your malware files into a single password protected .rar file. With -hp given on its own rar prompts you for the password, and unlike plain -p it encrypts the file headers too, so the file names inside the archive aren't visible without the password. You will need to advise your target(s) of the password so they can access its contents, which is usually done through social engineering via email, documents, websites, etc.
Creating a ZIP file
In your Kali VM type:
sudo apt-get update && sudo apt-get dist-upgrade -y
cd ~
echo 1 > 1.townhack
echo 2 > 2.townhack
zip -e Files.zip *.townhack
Pretty straightforward syntax for putting your malware files into a password protected .zip file (-e prompts you for the password). Keep in mind that zip's classic encryption is weak and the file names inside remain visible in the archive listing, so it only keeps the contents from being scanned in transit. You will need to advise your target(s) of the password so they can access the contents, which is usually done through social engineering via email, mobile, documents, websites, etc.
Creating an ISO file
In your Kali VM type:
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install genisoimage -y
cd ~
mkdir Test
cd Test
echo 1 > 1.hacktits
echo 2 > 2.hacktits
cd ~
genisoimage -o File.iso -V BACKUP -r -J ~/Test
This is the syntax you would use when creating an ISO. -r adds Rock Ridge and -J adds Joliet extensions so the file names show up properly on Windows, and -V sets the volume label the victim sees when the image mounts. Put whatever malware files into a directory and then make an image of that directory so it's easier to transport your malware in. You can double check what ended up in the image with isoinfo -l -i File.iso, which ships with genisoimage.
Alright so now you know how to put your malware files into one of the malware transport delivery methods talked about. Let's learn how to execute your malware through .lnk files that you will place into a .zip, .rar, or .iso file using some trickery to fool them into executing your malware.
Creating a .lnk file
Let's start a fresh, fully updated Windows 10 VM so you can continue to follow along with ease. Always use a fresh VM when going through each tool or technique for the first time, and take a snapshot of your updated Windows 10 VM before following along so you can revert to it in case you fuck things up. Once you master everything you can do whatever you like. You'll figure it out.
We're going to create a folder on our Desktop named "TEST" and copy calc.exe into it. We're going to use the classic "calc.exe" as our stand-in malware so that when the calculator launches through the .lnk file we know exactly how it would work with real malware.
In the command prompt:
cd C:\Users\%USERNAME%\Desktop
mkdir TEST
copy C:\Windows\System32\calc.exe C:\Users\%USERNAME%\Desktop\TEST
cd C:\Users\%USERNAME%\Desktop\TEST
move calc.exe resume.exe
Navigate to the TEST folder, right-click "resume.exe" and choose "Create shortcut". Windows names the new shortcut "resume - Shortcut.lnk".
In the command prompt:
cd C:\Users\%USERNAME%\Desktop\TEST
move "resume - Shortcut.lnk" Files.lnk
Right-click "Files.lnk" and click "Properties". First, let's change the icon to that of a folder to trick our victims into thinking there's a folder for them to double-click and look inside. Click "Change Icon...", enter "%SystemRoot%\System32\SHELL32.dll" as the file to look for icons in and click OK, then pick the folder icon and click OK.
There are plenty of icons here you can choose from and if you want a specific icon to use then you can download any .ico file from the interwebs to incorporate into your madness. Google is your friend.
Now we have the files needed to send to our victims, or we can upload them somewhere for our victims to download. We can choose .zip, .rar, or .iso to deliver them to our targets of interest.
Let's do some variations with .lnk files to show you what's possible.
In the command prompt:
cd C:\Users\%USERNAME%\Desktop\TEST
move resume.exe resume.txt
Now go back into the folder, right-click "Files.lnk" and click "Properties". Leave the "Start in:" field blank as seen in the screenshot below, paste what's below into the "Target:" field, click "Apply" and then OK.
C:\Windows\System32\cmd.exe /c start resume.txt
As you can see the files in C:\Users\%USERNAME%\Desktop\TEST look pretty innocent: a folder and a text file. We've renamed "resume.exe" to "resume.txt" so our victim thinks there's a text file for them to open and read. Be aware of what this target actually does, though. "start resume.txt" doesn't run the file as a program; start hands the file to whatever program is associated with its extension, so a .txt lands in Notepad (and a .jpg in the image viewer) and the renamed executable never runs. Windows decides how to run a file by its extension, which is why the in-the-wild example above used rundll32.exe, which loads a DLL by path no matter what it's called. Test every variation on your VM before you rely on it.
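Since a shortcut's name and icon tell you nothing about what it actually runs, here's an added example, written for this edit and not part of the original post or any tool it mentions: a small Python inspector that reads a .lnk the way Windows does (straight from the MS-SHLLINK header, LinkInfo and StringData structures) and reports the real target path, arguments, working directory, icon and window state, then flags the tells used above (a LOLBin target like cmd.exe or rundll32.exe, a folder icon borrowed from shell32.dll, a minimised window). It builds its own sample shortcut bytes in memory mirroring the Files.lnk above (constructed test input, so it runs offline without Windows); the list of flagged binaries and the assumption that shell32.dll icon indexes 3 and 4 are the folder icons are this example's own, not spec facts. Run it against Files.lnk on your VM to confirm what your lure really points at; it works just as well on a shortcut someone sent you.

```python
import struct

# ShellLinkHeader and LinkFlags layout come from the MS-SHLLINK spec.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}, little-endian

HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData blocks, when present, always appear in this order.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumptions of this example, not spec facts: which targets are worth flagging,
# and that shell32.dll icon indexes 3 and 4 are the closed/open folder icons.
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe"}
FOLDER_ICON_INDEXES = {3, 4}
SW_SHOWMINNOACTIVE = 7


def parse_lnk(data: bytes) -> dict:
    """Pull out the fields that say what a .lnk runs and how it presents itself."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 56)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:  # shell item ID list: skip it by its size
        pos += 2 + struct.unpack_from("<H", data, pos)[0]

    target = None
    if flags & HAS_LINK_INFO:  # LinkInfo holds the resolved local path of the target
        info_size, _hdr, info_flags, _vol_off, lbp_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 1:  # VolumeIDAndLocalBasePath: null-terminated ANSI string
            start = pos + lbp_off
            target = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += info_size

    strings = {}
    for bit, name in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # counted in characters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            strings[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return {"target": target, "icon_index": icon_index, "show_command": show_command, **strings}


def suspicious_indicators(info: dict) -> list:
    """Heuristics for the lure pattern above: LOLBin target, folder icon, minimised window."""
    findings = []
    exe = (info.get("target") or "").rsplit("\\", 1)[-1].lower()
    if exe in LOLBINS:
        findings.append(f"target is {exe} with arguments {info.get('arguments')!r}")
    icon = (info.get("icon_location") or "").lower()
    if icon.endswith("shell32.dll") and info["icon_index"] in FOLDER_ICON_INDEXES:
        findings.append("shortcut is disguised with a folder icon")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised, hiding the console")
    return findings


def build_lnk(target, arguments="", working_dir="", icon_location="", icon_index=0, show_command=1):
    """Constructed test input: a minimal spec-conformant .lnk so the parser runs offline."""
    flags = HAS_LINK_INFO | IS_UNICODE
    string_data = b""
    for bit, value in ((HAS_WORKING_DIR, working_dir), (HAS_ARGUMENTS, arguments),
                       (HAS_ICON_LOCATION, icon_location)):
        if value:
            flags |= bit
            string_data += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIqqqIiIHHII", HEADER_SIZE, LINK_CLSID, flags, 0, 0, 0, 0, 0,
                         icon_index, show_command, 0, 0, 0, 0)
    # LinkInfo: 28-byte header, then VolumeID (fixed drive, empty label), LocalBasePath, suffix.
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"
    base_path = target.encode("cp1252") + b"\x00"
    vol_off = 28
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(base_path)
    link_info = (struct.pack("<7I", suffix_off + 1, 28, 1, vol_off, lbp_off, 0, suffix_off)
                 + volume_id + base_path + b"\x00")
    return header + link_info + string_data + struct.pack("<I", 0)  # TerminalBlock


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_lnk(
        r"C:\Windows\System32\cmd.exe", "/c start resume.txt",
        icon_location=r"%SystemRoot%\System32\SHELL32.dll", icon_index=3,
        show_command=SW_SHOWMINNOACTIVE)
    info = parse_lnk(blob)
    for key, value in info.items():
        print(f"{key:>14}: {value}")
    for finding in suspicious_indicators(info):
        print("  !", finding)
```

Run it as python lnk_inspect.py Files.lnk to inspect a real shortcut; with no argument it inspects the built-in sample. The parser reads the ANSI LocalBasePath from LinkInfo, so a shortcut that carries only a shell item ID list and no LinkInfo will show target None, which on a file somebody sent you is itself a reason to look closer.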
Let's take another look at .lnk files and how we can leverage them for our cybercriminal operations.
Here's my example. I've selected my target and I'm ready to actively engage them. I've registered a domain that appears legitimate to the naked eye and emailed my target about a complaint I have regarding their store and the racism I received when I was there. All lies. I'm simply touching a nerve with the employee and SEing them into my trap. I tell them I was poorly treated by one of their staff members, that I would like an investigation into that employee's conduct and an apology, or else I'm taking everything to the local media. I tell them I recorded a video on my cell phone of everything that happened and have provided the video in my email.
It goes a little something like this.
Below is the contents of my email to my target:
Hello General store manager, I was at your place of business on January 20, 2023 and was treated very poorly by one of your staff. I was having trouble choosing my shoe size when one of your employees muttered a racial slur under their breath while I was trying to make up my mind on which shoes to purchase. I pulled out my cell phone and immediately started filming their behavior as I was feeling threatened at the time. Your employee continues to insult me using racist slurs causing me to leave your store.
I felt so hurt and told myself I would never come back into that store until my friend convinced me to file a complaint on that employee. Thankfully I kept the video which clearly shows your employee doing this to me and have included it in this email.
I hope you will view it and take some sort of action or I will be going to the local media with it.
I've uploaded my documents to Google Drive for ease of download. The password to the file is "PASSWORD".
https://drive.google.com/download=?Files.zip
Please let me know if there's anything else you need to get this situation resolved before I bring it to the media.
Sincerely,
Kin Shu Yu
I have zipped up my malware and hosted it on Google Drive for them to download and open. I've given them the password to the file so my victim has everything they need to infect themselves. Once my target unzips the file they will see the files shown in the screenshot below.
As you can see I've renamed my executable to "Recorded_Video.avi" and included my .lnk file with its icon changed to a folder and named in a way that would entice my victim to click on it!
This is how you deceive people into executing your malware through .lnk files. There are so many possibilities and different ways to social engineer your targets using this method.
You're now capable of creating your own .iso, .zip, or .rar file with your malware housed within. Whether you choose .iso, .zip, or .rar to deliver your malware is up to you. However you SE your target will dictate what type of file you use to infect them.
You can bet these methods will be useless one day, but if there's one thing I've learned along my cybercriminal travels it's that when one thing gets shut down it opens up something somewhere else that can be learned and used. Always stay in the know my friends!
For many of you that are studying at HackTown you're probably asking yourself "How long is it going to take me to actually learn all of this?", "When can I make my millions and fuck off??", "How much am I going to spend on this?", etc.
Well... Listen to my story as I hope it gives people the motivation needed to push themselves and to continue on with educating yourselves on the topics that you're interested in. Which, we all know is crime. Pure crime.
Let's rewind in time to a place in time where I was in my life. Bring it back in time baby.
As you know I dabbled in many cybercriminal operations ranging from carding, running online scams and fraud, hacking, and compromising people and businesses for profits. I was really all over the cybercriminal landscape of careers trying to find my groove and what I was good at. It first started off with a lot of reading and studying about the topics that interested me, just like you're doing now. I started out just like everyone else at ground zero and worked my way up over time to where I was able to pop life in neutral and coast into the sunset. Although, not without some bumps in the road here and there with wasting time on getting a useless degree in Cyber Security and briefly working within that field which sucked ass. But life is all about the journey.
I soon realized that with my knowledge, skills, amount of free time available, time on task, opportunity costs, money, etc. I needed to focus on bigger things with bigger payouts. I didn't like spending too much time on the computer and wanted things automated as much as possible. Cybercrime is the most appealing in that regard yes?
Basically I wanted to only work a (6) hour work week. Like many of you I'm sure. An hour a day I thought is reasonable. LOL.
Thinking about being able to code any program, RAT, or other malware from scratch was a daunting task to even fucking think about when I was first starting out. For many of you too I'm sure. Programming doesn't come naturally for me and we all have our technical limits of what we're able to code and technically comprehend. Generally speaking, that shit requires you to be academically smart in mathematics, computer science, cyber security, programming, etc. while being able to sit at a computer typing your heart away with your eyes wide open for long periods of time.
There you are typing away for hours, months, or even years while still reading through textbook after textbook and taking online course after online course just to get yourself to a certain level of programmer or hacker. Right? Learning how to be a full-on hacker piece of trash skid like myself right up to advancing to a wizard hacker level. What I'm trying to say is that learning everything takes time and you have to have the smarts to do it.
Not everyone is going to be able to become wizard level so understand where you fit in, know your limits, and what is going to be reality for you.
In a nutshell, if you can't program something yourself then buy what you need from someone else who can.
Try to keep in mind most of the people studying at HackTown today probably still have a job, have a family, bills to pay, do drugs, etc. and time is a valuable thing. So the amount of time you're going to need learning how to code plus on top of that juggling those other life commitments is going to be hard for most people. Who the fuck knows when you're actually going to get around to learning everything needed to program your own shit or to be at a level where you can read through other people's source code on your own.
But don't worry I truly thought that too.
You see, I'm not retarded and I had a little background in computers. I had funny interests in the computer world. Like all of you reading this do too. I knew there were programming languages and that's what you need to learn in order to create the next banking trojan and go wild on people. Plus, I was aware of how cybercriminal hacking maniacs were making their money. It makes sense right? If you're interested in robbing a bank then pay attention to the news and see how others are robbing a bank. Are they getting caught? Did they get away with it? How did they do it? Is there money to be made? Is this something I can do successfully?
I was already taking a Cyber Security degree at the time plus I was already into carding and some other fraud shit so I had some background in that which I think gave me an edge with everything looking back on how I developed into a full time cybercriminal. I just needed to learn those specific hacking skills that I was lacking at the time. I found out quickly that if I didn't know how to do something I knew I could pay someone who did. I didn't need to know how to perform SQL injections on websites to gain access to a DB. I just needed to know someone who could do that for me and who would sell me cheap accounts, CCs, etc.
Trying to learn how to program in C/C++ blew my brains out. Like right out of mind. I think it's fair to say anyone coding in C/C++ on a part time basis is probably blowing their brains out daily using it.
So I found out for me learning those types of programming languages wasn't going to work for me at all. I didn't have the patience nor did I have the time to dedicate to learning it. That wasn't going to fucking happen. I was losing everything around me and needed to make money. Pronto.
This was my push into programming. I was lurking through a forum I used to frequent, that's long the fuck gone now, and came across a post about ransomware and how to make money from encrypting sensitive documents and crippling networks to receive payouts through cryptocurrency. It was more of a brainstorming session I'd say and many people chimed in on the post with their opinions on the matter and programming advice on how to accomplish it all. I friended the OP immediately and began hurling 99 questions at this individual while I was frothing at the mouth with excitement. This could change my fucking life!
Now you must remember this is back in time. This was at a time when ransomware wasn't widely known as it is today let alone people knowing anything about social engineering, sophisticated phishing attacks, SIM swapping, etc. and the general public was basically cybersecurity retarded. Way more than people are today. Anyways, as soon as I heard of the ransomware concept I knew this is where I needed to focus my time and efforts. I continued to talk with the hacker on the forum who eventually directed me to purchase their ransomware which at that time was for sale on AlphaBay (old AlphaBay).
I went ahead and purchased it and begun the process of selecting my targets to see if:
A) the ransomware I bought even worked.
B) if I was actually able to make any money from this shit.
I targeted (10) businesses via email with malicious Word documents boobytrapped with this ransomware and specifically crafted for each business with professionalism (SE skillz). The return on investment (ROI) was the best I've experienced through cybercrime since I was requesting $750 USD as payment to "decrypt" their files once I infected them. I was paid initially by (3) people which climbed to (6) within a few days of launching the campaign. Time on task was reasonable for me too. I spent a few hours researching my targets and about (30) minutes crafting the emails needed to social engineer the sheep people I was targeting into opening my Word attachment. At the time malicious Word documents were the choice of every attacker operating out there so it was easier to social engineer the people I was after. I feel for a lot of you reading this since it's a bit harder these days to deliver malware to people but don't worry, you'll be learning the newest methods used today in the next chapter. However, make no mistake it truly comes down to your tradecraft. And by tradecraft I mean social engineering and the malware being used.
Getting back on track......? I realized I didn't need to put a lot of effort into running my cybercriminal empires and the ROI was perfect for me. In no time I became some sort of cyber vigilante private investigator who earned their money by tricking people into opening an email attachment at a business I didn't like. Like an absolute psychopath with a dope fueled mindset I selected my targets carefully, emotionally, and was financially motivated to follow through on my actions since the more people I infected with this ransomware the more money I made. I went after organizations that bothered me emotionally or ethically in some way, or I'd see some bullshit advertisement billboard that "upset" me and I'd target them. I always kept in the back of my mind that the targets I was trying to infect HAD to care about their data personally or professionally. I was 100% sure their data was valuable to them which is why I picked them. Understand?
But what type of targets Funshine?!?
Plastic surgery clinics, abortion clinics, known racist organizations/businesses, and a whole bunch of other places that annoyed me is how I selected my prey. Any businesses you guys deem terrible in your mind is how I selected my targets at one point which was the most successful for me personally. Probably because I made it personal so that helped with social engineering my target with the proper lingo and interest. Hmm. The more I think about it if you're a nutter like myself it could go terribly the other way too. Hmmmmmm. What I mean is that some of you reading this might use the skills learned here against the total opposite targets I went after. Like some maniac learns everything and then are targeting the complete opposite in what I believe in with ransomware or some crazy ass malware campaign. The anti-hate groups or pro-life organizations are being targeted by some of you fucks. DAMN. LOL. I mean maybe? Right? My god man with great power comes great responsibility.
Fucks sake guys I'm re-writing the same paragraphs over and over again and it feels like an 8 hour period of time is passing doing the same thing on repeat. LOL. Editing along the way might get dropped a lot, apologies comodos, but I'm falling apart on the sidelines trying to finish this course.
OK NOW let's get the fuck back on track for fucks sake. Where were we. Ohhhhh yessss ransomware. That was my time to shine baby!
But, of course after a period of time infecting people with the ransomware everything got detected by WD/AV and everything basically came to a grinding halt for me. The dream was over. I was bummed out and annoyed so naturally I harassed the malware developer and went on a rant about how disappointed I was in them and their product not working anymore hoping they would make it FUD again for me resolving my maniac problems. Of course, they would make it FUD again they told me. For a fee. Naturally right?
Well as my life goes I got sucked down to drug land and went on a "minor binge" lasting a surprising amount of time, missed rent, lost a friend's car, and completely forgot to check my AlphaBay account. By the time I got back around to checking my messages on there apparently the ransomware seller was offering their source code for sale for cheap-ish. Not thinking clearly at the time I purchased the source code and had everything I needed to make my own ransomware, which it turns out was coded in Python, and I basically trusted the vendor 100% that everything they were saying was the truth. Tricky and desperate times. Now, the major problem I encountered at the time was I had no fucking idea how to read or code anything in Python. Perfect. Just perfect. The person selling it to me said the code was bad but functioned, with a lot of "lols" written in their reply, which explained a lot but I wouldn't realize why until later on once I learned Python.
I began browsing through the source code. I didn't understand most of it but I knew enough to know a little. I decided to stop reading it and to finally teach myself how to program in Python right there and then. I knew this product worked and I knew with the building blocks to work with I could use it for my own purposes. I took one of the many courses offered online for free and read through a few recommended textbooks on Python. No different than any of you who want to take an online course for any programming language you want to learn. Honestly, all I wanted to learn was the basics and be able to somewhat read through other people's source code and change things. If I didn't understand something at least I would have the ability to know where to get the information I was looking for.
My goal was to be at a programming level where I was able to crawl through the source code of the ransomware I purchased, make it FUD, functioning, and modified to my liking. It was a race against time knowing eventually my coding ability would not be effective against modern day AV but surprisingly some techniques still work today. Fast forward 5 years from that point and everyone knows what ransomware is. It's a hot topic these days.
It took me about 5 months to get to a level where I was feeling somewhat confident in what I was doing and copying code from other people's projects I came across online that I found useful. The good news was that the Python ransomware source code I purchased was coded in a way that was so ridiculously basic but realistically it was right on par with where my coding ability was at the time. It all worked out.
Day after day I slowly made my own Python ransomware but I eventually encountered a major problem. I hit my coding ability (at the time) and was unable to advance due to my lack of knowledge and skid like coding ability. I was ashamed. I had the ransomware running again but I couldn't encrypt the files properly and was getting errors in my code that I was unable to get around. It was beyond my technical ability and at the time I felt hopeless about it all. Like a fool who wasted so much time on some golden goose that didn't exist yet again in the cybercrime underworld! Fuck!
I felt defeat.
Weeks went by with trying to get around the errors and giving up at various moments until I came across a code example on Stackoverflow (where else right?!) that contained what I was looking for. HOORAY mother fuckers! I copied it over, tested my ransomware, and thought my battle was won. But then. THEN. My ransomware was flagged by Windows Defender and only worked 100% on macOS. My heart sunk. It was over. Again. Finished. Loserville.
Now what. Do I need to fucking teach myself how to evade Anti-Virus?! Can I do this?! I don't have time for this. OK FINE! Let's do this. So I went off and taught myself everything there is to know about AV that was within my intellectual capacity, that I could understand, and retain what the fuck I was reading. Basically everything you know about AV in this course is my knowledge base surrounding it. I'm sure you can take it to autism level and know everything but for cybercriminals of our calibre this is what you need to know.
I could understand AV now. I could see it all.
I learned that the AV is probably looking for specific things within my code that are seen in other pieces of known malware which is why it was getting flagged by WD. Of course my shit is being flagged because everyone was basically using the same code in their ransomware at the time and what kind of program encrypts every file as quick as possible finally ending with opening notepad.exe hmmmmmm? That's a little suspicious right? So I thought maybe I need to slow down the encryption process so it doesn't appear to be suspicious or re-code this somehow? Made sense at the time.
I was daydreaming about how I was going to tackle the problem on and off over a week's time. Fuck man this is going to take some time for me to figure out. AND THEN. I thought maybe I just need to look like a human being who is using their computer with a program they coded that simply "moves" their files around. What are the commands you would use in Command Prompt that would move XYZ files around? Like someone automating some function on their computer and coding the process to move files automatically for them. Moving their files around I thought? Hmmmmm. What if I just re-coded my "ransomware" in a way that all it did was move specific files to a hidden folder on the computer and displayed a prompt to the user that their shit was encrypted with ransomware? Would that work?!
Off I went like a fucking maniac re-coding my ransomware just to move specific files with specific file extensions to a folder hidden within the target computer to trick people into thinking they were infected with ransomware and the only way to get all of their files back was to pay a fee. Perfect!
I figured that when the victim was presented with the ransom screen I'd design the ransom note in a way that includes references and logos to other well-known pieces of ransomware already circulating around. Logos or texts that the top dogs were using I copied and put on my shit. I did whatever was needed to advance social engineering my targets into doing what was required. My thought process was that if the victim were to Google the ransomware they were "supposedly" infected with they would come across real articles about the actual real ransomware which in turn would pull them further into my mind game trap. Tricking them into thinking they were infected with some professional ransomware when the reality was my shitty piece of malware was what they were dealing with.
"OH SHIT I've been infected by XYZ ransomware I better pay up"
Just because someone is told that they're infected with ransomware doesn't necessarily mean that they actually are. These days no one knows what's what as there's fake news all over the god damn place. Fake news everywhere. Anyways, I realized I didn't need to be a wizard programmer to figure this shit out and realized early on that I just needed to make someone believe whatever it is I tell them is true. What's that word again? Oh yes, I need to SOCIAL ENGINEER them.
In 5 months I taught myself the very basics of Python, went through malware source code, modified it to my needs, and made a fuck ton of money. 5 MONTHS!
I understand not everyone is going to be able to code on their own but if you can't code on your own then you have to buy what you need. It's that simple. Stop overthinking it and pick one way or the other and move past it. You're not aiming to be the top programmer working over at Google. You're trying to make money as a cybercriminal. Don't get it confused by spending too much time trying to learn something to the extreme because you don't need to shoot for the moon.
Just find where you fit in with the cybercriminal career path that is best suited for you and go full tilt into it.
Most of the malware being spread around town these days is delivered either as an attachment to a phishing email or by social engineering your target(s) into downloading and opening XYZ file for you. You'll see a lot of other cybercriminals uploading their malicious files to OneDrive, Google Drive, and other hosting services so that their victims can download the files with ease and confidence. It all depends on how you want to operate but using third party hosting providers that are well known and recognized by the "average" person may help trick them into thinking everything is legit.
Sharpen your claws by re-reading ACTVI to understand how to approach your targets.
Read the articles below and as always don't get hung up on shit that's over your head but instead focus on how the attack was performed, what types of files were sent to the victims, and how the malware was finally executed.
You should by now have picked up on how other hackers are using specific files to send to their targets with the common themes being .zip, .rar, and .iso files. Right? You've read this plenty already I'm sure. Why do hackers use these types of files for their malware delivery mechanisms? Well, the downloaded container itself (like any file that's downloaded) gets flagged with something called Mark-of-the-Web (MOTW), but the files stored inside it don't always inherit that flag when the container is extracted or mounted. Files that don't get flagged with MOTW are important to know and understand.
I left this piece of information until last assuming by now you know you need to evade AV, get around Windows SmartScreen, and have learned much about how other threat actors are compromising their targets and what files they're using to be successful.
I know you know all about AV, Windows SmartScreen, blah blah blah but you should know about Mark-of-the-Web (MOTW) too.
This is important to know because a lot of attackers these days are using specific filetypes to deliver their malware to their intended target(s) so that the payload inside never gets flagged with MOTW. Leveraging these types of files helps to execute their malware and bypass Windows SmartScreen. It's been a big shift in tradecraft for most threat actors out there since Microsoft started blocking macros by default in Office documents that carry MOTW, which took malicious Microsoft documents off the table.
What's important to take away from MOTW is that files that DO NOT have the MOTW attribute on them execute much more easily on a target computer than files that do have it. Basically, if they aren't marked with MOTW then Windows SmartScreen doesn't get involved when they're run, which is ideal for us.
Every file that is downloaded to your computer, whether from your web browser, an email attachment, etc., gets flagged with the MOTW attribute. Technically MOTW is a small NTFS alternate data stream named Zone.Identifier attached to the file that records which security zone the file came from (ZoneId=3 is the Internet zone, ZoneId=4 is Restricted sites). Files carrying it are treated just like any file from an untrusted location and get much more scrutiny from Windows SmartScreen than files without it.
Certain files do not end up with the MOTW attribute, namely some files stored within a container type of file such as .zip, .rar, and .iso. Whether the files inside inherit the flag depends on the container and on the program that opens it: Windows Explorer's built-in zip extraction copies MOTW onto every file it extracts, while some third-party archivers and, on Windows builds before the November 2022 updates, mounted .iso images did not. Test it on your own VM rather than assuming.
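To see MOTW for yourself rather than take anyone's word for it, here is a small Python script (an added example, not part of the original course) that parses the Zone.Identifier stream and reports which files under a folder carry it. Run it on your Windows VM against a folder you just extracted from a downloaded .zip, .rar or .iso: anything reported as NO MOTW is what SmartScreen would wave through. SAMPLE_STREAM is a constructed example of what a browser writes, with made-up URLs; the stream itself only exists on NTFS, so on Linux the script can only parse the sample.

```python
"""Check which files carry the Mark-of-the-Web (the Zone.Identifier stream)."""
import os
import sys

# Security zone IDs Windows records in the stream.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser writes to <file>:Zone.Identifier
# after a download (the URLs are made up).
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://drive.example.test/\r\n"
                 "HostUrl=https://drive.example.test/Files.zip\r\n")


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style Zone.Identifier text.

    Returns {'zone_id': int, 'zone': str} plus 'referrer'/'host' when present.
    Raises ValueError if there is no ZoneId, i.e. no usable mark.
    """
    section = None
    fields = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            fields["zone_id"] = int(value)
        elif key == "referrerurl":
            fields["referrer"] = value
        elif key == "hosturl":
            fields["host"] = value
    if "zone_id" not in fields:
        raise ValueError("Zone.Identifier has no ZoneId")
    fields["zone"] = ZONES.get(fields["zone_id"], f"zone {fields['zone_id']}")
    return fields


def read_motw(path: str):
    """Return the parsed mark for `path`, or None if the file has none.

    The stream is NTFS alternate data, opened as 'name:Zone.Identifier'.
    Non-Windows hosts have no ADS, so the answer there is always None.
    """
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except (OSError, ValueError):
        return None


def audit_tree(root: str) -> dict:
    """Map every file under `root` to its zone name or 'NO MOTW'."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mark = read_motw(full)
            report[full] = mark["zone"] if mark else "NO MOTW"
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, zone in sorted(audit_tree(sys.argv[1]).items()):
            print(f"{zone:16} {path}")
    else:
        print(parse_zone_identifier(SAMPLE_STREAM))
```

Run it as `python motw_check.py C:\Users\you\Desktop\extracted` on the Windows VM right after extracting or mounting, once with Explorer's built-in extraction and once with whatever archiver you plan on the target using; the difference in the NO MOTW column is the whole point of the container trick.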
OK so you know now that you're delivering .zip, .rar, and .iso files either as email attachments or hosted on a website that would appear normal to your targets so they can download it. Within those containers you will have your malware stored in .exe or .dll form, usually launched through a .lnk file sitting next to it. HTML smuggling (covered below) is a different piece of the puzzle: it's a way to get the container onto the target's machine from a web page instead of as an attachment.
At first you think "My fucking god how many people fall for this bullshit", right? The reality is that Social Engineering plays a huge part in success (we've gone over this a thousand times by now) and it's important that your emails are crafted in such a way that they appear professional and on point. There are many Advanced Persistent Threat (APT) groups out there utilizing these methods with success against major industries, governments, and people so don't underestimate these types of attacks. The more you practice and set everything up for your attacks the better you'll get at them.
Remember to clone the target website, appear as someone they know or trust via email, and use everything you've learned in ACTVI to give yourself the best chance of success!.
To solidify how successful these delivery methods are go ahead and read through the articles below. If anything is too technical or over your head just glaze the fuck over it. The point of you reading through the articles is for you to see how other sophisticated threat actors are using these methods of malware delivery and how you can too! These methods do indeed work. Are they 100% successful each time? No of course not but copying how others are operating so you can pursue your targets is where we fit in.
OK now that you know about MOTW and why others use those specific files as a delivery mechanism let's continue on.
Malware Delivery Mechanisms
After reading through every article you were supposed to read within this course you should be familiar with how other professional hackers are approaching their targets: sending .ISO, .ZIP, and .RAR files, usually executing the malware inside with .LNK files, HTML smuggling, and social engineering attacks. You can include these types of files as an email attachment but it's better to host them on well-known third party hosting services and social engineer your targets into downloading them.
Let's educate ourselves a bit on these topics before learning exactly how to execute these attacks.
Social Engineering
This is VERY important. Do not underestimate the power of this life skill. There are plenty of resources found on Google, YouTube, and textbooks. Take the time to learn it.
You should continue to pursue studies in sociology, psychology, and pay attention to what other hacker maniacs are doing out there in the wild.
.ZIP files
A .zip file is a single archive containing one or more compressed files, which is ideal for making large files smaller and keeping multiple files together as one. The compressed .zip file is much smaller than the originals while still retaining the original data byte for byte.
.zip files are good because you can:
[*]Compress larger files to reduce the file size.
[*]Send multiple files by putting them into (1) file to send by email, download, etc.
[*]Password protect the .zip file and its contents.
From our point of view we like .zip files because we can zip all of our malware files into one .zip file and password protect it, which prevents the contents from being viewed or scanned by AV. One thing to keep in mind: standard zip encryption only encrypts the file contents, so the file names and sizes are still readable in the archive listing without the password.
Adding a password to the .zip file ensures no one can play peek-a-boo with the malicious files inside or get them flagged by AV, burning your operations ahead of schedule. If you social engineer your target properly then only your target will have the password to open the .zip file.
As always, I cannot stress enough that social engineering is very important and how you approach your target, the pre-text you use, websites registered, where the email comes from, where you host the file, etc. all matter and will dictate your chances of success! Aim to be your own level of APT!
.RAR files
The RAR file format is short for Roshal Archive, the compressed archive format used by WinRAR. Files with the .rar extension are compressed archives that make it easier for people to share files over the Internet via email or whatever, just like .zip files. For example, if you needed to email multiple file attachments to someone you can compress all the files into a single RAR file and send one file to your target(s) instead of many. This is not rocket science.
These .rar files are very similar to ZIP files but use a different compression algorithm, often resulting in smaller files. Like Zip files, RAR files can be encrypted with a password to help conceal the malware treasures inside and help avoid AV. Unlike standard zip encryption, RAR can also encrypt the file names (the -hp switch used later in this chapter), so nothing about the contents is visible without the password.
Again, from our perspective we're interested in .rar files for the delivery of our malware to our target(s) and password protecting the .rar file so no one can access the juicy files within without the password.
Whether you're using a .zip or .rar file the importance is focused on social engineering your target to download the file and providing them the password in the corresponding emails all while being a professional throughout your operations.
ISO files
As you've learned from reading the articles within this course, other cybercriminal maniacs are using .iso files as a transport mechanism for their malicious files, which are all stored within the .iso image itself. Just like ZIP and RAR files you can have multiple files within one .ISO file, making it a perfect candidate for a malware delivery mechanism.
The term "ISO file" or "ISO image" goes back to the standardized formats ISO 9660 and ISO 13346 for CD-ROM media and means an identical storage image of optical media. An ISO file contains all the same data you would transfer when copying data to a CD, DVD, or Blu-ray. Unlike archive files such as .zip or .rar that compress their contents, the .iso image is not compressed but is exactly the same as the original files in terms of size, structure, permissions, and metadata.
An ISO disk image traditionally didn't propagate the so-called "Mark of the Web" to the files located within the .iso itself, so even if the ISO were downloaded from the internet no warning would be displayed to the victim when the files inside were executed. That's exactly why threat actors started hiding their malware inside .iso files. Be aware that Microsoft changed this in the November 2022 Windows updates: on a patched system, files inside a mounted ISO that carries MOTW now inherit it, so this trick depends on the target's patch level.
A lot of hackers use .iso files to avoid detection since some scanners and email gateways have historically not looked inside this type of file, but as more and more attackers use these methods it's only a matter of time until .iso files get scrutinized more heavily from a cybersecurity perspective.
Moving along.... Windows 8 and above integrate the mounting functionality of an .iso file directly into Windows Explorer which means anyone can mount an .iso file as a virtual drive super easy just by double-clicking the .iso file itself. Any time that we can get someone to double-click something this is the best because that means our victims are a double-click away from being fully compromised and having their computer infected.
The common theme among cybercriminal gangs, government hackers, etc. is they include their malicious files within the .iso file so that once the victim has mounted the .iso file they can easily navigate to the other files in order to infect themselves with malware.
As you've read many attackers are using .lnk files within the .iso file which relies heavily on social engineering to be successful.
We'll quickly touch on an example seen in the wild and then after that we're going to talk in detail about the importance of using .lnk files to launch our malware. Let's take a look.
An attacker has sent an email with an attachment "Payments.iso" to an employee at a business they're targeting. Once the target downloads and double clicks the .iso file they are presented with a new window that displays the virtual drive of "Payments.iso" and the files within it. Within the "Payments.iso" file there are (2) other files named "Attachments.lnk" and "documents.log" as seen in the screenshot below.
The "Attachments.lnk" file had its icon changed to that of a folder to deceive people into double clicking it thinking it was actually a folder. Doing so launches another file which either executes the malware or downloads what's required in stages/modules. As you can tell from the screenshot above the files are named in such a way that would entice the target to open them. Your email would be worded in such a way that those filenames are what the target would be expecting given your conversations with them beforehand. Social Engineering is VERY fucking important ladies and gentlemen so do not overlook this as SE skills are needed.
The "Attachments.lnk" is a shortcut file that when doubled clicked will execute this command:
C:\Windows\System32\rundll32.exe documents.log,vspa
Once the victim double clicks on the .lnk file the command runs the Windows rundll32.exe application, which loads "documents.log" and calls its exported function "vspa". Since rundll32.exe loads the file as a library regardless of its name, we know that "documents.log" is actually a .DLL renamed to a .log file. A shortcut can launch .DLL files (through rundll32.exe) and .EXE files (directly) with ease, so depending on how you're delivering your malware you'd adjust accordingly.
You understand that you're delivering your malware in one of the three transport mechanisms we just talked about, that being a .zip, .rar, or .iso file. Let's now learn what files are stored within these transport mechanisms and used to execute our malware so we can understand the current threat landscape.
LNK files
A .LNK file is simply a Windows Shortcut file.
The .lnk file extension is commonly referred to as "link files" or "desktop shortcuts". These files are specific to Windows and point to a program, document or folder located somewhere else on the computer, and they also store the command-line arguments, working directory and icon to use when the shortcut is opened. They're useful when you want quick access to an application you frequently use but don't want to navigate to the file's directory each and every time you want to launch it.
For example, say I'm constantly launching my own C&C server located at C:\Users\Funshine\Program Files\Program\Build\Malware.exe. Instead of always clicking through the directories or navigating to it through the command prompt to launch my program I can create a shortcut file called Shortcut.lnk, change the icon as I see fit, and point the shortcut at "C:\Users\Funshine\Program Files\Program\Build\Malware.exe". That way you can have Shortcut.lnk on your desktop and double-click that to launch whatever file to speed things up. Somewhat automated things, yes?
When you double click a .lnk shortcut file Windows runs whatever the shortcut refers to, with whatever arguments were stored in it. Easy. Make sense?
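Here is an added Python parser (not from the course or its author) for the shortcut format, MS-SHLLINK, so you can see exactly what a .lnk like "Attachments.lnk" will run before anyone double-clicks it: the target path stored in the LinkInfo block, the command-line arguments, the icon it borrows, and the window state. The build_test_lnk() helper only exists to construct sample input for the parser; the sample mirrors the "rundll32.exe documents.log,vspa" case from Payments.iso and the shell32.dll folder-icon trick, and the file names in it are made up.

```python
"""Parse a Windows shortcut (.lnk, MS-SHLLINK) and surface what it launches."""
import struct
import sys

# ShellLinkHeader LinkFlags bits.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_MAGIC = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
# Program hosts a "document" or "folder" shortcut has no business pointing at.
LOLBINS = {"rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe", "msiexec.exe"}


def parse_lnk(data: bytes) -> dict:
    if data[:20] != LNK_MAGIC or len(data) < 0x4C:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    icon_index, show_cmd = struct.unpack_from("<iI", data, 56)
    link = {"icon_index": icon_index, "show_command": show_cmd, "local_base_path": ""}
    pos = 0x4C
    if flags & HAS_IDLIST:                        # u16 size, then the item IDs
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINKINFO:                      # u32 total size (self-inclusive)
        size, _hdr, li_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:                        # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", pos + base_off)
            link["local_base_path"] = data[pos + base_off:end].decode("cp1252", "replace")
        pos += size
    for flag, name in STRING_FIELDS:              # StringData: u16 count + chars
        if not flags & flag:
            link[name] = ""
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            link[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            link[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return link


def target_of(link: dict) -> str:
    return link["local_base_path"] or link["relative_path"]


def suspicious_reasons(link: dict) -> list:
    """Heuristics that single out the lure pattern described in the text."""
    reasons = []
    exe = target_of(link).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in LOLBINS:
        reasons.append(f"runs {exe} with arguments {link['arguments']!r}")
    if link["show_command"] == 7:                 # SW_SHOWMINNOACTIVE: no visible window
        reasons.append("starts minimised so the victim sees nothing")
    if link["icon_location"].lower().endswith(("shell32.dll", "imageres.dll")):
        reasons.append(f"borrows a system icon: {link['icon_location']} #{link['icon_index']}")
    return reasons


def build_test_lnk(local_path: str, arguments: str, icon: str,
                   icon_index: int = 0, show_command: int = 1) -> bytes:
    """Construct a minimal shortcut as parser input (no IDList, no ExtraData;
    not what Explorer writes, just enough structure to exercise parse_lnk)."""
    def ustr(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    base = local_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"        # 17 bytes
    li_size = 0x1C + len(volume_id) + len(base) + 1
    link_info = struct.pack("<7I", li_size, 0x1C, 0x1, 0x1C, 0x1C + len(volume_id),
                            0, 0x1C + len(volume_id) + len(base))
    link_info += volume_id + base + b"\x00"
    flags = HAS_LINKINFO | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = (LNK_MAGIC + struct.pack("<II", flags, 0x20) + b"\x00" * 24
              + struct.pack("<IiIH", 0, icon_index, show_command, 0) + b"\x00" * 10)
    assert len(header) == 0x4C
    return header + link_info + ustr(arguments) + ustr(icon)


# Constructed sample mirroring the Payments.iso case: rundll32 loading a renamed
# DLL, folder icon borrowed from shell32.dll, window minimised.
SAMPLE_LNK = build_test_lnk(r"C:\Windows\System32\rundll32.exe", "documents.log,vspa",
                            r"%SystemRoot%\System32\SHELL32.dll", icon_index=3, show_command=7)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    link = parse_lnk(data)
    print("target    :", target_of(link), link["arguments"])
    for reason in suspicious_reasons(link):
        print("suspicious:", reason)
```

Point it at a real shortcut with `python lnk_peek.py Attachments.lnk`; the ExtraData blocks after the strings (tracker, environment variables) are ignored here, and a shortcut whose only target is in the IDList will show an empty target, which on its own is worth a second look.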
We use these files to infect our targets with malware that are within a .ISO, .ZIP, or .RAR file which is our transport mechanism. All good, still with me?
This is just one of the ways to help social engineer your targets into infecting themselves. Let's take a look at another way to launch malware within one of the transport delivery mechanisms.
HTML smuggling
HTML smuggling is a malware delivery technique that leverages legitimate HTML5 and JavaScript features and is increasingly being used by other threat actors to deploy banking malware, remote access Trojans (RATs), and other malware to their victims.
As the name suggests HTML smuggling lets an attacker "smuggle" an encoded payload within a specially crafted HTML attachment or web page. When a target user opens the HTML in their web browser, the page's own JavaScript decodes the payload and saves it to disk as a file download, so it never crosses the network as a recognizable executable or archive. This technique is nice because instead of having a malicious file downloaded directly over the network we "build" it locally on the computer from the .html file.
We use HTML smuggling to drop the .ISO, .ZIP, or .RAR container that holds our malware onto the target's computer from a web page instead of sending it as an attachment. The .lnk inside still does the launching, so it's no different from everything else we've been talking about up until this point.
HTML smuggling is not complete. It will be finished in the very near future! I'll post an update about it when it is.
We know that malicious macro-enabled Microsoft Word documents downloaded from the internet are now blocked by default, which is OK since we're still able to deliver malware using the transport mechanisms above. It's important to understand that social engineering is vital, along with preventing AV from detecting the malware being used.
Now that you have an understanding of some of the malware transport mechanisms and their potential it's time to teach you how to accomplish it all so you can replicate the attacks talked about throughout the course.
Let's get into it.
But before we do that it's good to test all of these techniques out on yourself using the Windows 10 VM you already have set up and ready to go to see how it all functions. That way you can see what the people you will be targeting see when double clicking on a .zip, .rar, and .iso file. You will appreciate what your target(s) will have to go through when being social engineered into infecting themselves with malware.
First things first. Let's fire up a fresh fully updated Kali VM so you can follow along with ease. We're going to use Kali to create our .zip, .rar , and .iso but there are so many programs out there you can use so feel free to use other ones you deem good for yourself if you know others. Keeping it easy for everyone we'll be using Kali.
Creating a RAR file
In your Kali VM type:
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install rar
cd ~
echo 1 > 1.hacktown
echo 2 > 2.hacktown
rar a -hp Test.rar *.hacktown
This is how you would use RAR to put your malware files into a single password protected .rar file. The -hp switch encrypts the file names as well as the contents (plain -p only encrypts contents) and rar will prompt you for the password. You will need to advise your target(s) of the password so they can access its contents which is usually done through social engineering via email, documents, websites, etc.
Creating a ZIP file
In your Kali VM type:
sudo apt-get update && sudo apt-get dist-upgrade -y
cd ~
echo 1 > 1.townhack
echo 2 > 2.townhack
zip -e Files.zip *.townhack
Pretty straightforward syntax on how you would use ZIP to put your malware files into a .zip file that is password protected (-e prompts you twice for the password; remember it encrypts the contents but not the file names). You will need to advise your target(s) of the password so they can access the contents which is usually done through social engineering via email, mobile, documents, websites, etc.
Creating an ISO file
In your Kali VM type:
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install genisoimage -y
cd ~
mkdir Test
cd Test
echo 1 > 1.hacktits
echo 2 > 2.hacktits
cd ~
genisoimage -o File.iso -V BACKUP -r -J ~/Test/*
This is the syntax you would use when creating an ISO. Put whatever malware files into a directory and then make an image file of that directory so it's easier to transport your malware in. -V sets the volume label, which is the drive name Windows shows once the image is mounted, and -J adds Joliet names so Windows displays the long file names instead of truncated 8.3 ones.
Alright so now you know how to put your malware files into one of the malware transport delivery methods talked about. Let's learn how to execute your malware through .lnk files that you will place into a .zip, .rar, or .iso file using some trickery to fool them into executing your malware.
Creating a .lnk file
Let's start a fresh fully updated Windows 10 VM so you can continue to follow along with ease. Always make sure you're using a fresh VM every time when going through each tool or technique for the first time and remember to take a snapshot of your updated Windows 10 VM before attempting to follow along. That way you can just re-vert to the updated machine each time with ease in case you fuck things up. Once you master everything you can do whatever you like. You'll figure it out.
We're going to create a folder on our Desktop named "TEST" and then copy the calc.exe file into it. We're going to use the classic "calc.exe" as our example malware file so we know when the calculator program launches through the .lnk file this is exactly how it would work when executing any malware.
In the command prompt:
cd C:\Users\%USERNAME%\Desktop
mkdir TEST
copy C:\Windows\System32\calc.exe C:\Users\%USERNAME%\Desktop\TEST
cd C:\Users\%USERNAME%\Desktop\TEST
move calc.exe resume.exe
Navigate to the TEST folder, right click on resume.exe and choose "Create shortcut". Windows names the new file "resume - Shortcut.lnk".
In the command prompt:
cd C:\Users\%USERNAME%\Desktop\TEST
move "resume - Shortcut.lnk" Files.lnk
Right click on "Files.lnk" and click on "Properties". First, let's change the icon to that of a Folder to trick our victims into thinking there's a Folder for them to double click on to see what's inside. Click on "Change Icon...". Once there enter "%SystemRoot%\System32\SHELL32.dll" as the file to look for icons in and click OK. Navigate to the Folder icon then select OK.
There are plenty of icons here you can choose from and if you want a specific icon to use then you can download any .ico file from the interwebs to incorporate into your madness. Google is your friend.
Now we have the files needed to send to our victims or we can upload them somewhere to have our victims download. We can now choose to use .zip, .rar , or put them into an .iso file to deliver to our targets of interest.
Let's do some variations with .lnk files to show you what's possible.
In the command prompt:
cd C:\Users\%USERNAME%\Desktop\TEST
move resume.exe resume.txt
Now go back into the folder, right click on "Files.lnk" and click on "Properties". Leave the "Start in:" portion blank as seen in the screenshot below, paste what's below into the "Target:" section, click "Apply" and then OK.
C:\Windows\System32\cmd.exe /c start resume.txt
As you can see the files in C:\Users\%USERNAME%\Desktop\TEST appear pretty innocent, don't they? You have a "Folder" and a text file that both look normal. We've renamed "resume.exe" to "resume.txt" so our victim thinks there's a text file for them to open and read. One thing to get straight, because it's often explained wrong: "cmd.exe /c start resume.txt" does NOT run the file as an executable regardless of its extension. "start" hands the file to the Windows shell, which picks the program by extension, so resume.txt opens in Notepad and resume.jpg would open in the image viewer. The rundll32.exe example from Payments.iso works with any extension because rundll32 loads the file as a DLL no matter what it's called. So rename the decoy however you like, but make sure the .lnk's Target actually runs your payload, and test it on your VM before you send anything.
Let's take another look at .lnk files and how we can leverage them for our cybercriminal operations.
Here's my example. I've selected my target and I'm ready to actively engage them. I have registered a domain that appears legitimate to the naked eye and have emailed my target regarding a complaint I have about their store and the racism I received when I was there. Which is all lies. I'm simply touching a nerve with the employee and SEing them into my trap. I tell them how I was poorly treated by one of their staff members, that I would like an investigation launched into that employee's conduct and an apology, or else I'm taking everything to the local media. I tell them I recorded a video on my cell phone of everything that happened to me and have provided the video to them in my email.
It goes a little something like this.
Below is the contents of my email to my target:
Hello General store manager, I was at your place of business on January 20, 2023 and was treated very poorly by one of your staff. I was having trouble choosing my shoe size when one of your employees muttered a racial slur under their breath while I was trying to make up my mind on which shoes to purchase. I pulled out my cell phone and immediately started filming their behavior as I was feeling threatened at the time. Your employee continues to insult me using racist slurs causing me to leave your store.
I felt so hurt and told myself I would never come back into that store until my friend convinced me to file a complaint on that employee. Thankfully I kept the video which clearly shows your employee doing this to me and have included it in this email.
I hope you will view it and take some sort of action or I will be going to the local media with it.
I've uploaded my documents to Google Drive for ease of download. The password to the file is "PASSWORD".
https://drive.google.com/download=?Files.zip
Please let me know if there's anything else you need to get this situation resolved before I bring it to the media.
Sincerely,
Kin Shu Yu
I have zipped up my malware and hosted it on Google Drive for them to download and open. I've given them the password to the file so my victim has everything they need to infect themselves with. Once my target unzips the file they will see the other files as seen in the screenshot below.
As you can see I've renamed my executable to "Recorded_Video.avi" and included my .lnk file that I've changed the icon to a Folder and named it in such a way that would entice my victim to click on it!.
This is how you deceive people into executing your malware through .lnk files. There are so many possibilities and different ways to social engineer your targets using this method.
You're now capable of creating your own .iso, .zip, or .rar file with your malware housed within. Whether you choose a .iso, .zip, or .rar to deliver your malware is up to you. Whatever way you SE your target will dictate what type of file you use to infect them with.
You can bet these methods will be useless one day but if there's something I've learned along my cybercriminal travels it's that when one thing gets shut down it opens up something somewhere else that can be learned and used. Always stay in the know my friends!
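Added Python example (not the course's own code) for the other side of the desk: triaging a lure .zip like the Files.zip above, or the TEST folder you just built, before anything gets opened. It lists every entry, notes encrypted entries (names and sizes are still visible even with a password), and sniffs the first bytes of each file so a renamed PE ("Recorded_Video.avi", "resume.txt", "documents.log") or a shortcut shows up as what it really is instead of what its extension claims. The archive it builds in memory is a constructed sample with made-up file names and stub PE headers, not real programs.

```python
"""Triage a .zip lure: list entries, flag encryption, and sniff real file types."""
import io
import struct
import sys
import zipfile

LNK_MAGIC = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
RISKY_EXT = {".exe", ".dll", ".lnk", ".scr", ".js", ".vbs", ".hta", ".iso",
             ".img", ".bat", ".cmd", ".ps1", ".msi"}
IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit that marks a DLL


def sniff(head: bytes) -> str:
    """Classify a file from its leading bytes; PE files are split into exe/dll."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head[:2] == b"MZ" and len(head) >= 0x40:
        e_lfanew, = struct.unpack_from("<I", head, 0x3C)
        if head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(head) >= e_lfanew + 24:
            characteristics, = struct.unpack_from("<H", head, e_lfanew + 22)
            return "dll" if characteristics & IMAGE_FILE_DLL else "exe"
        return "mz"                  # DOS header but PE header beyond what we read
    if head[:4] == b"PK\x03\x04":
        return "zip"
    if head[:4] == b"RIFF":
        return "riff"                # a real .avi/.wav starts like this
    if head[:4] == b"%PDF":
        return "pdf"
    if head[:8] == bytes.fromhex("d0cf11e0a1b11ae1"):
        return "ole"                 # legacy Office/MSI container
    return "other"


def extension_of(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def triage_zip(data: bytes) -> list:
    """Return one finding per file entry: name, size, sniffed kind, warnings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = extension_of(info.filename)
            encrypted = bool(info.flag_bits & 0x1)
            if encrypted:
                kind = "encrypted"   # listing works, reading does not
            else:
                with zf.open(info) as fh:
                    kind = sniff(fh.read(4096))
            flags = []
            if ext in RISKY_EXT:
                flags.append(f"risky extension {ext}")
            if kind in ("exe", "dll", "lnk") and ext != "." + kind:
                flags.append(f"content is {kind} but named {ext or 'with no extension'}")
            if encrypted:
                flags.append("encrypted: cannot be scanned without the password")
            findings.append({"name": info.filename, "size": info.file_size,
                             "kind": kind, "flags": flags})
    return findings


def fake_pe(dll: bool) -> bytes:
    """Constructed stub with just an MZ/PE skeleton, not a runnable program."""
    buf = bytearray(0x40 + 24)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)             # e_lfanew
    buf[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", buf, 0x40 + 22, 0x2102 if dll else 0x0102)
    return bytes(buf)


def build_sample_zip() -> bytes:
    """Constructed lure archive with made-up names, mirroring the text's examples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Recorded_Video.avi", fake_pe(dll=False))   # renamed executable
        zf.writestr("documents.log", fake_pe(dll=True))         # renamed DLL
        zf.writestr("Files.lnk", LNK_MAGIC + b"\x00" * 56)      # shortcut with folder icon
        zf.writestr("notes.txt", "nothing to see here\n")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ZIP
    for f in triage_zip(data):
        print(f"{f['kind']:9} {f['size']:8} {f['name']}  {'; '.join(f['flags'])}")
```

Run it with the path to a downloaded archive as the only argument. A .rar or .iso needs a different container parser (the stdlib only reads zip), but the sniff() logic is the same once you have the bytes, and an entry that comes back "encrypted" is exactly the case where the password in the email is the only way anyone, scanner included, gets to look.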