andrewji8

Attack and Defense Exercise | Recording the Whole Process of Social Engineering Phishing

As a beginner at phishing, my experience with phishing attacks is still very limited, and there is a lot of room for improvement in building AV-evading Trojans and bundling them. This article focuses on the social engineering idea and the construction of the scenario, so it does not go into the details of AV evasion; you can search Google for specific AV-evasion techniques.

There are many options for AV evasion today, and a common one is separate loading: the loader and the payload are delivered separately. Here I chose a loader written in C++ and used MSF (Metasploit) as the C2. (At the time, my payload could only get past Huorong and Kaspersky.) Briefly, the implementation works as follows, which is a very routine process:

  1. Use MSF to generate shellcode in raw format.
  2. Encrypt the shellcode so that it is not easily detected by anti-virus software.
  3. Embed the encrypted shellcode in an image to produce a Trojan image.
  4. Upload the Trojan image to the VPS provided by HVV and start an externally reachable service so that the victim's machine can fetch it.
  5. Induce the victim to run the loader; the loader then automatically downloads the Trojan image from the VPS.
  6. The loader decrypts the shellcode contained in the Trojan image and injects it into memory, establishing a session with the C2 (coming online).

The advantage of this method is that it uses a common image format as the carrier, which makes the Trojan harder for anti-virus software to detect. At the same time, the encryption and decryption steps add concealment to the execution process and improve AV evasion.

(Note: when generating shellcode with MSF you can add some obfuscation parameters, and when writing the shellcode loader, try to use less common Windows APIs to increase concealment.)
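From the defender's side, the "Trojan image" carrier in steps 3 to 6 has a structural tell: the image file continues past the point where the image format says it ends, and the appended bytes look encrypted (near-maximal entropy). The following is an added detection check, not code from the post or from the author's loader; it walks the PNG chunk list, verifies chunk CRCs, and reports any data trailing after IEND. The sample PNG and the stand-in "encrypted" blob are constructed inline for the demo.

```python
"""Added defensive check: flag PNG files that carry data appended past the end
of the image structure. The sample PNG and payload are constructed here."""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def png_walk(data: bytes):
    """Walk the PNG chunk list. Returns (chunk_names, crc_ok, offset_after_IEND),
    or None if the data is not a complete, well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    names, crc_ok = [], True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            return None  # truncated chunk
        body = data[body_start:body_end]
        (crc,) = struct.unpack_from(">I", data, body_end)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            crc_ok = False
        names.append(ctype.decode("latin-1"))
        pos = body_end + 4
        if ctype == b"IEND":
            return names, crc_ok, pos
    return None  # no IEND chunk reached


def analyze_png(data: bytes, min_trailing: int = 64, entropy_threshold: float = 7.0) -> dict:
    """Report bytes trailing after IEND. A sizeable high-entropy tail is the signal
    worth escalating; a few stray bytes after IEND are usually harmless."""
    walked = png_walk(data)
    if walked is None:
        return {"is_png": False}
    names, crc_ok, end = walked
    trailing = data[end:]
    ent = shannon_entropy(trailing)
    return {
        "is_png": True,
        "chunks": names,
        "crc_ok": crc_ok,
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(ent, 2),
        "suspicious": len(trailing) >= min_trailing and ent >= entropy_threshold,
    }


# --- constructed sample data (not a real image from the post) ---
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """1x1 8-bit grayscale PNG: IHDR, one IDAT holding a single filtered scanline, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Stand-in for an encrypted blob: 512 bytes with a flat byte distribution (entropy 8.0).
FAKE_ENCRYPTED_BLOB = bytes(range(256)) * 2

CLEAN_PNG = make_minimal_png()
CARRIER_PNG = CLEAN_PNG + FAKE_ENCRYPTED_BLOB

if __name__ == "__main__":
    print("clean  :", analyze_png(CLEAN_PNG))
    print("carrier:", analyze_png(CARRIER_PNG))
```

The check is necessary rather than sufficient: a payload can also be stored inside a legitimate-looking ancillary chunk (tEXt, zTXt or a private chunk) or spread across pixel data, so in production pair it with a per-chunk size and entropy review and with network detection of the loader's download of an image from an unfamiliar host.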

I finally settled on a local general-purpose website. It includes several modules for the region, such as a forum, home decoration, car buying, second-hand housing and recruitment. I chose it because it has a recruitment module, which is very well suited to phishing: submitting a resume is a very plausible pretext for getting a file in front of someone.

However, a key question is how to get the victim to open the Trojan file willingly, without noticing the security risk, so that the session comes online. As a beginner with no phishing experience and no experts around me, I had to look for answers on the major forums. In the end I chose compression bundling.

The basic principle of compression bundling is to create a seemingly legitimate resume file and bundle the loader with it. When the victim downloads and extracts the file, they are likely to click through and view the resume without thinking, which executes the loader.

The advantage of this method is that it relies on people's habitual behaviour, namely downloading and extracting files, and on a routine action for anyone handling applicants, namely viewing resumes. By disguising the package as a legitimate resume, I can guide the victim to open it without suspicion, and so execute the loader.

The compression bundling steps are as follows. First, prepare a resume and the shellcode loader.

image

Then select both files together and, in the archive dialog that opens, choose "Create self-extracting (SFX) archive".

image

Then select "Advanced" -> "SFX options".

image

Under the setup section, enter the loader's file name in "Run after extraction".

image

Select "Modes" -> "Silent mode" -> "Hide all".

image

After the archive is created, the final file is obtained.

image
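The self-extracting archive produced by the steps above is an ordinary executable stub with the archive appended after the last PE section, a region the PE loader ignores (the "overlay"). The following is an added triage check, not code from the post or from WinRAR, that locates the end of the PE image from the section table and reports whether the overlay starts with a known archive signature. The stub PE and the appended RAR5 header are constructed inline for the demo.

```python
"""Added defensive check: detect an executable with an archive appended as a PE
overlay, the layout used by self-extracting (SFX) archives. The stub PE and the
appended archive header below are constructed for the demo."""
import struct

ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"Rar!\x1a\x07\x00": "RAR4",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
    b"PK\x03\x04": "ZIP",
}


def pe_image_end(data: bytes):
    """Offset where the last PE section's raw data ends, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    coff = pe_off + 4                                          # IMAGE_FILE_HEADER
    (nsections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    sect_table = coff + 20 + opt_size
    end = sect_table + 40 * nsections                          # headers at minimum
    for i in range(nsections):
        hdr = sect_table + 40 * i
        if hdr + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end


def scan_overlay(data: bytes) -> dict:
    """Report overlay size and whether it begins with a known archive signature."""
    end = pe_image_end(data)
    if end is None:
        return {"is_pe": False}
    overlay = data[end:]
    kind = next((name for magic, name in ARCHIVE_MAGICS.items() if overlay.startswith(magic)), None)
    return {
        "is_pe": True,
        "image_end": end,
        "overlay_bytes": len(overlay),
        "archive_type": kind,
        "sfx_like": kind is not None,
    }


# --- constructed sample: a minimal PE skeleton with one section, then a RAR5 header ---
def make_stub_pe() -> bytes:
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, 1 section, PE32+ optional header size
    opt = struct.pack("<H", 0x20B) + b"\x00" * 238                  # Magic = PE32+, remainder zeroed
    section = (b".text\x00\x00\x00"
               + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
               + b"\x00" * 16)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\x00" * (0x200 - len(headers))                     # pad up to PointerToRawData
    return headers + b"\xC3" * 0x200                                # section body: 512 bytes of "ret"


STUB_PE = make_stub_pe()
SFX_LIKE = STUB_PE + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 100  # RAR5 signature plus filler as the overlay

if __name__ == "__main__":
    print("plain PE :", scan_overlay(STUB_PE))
    print("SFX-like :", scan_overlay(SFX_LIKE))
```

An overlay on its own is not a verdict: Authenticode signatures live in the overlay, and many legitimate installers are SFX archives. What makes the sample on this page stand out is the combination of an archive overlay, a "Run after extraction" directive, silent mode, and delivery as a "resume" over an instant-messaging channel, so the overlay check belongs in a pipeline alongside the filename and context checks.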

However, the generated file is an exe, so I used the Unicode RTLO (right-to-left override) trick to construct a disguised file name. In local tests, double-clicking it brought the session online successfully.

image
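The RTLO trick relies on a bidi control character (U+202E) that makes the file browser render the tail of the name reversed, so the real extension is hidden while the OS still uses it. The following is an added detection helper, not code from the post, that flags bidi control characters in a file name, recovers the true extension from the raw string, and shows roughly what the name would be rendered as. The sample names are constructed for the demo.

```python
"""Added defensive check: spot Unicode bidi override characters (the RTLO trick)
in file names, recover the real extension, and approximate the rendered name.
Sample names are constructed for the demo."""

BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "lnk", "msi", "ps1",
}


def find_bidi_controls(name: str) -> list:
    """(index, abbreviation) for every bidi control character in the name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def strip_bidi_controls(name: str) -> str:
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """Extension the OS actually uses: taken from the control-free raw string."""
    plain = strip_bidi_controls(name)
    return plain.rsplit(".", 1)[1].lower() if "." in plain else ""


def rendered_name(name: str) -> str:
    """Rough visual rendering: text after U+202E (up to a U+202C) is shown reversed.
    Real bidi layout is more involved; this is enough to explain the disguise."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            j = name.find("\u202c", i + 1)
            j = len(name) if j == -1 else j
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif name[i] in BIDI_CONTROLS:
            i += 1          # other controls are invisible; drop them from the rendering
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def check_filename(name: str) -> dict:
    controls = find_bidi_controls(name)
    ext = true_extension(name)
    return {
        "raw_repr": ascii(name),        # escapes the invisible characters so logs show them
        "has_bidi_control": bool(controls),
        "controls": controls,
        "rendered_as": rendered_name(name),
        "true_extension": ext,
        "suspicious": bool(controls) and ext in EXECUTABLE_EXTENSIONS,
    }


# Constructed samples: an RTLO-disguised executable name and an ordinary document name.
DISGUISED = "resume\u202efdp.exe"   # renders roughly as "resumeexe.pdf", runs as .exe
ORDINARY = "resume.pdf"

if __name__ == "__main__":
    for n in (DISGUISED, ORDINARY):
        print(check_filename(n))
```

A mail or chat gateway can reject or quarantine any attachment whose name contains a character from BIDI_CONTROLS; there is no legitimate reason for one to appear in a file name, so the rule has a very low false-positive rate. Logging `raw_repr` rather than the bare name matters, because the raw name would otherwise be rendered with the same disguise in the analyst's console.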

The problem is that when the file is sent through WeChat, it is displayed as an EXE, and the file name constructed with the RTLO trick is garbled after download.

image

What could I do about this? There was no time to study how to bypass WeChat's detection mechanism. I also tried starting a service on the VPS so that HR could download the file from the server, but is that really feasible?

Later I could think of only one approach: wrap the bundled Trojan in another layer of compressed archive, which makes the package seem more reasonable to HR. After they extract one layer they still have not got the resume, so they need to double-click to open it again; this sequence feels more natural. To "protect personal privacy", I also set a password on it.

image

So the process is now: send the Trojan resume to HR -> HR receives the Trojan resume on WeChat -> HR extracts it and gets the password-protected "resume" (actually the bundle) -> HR enters the password to extract it -> the loader is triggered -> the session comes online at my C2 -> HR gets the resume file.

Phishing begins

When I clicked on the resume submission, I found that the site does not support uploading your own resume; one can only be written on the site itself... Just when I was at a loss, I saw a customer service QR code on the site's homepage, so I tried adding the customer service account on WeChat. Perhaps because it was an enterprise WeChat account, nobody paid any attention to me for a long time after I added it.

image

After lying flat for a day, I continued to look for prey. At noon the next day I found a tiny QR code at the top of the recruitment module on the target site. I scanned and added it immediately, and the WeChat friend request was accepted in the afternoon. That gave me a sense of victory; after all, this is an important step in phishing.

I quickly sent a message to the target and waited for a response. Unexpectedly, the other side replied very quickly!

image

Then I prepared the resume as described earlier, set the extraction password, and packed the loader together with the resume. I tested it locally: double-clicking and entering the password brought the session online successfully. Saying a prayer for myself, I sent the "resume" to the customer service account.

image

Next I waited anxiously, staring at the C2 console and hoping to see a new session come online. But minute after minute passed, two hours went by, and I still did not see any session come online.

I started to wonder whether something had gone wrong at some step, whether my AV-evading Trojan had been detected, or whether some other problem had occurred...

When I sent another message to prompt them, the console finally showed a new session coming online. I confirmed it: the customer service account had indeed extracted the file I sent and come online. So I started a happy round of information gathering.

image

image

Experience and Summary

  1. In social engineering, the most important thing is to accurately identify the key person. This phishing operation failed because, during the subsequent information gathering, I found that the target was using a personal PC.

  2. When phishing, it is best to cast a wide net; but for targeted phishing, you must establish the other party's identity before carrying out the social engineering.

  3. In future I will look into other bundling techniques and Word macro Trojans, because the bundled Trojan I used stays in the folder after extraction, and I have not found a suitable place to hide it, which makes it quite conspicuous. In addition, immediately after coming online I also need to perform process migration, to stop the other party from simply killing my shellcode in Task Manager; otherwise the operation fails.
