Red Team Diary, Entry #3: Custom Malware Development (Establishing A Shell Through the Target’s Browser)

Hi there,

This is Dimitrios Bougioukas, Director of IT Security Training Services at eLearnSecurity.

Our series of (red and blue team) posts continues with the third entry of the Red Team Diary. Everything you will read below is part of our Penetration Testing eXtreme course. A course oriented solely towards red team operations.

In this post I will demonstrate how you can develop your own custom malware that establishes a shell through the target’s browser. We chose to abuse the target’s browser so that any traffic back to us will look like legitimate web page browsing.

During our custom malware development activities we will repurpose BeEF’s bind shellcode, modify BeEF’s (0.4.7.0-alpha) backend and also leverage AutoIt.

BeEF Bind Shellcode Background
BeEF’s bind shellcode is used to establish a shell through a target’s browser. It was originally created for inter-protocol exploitation scenarios. This means the target should not only have specific software installed (where BeEF’s bind shellcode exploits apply) but he/she should also install a malicious browser extension, which would bypass port banning, among other things. Too many requirements …
The attack’s stager and stage payload are contained into BeEF’s Eudora Mail 3 and Active Fax 5.01 exploits.

Our Version of the Attack
We will modify BeEF’s Eudora Mail 3 exploit and create a variation of this attack, which applies on all social engineering cases and doesn’t require any installed software or browser extension from the target. We will actually create and send a malicious executable that will inject the attack’s stager into the target’s memory. Then, we will manually send the attack’s stage payload, using BeEF.
This way, we free ourselves from the requirement of specific software and a browser extension being installed on the target. Note that everything will occur from a single attack vector.

All the attack stages are depicted in the following diagram.

Our custom malware will perform the below steps:

[3a] Spawn a hidden Firefox instance that will automatically visit an attacker-controlled web page serving BeEF’s hook.

[3b] Fetch BeEF’s bind shellcode from a remote attacker-controlled resource and inject it into the target’s memory (the selected port is now bound)

[4] Receive the stage payload (sent by the attacker) through the (hidden) hooked browser

[5] Receive commands to be executed and send their result through the (hidden) hooked browser

Let’s start developing our malware…

Step 1: The first step is to copy BeEF’s bind shellcode modules from /beef/modules/exploits/beefbind/shellcode_sources/msf to the appropriate Metasploit (MSF4) folders (on kali rolling you can find the Metasploit folders on /usr/share/Metasploit-framework/…). This way you can use the Metasploit framework to not only generate BeEF bind shellcode stagers in multiple formats but also for re-encoding or removing bad characters.
Now, that BeEF’s bind shellcode modules are inside Metasploit, you can create stagers in multiple formats, using numerous ways of encoding. We choose to use PowerShell and reflection in order to minimize the on-disk footprint (psh-reflection format).

More specifically:

All you have to do is follow the instructions placed in /beef/modules/exploits/beefbind/shellcode_sources/msf/instructions.txt
With BeEF bind shellcode modules inside Metasploit, you can use msfvenom to create the attack’s stager.
By executing the following command, you will create a PowerShell based BeEF bind shellcode stager, which is also A/V resistant since it leverages .NET’s reflection capability. The psh-reflection format leverages .NET’s reflection, so there is no need for a temporary .cs file to be dropped for dynamic compilation.

Step 2: As already mentioned we will need to spawn a hidden Firefox instance that will visit an attacker-controlled web page serving BeEF’s hook as well as inject BeEF’s bind shellcode using PowerShell and reflection. Let’s automate all the above. We will utilize AutoIt for that. AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting.

Once you install AutoIt, open a notepad and write the following AutoIt script. Then, save it as a .au3 file. Finally, right click on it and select “Compile Script (x86)”.

https://gist.github.com/anonymous/09f10cdb5d9b0bae4755850273083fd2

In this case we knew the target uses Firefox Developer Edition and that PowerShell v1 wasn’t uninstalled. As always detailed and thorough reconnaissance is key for stealthy Red Team Ops…

The AutoIt script above performs the following:
1. Targets Firefox Developer Edition. On $path you should enter the Firefox’s path.

2. Uses the 32bit version of PowerShell v1 ($path1).

3. Spawns a Firefox browser and loads a web page using ShellExecute. Once Firefox is spawned, it is hidden in the background via the WinWait and WinSetState commands. Actually, those two commands instruct the target’s computer that whenever a window comes up with the title “Firefox Developer Edition” (the default title of Firefox Developer Edition), put it in the background and keep it running.

4. PowerShell is called using ShellExecute and the stager you created in Step 1 is loaded and executed in the target’s memory.

Step 3: It is about time we modify BeEF’s backend for our attack purposes.

First, modify BeEF’s Eudora Mail 3 exploit so you can manually send the attack’s stage payload on port 4444 that the stager bound. Navigate to: /beef/modules/exploits/beefbind/beef_bind_exploits/eudora_mail_beef_bind/ and replace command.js with the following version of command.js.

https://gist.github.com/anonymous/a1befcd2a0acf8fed62aa854e05e0d88

The altered command.js above simply skips the if(stager_successfull) check of the original version and enables us to manually send the attack’s stage payload. This will still work, since our own version of the attack’s stager will make the target able to receive the stage payload. Be reminded that our attack lifecycle does not have any specific software or browser extension requirements.

The attack in action…

Once the target executes the AutoIt-derived executable, port 4444 will be bound on his machine and a hidden browser will load a web page with BeEF running underneath. Now, to send the attack’s stage payload using BeEF perform the following:

Select the hooked browser and click on the Commands tab. Then on the Module Tree, click Exploits, BeEF_bind and Eudora Mail 3. On the Target Host, enter the target’s internal IP (you can identify it using the two Get Internal IP modules of BeEF). On BeEF Host enter BeEF’s IP, if you are delivering an internal penetration test, or the web page’s domain name, if you are delivering an external penetration test. Also change BeEF’s port if you have changed it through the config.yaml. Finally, click Execute. This will send the attack’s stage payload on the target’s 4444 port.

To send commands for execution on the target machine, on the Module Tree, click Exploits, BeEF_bind and BeEF bind shell. On Target Host enter the target’s internal IP and on Command, enter the command you want to be executed and have its results returned through the target’s browser. Finally, on BeEF Bind Shellcode choose Windows and click Execute.

Congrats! You established a stealthy shell through your target’s browser!

The above custom malware is just a Proof Of Concept. Serious browser-based payloads utilize ActiveX controls (such as Metasploit’s PassiveX payload) or IE COM objects (such as https://www.mdsec.co.uk/2019/02/external-c2-ie-com-objects-and-how-to-use-them-for-command-and-control/).

Until next time, keep hacking …

📝 Read this story later in Journal.

👩‍💻 Wake up every Sunday morning to the week’s most noteworthy stories in Tech waiting in your inbox. Read the Noteworthy in Tech newsletter.

Director, IT Security Training Services @ Hack The Box