
BG - Writing Malware Without Writing Code - Gal Bitensky

BSides Las Vegas · 29:57 · 346 views · Published 2017-08
About this talk
BG - Writing Malware Without Writing Code - Gal Bitensky Breaking Ground BSidesLV 2017 - Tuscany Hotel - July 25, 2017
Transcript (en)

This is Breaking Ground and we have Gal with us, and he will be talking on writing malware without writing code. So it's time. Gal: Hi, thank you for staying up so late. What we're about to see today here is a very nice experiment I did. I needed to answer some of my own questions when I tried to think about what I wanted to write this year for the CFP, and I ended up with this nice project I call Lazy Ass. Likewise we have this image over there. This talk is about my experiment of writing malware purely by copy-pasting stuff. The only thing I did which wasn't copy-paste was the main loop.

We'll go for it as we proceed. OK, so a bit about the outline of the talk: we'll look a bit at examples of in-the-wild code paste, really short, go through this example, we'll do an intro to Lazy Ass, as you've seen this nice fella, and then we'll talk about the results. I've actually tested this malware against all types of AVs, next-gen, old-gen, quantum-computing-gen, whatever-gen, and I'll talk about the results a bit. OK, so a bit about myself first. I'm a 29-year-old geek from Tel Aviv. I work for a company called Minerva Labs; you can google it if you want, you don't have to.

I have experience with tons of stuff. I did some [inaudible] stuff, some... everything you can think about, scripting, whatever, you name it. I'm fluent in terms of exotic languages like C#, Ruby, Perl and Arabic. Are there any Arabic speakers here? [greeting in Arabic, not captured by the transcript] Did I do it correctly? Yeah, yeah, OK. So let's proceed. Now if you want to ask me anything, that's my Twitter handle; feel free to contact me, I'll be glad to answer any questions. OK, so why are we here talking about this copy-paste, no-coding malware? We have examples of this exact thing from our daily life,

where we have code which comes from good guys to bad guys. We have pafish as an example. How many of you know pafish, the Paranoid Fish? It's a good tool for detecting sandboxes and VMs, and we had a case of an Iranian APT group called CopyKittens, which just copied and pasted stuff, and they actually took the entire code of pafish and embedded it into their malware. Good guys' code going to bad guys' code, best example. Yeah, you've guessed it: AtomBombing. The guy who did AtomBombing is just right now in the Underground across the hall. It was adopted by Dridex, and they say that Dridex used it before. I am no judge,

judge for yourself, a horrible case in my opinion. Of course there are all those Stack Overflow and... we'll get to seven of those websites which are great, great places to find how to code malware, and also adaptations of bad guys' code to bad guys' code. They have all kinds of forums, Russian mostly. I've learned how to read Russian from those forums a bit; I can say "oh, it's not a Jabber server up there," and yeah. So they just copy-paste code in between them; it's just the simplest injection you can think about down here. And of course we have bad guys' code to bad guys' code: Carberp and Zeus,

the source leaked, and well, once the source is leaked everybody is using their techniques, and you can guess how the rest of it goes: the backdoor is rebuilt and the technique is adopted by others, etc., etc. And just a third category, Hidden Tear, I like to call it a category where it's not bad guys, but they're actually bad guys because they created ransomware for educational purposes, and I think that you have dozens of crappy sources for the world's ransomware which is Hidden Tear, and any kind of package you can think about. Again, copy-paste and repack, and bad for us. So how I came

up with the idea to build Lazy Ass: as I said, I thought about what I'm about to write this year for the CFP. I wanted to be here in Vegas, and the only way I could get this trip was if I had a good talk and then I'd convince my employer to send me here. So I had all those facts, and we're living in a world where there's a large conversation: is next-gen the best option? Is it easy to bypass everything? Bypass this one, bypass that one. Well, I don't like all of those stupid questions with no answer. I just wanted to add my own real answer,

which is a result of an experiment. So I declared this talk a cheese-free zone: no cheesy statements will be thrown here, only results of actual research I did in this case. So I decided to be lazy-ass. I took copy-paste art to the extreme and I created a malware built entirely out of copy-pasted code. We'll see it, sure, don't worry. First I thought about what I wanted to have in this malware. You can see it's just a shopping list of any malware you can think about. Well, yeah, I just wanted to have everything in it: it's a RAT, a wiper, a banking trojan, whatever. And then I thought about a few ground rules.

First, do no harm. We are the cavalry, as you know, we have this track over there. I don't want this malware to do bad to anyone. I don't want to be the next Hidden Tear, I don't want to be the next AtomBombing. I actually had serious moral issues with myself about it, so it was compiled into a console app: you have a visible console. And the malware at the moment has some bugs I am aware of which are not easy to spot, but they will crash the malware. I didn't fix them on purpose, so be aware that it is not

perfect, as a result of my will not to make it perfect. So don't use it; just enjoy the experiment. So I started with doing only copy-paste, but then I understood that I needed to make a main loop. The main loop is the only thing which I didn't copy-paste, and well, it went perfectly, so I stuck to it. Other parts are sometimes slightly modified; in some cases I took some C and C++ functions and changed a string type so it would compile, which was one of the most challenging things in this project, but nothing more than

that. I loved to combine different sources in one function; I could nest my logic. It was a lot of fun, I had a lot of fun. What about technology? I wanted to use... I had Python, .NET, and each one of those has its own advantages. In the end I selected a combination of mostly C and C++ and a bit of VBScript, and also a bit of batch, because I allowed myself to do a system() call to CMD. That just makes... it's just the same, it's copy-pasting stuff, I just wrapped it with a nicer system call. And yeah, so a bit about the

scope of the test before we dive in. I didn't handle the infection vector, again because I don't want to create the next APT, and because it just doesn't really matter. We have amazing frameworks which are pretty simple; you have Veil and other stuff, you can have a PowerShell cradle to download it. It's not that interesting; those frameworks are amazing, I love them, they're simple and working, so it doesn't really matter. It doesn't mean that I am being lazy, because if I had, for example, used PowerShell I could have loaded my DLL directly from memory and been even more stealthy. I didn't want to; I just wanted to test it as plain as it can

be. I didn't check it against any kind of network security products because I didn't want to have this enormous setup only for this talk. And also, yeah, sorry, yeah, that's all. So as a base for my malware I used a reflective DLL loader. I guess that many of you already know this project; it's the most basic reflective code injection project. You have an inject.exe and you have a DLL which can be injected. The injector injects it into itself or into any other process which is injectable, which means it has the same... you have the privileges to inject into it. Very simple. I just

inject it. In my experiment I injected the DLL into myself, and I contacted the C2 server and just got orders, what you might expect any normal malware will do. I got orders over HTTP and I exfiltrated the files over FTP, and we'll see it up next. And again, everything was dead simple; everything you can think of you can copy-paste from GitHub or from Stack Overflow, as I did. Um, this is actually my C2 server. Yeah, I also copy-pasted my C2 server. This HTML over here is my main C2 server; you can see the 301 over here, this is the opcode. The malware browses to this website over HTTP and,

depending on this number, the opcode, that will be executed. There's this part of the main loop, you can see 310, 311; the guys in the back can't, but it's just again very simple, and I even copy-pasted the C2 server. Let's go through some of the modules; yeah, we have plenty of time. And that's absolutely the strangest: the screen grabber. It's the best case for why building this stuff is dead simple. I stumbled upon a library which is called GDI+. How many of you know what GDI+ is? Yeah, I see no hands. I also don't know what GDI+ is, so

instead of going through all of this Microsoft documentation to understand what GDI is and what the functions are and how they can be called, no, I just went to this GitHub gist and I just cut and pasted the snippet, and I had a screen grabber module. Amazing. It took me about 15 minutes to find the snippet and afterwards it took me about 15 seconds to copy and paste it and compile it. By the way, the entire process of writing this malware took me about, I think, 48 hours, and most of the time was about compiling C and C++ together. So yeah, yeah, that was a

major struggle for me. And just another good example, the keylogger. Well, I just went for the simplest keylogging you can think about, the most straightforward implementation; actually it was the first result on Google for "how to C++ keylogger". Right, to dumb it down as much as possible, I simulated the process that a malware writer will go through if he has no expertise, or maybe he has and he tries to do something easily and cheaply, first without... on Google. And the same applies for FTP exfiltration. Again, guys in the back, I think it's a bit too small for you, but I just searched "how to FTP

upload" and this was the first result. And I tried to be a bit cheeky here, so I took an FTP implementation, sorry, a VBS implementation of how to upload over FTP, and I thought it would have a good reputation because a lot of IT guys may be using it, and it actually worked quite well. Also, here is an example of the kind of adaptations I was obliged to do. I don't know if you can see it, but you have the username and password over here, and the address of the server. Of course those are parameters that I needed to edit; I can't copy-paste the address of my

C2 server, of course. But also there was another challenge: I needed to combine escaping for C++ and VBS together. I don't know how many of you know, but in C it's backslash-quote in order to escape a quote, and in VBS it's three quotes, so when I integrated those together I needed backslash-quote backslash-quote backslash-quote for each quote. Major challenge, but one of the most challenging things in this project. Now, ransomware. Let's think a bit. I have, of course, a ransomware module. Let's think a bit about what ransomware is: it's going through all of your files and then encrypting them. Going through the files:

yeah, I found a very simple implementation which uses FindFirstFile, FindNextFile, etc. Again, the most basic "how to recursively find files C++", amazingly simple. And then you need to encrypt the file, so I searched "how to encrypt a file" and Microsoft to the rescue. Yeah, by the way there's an arrow over there; you can see that it's an example C program and then you have a C++ program, but who cares, it works. Yeah, I found an error on MSDN, good for me. And again I have the benefit of this being very legitimate code; I think there are a lot of legitimate products copy-pasting it because, well, it's

the MSDN example of doing it. Everybody there is copy-pasting from MSDN, malware writers as well, I guess; this is my case. And this is where I got a bit more creative. I searched for how I can trigger a boot loop. I found this, again from Server Fault. No time for the answer in this case; I went to MSDN and then I found that I can copy-paste some of the parameters this way. So I don't know how many of you can read it from the back there, but this line is just creating a scheduled task to reboot your machine every minute. Yeah, and it starts to count a minute from the moment

that Windows starts up, so you don't have time to enter a password or something. You have no chance besides using a live CD, and if you have an encrypted hard drive it will just brick your machine, effectively. Again, simply by pasting stuff. I actually tried it on my own machine by mistake. Yeah, I was lucky enough to have it on... not my dev machine, but a stupid machine which didn't have that kind of encryption, so I was able to... I renamed shutdown.exe to another thing and then I won. So yeah. BSOD: it was the most difficult one to implement. I just wanted to have

the ability to trigger a BSOD on my victim. It was the hardest copy-paste job. Why? Because it was from YouTube, so I needed to actually write it down. Yeah, yeah, it took me like five minutes, and then five more minutes to understand how to import ntdll into my project; again, that was pretty simple. So now I even have the ability to trigger a BSOD. Anti-VM and anti-sandbox and whatever: I just copy-pasted pafish again, pafish which I talked about before, and it's a really good project. The CopyKittens from the third slide also used it. This is from VirusTotal; they also changed it a bit. They access the URL

in the picture, and the function in pafish which detects VMs, once it discovered that it was in a VM, its ID over here, reported back to the server this way by contacting this URL. Yeah. I, unlike a real malware writer, did a bit of a trollish thing, yeah, nice animation, and instead of quietly terminating as real malware writers will do, I just did a nice little trick. Go into the repository and check it out; I'm not going to spoil it for you. Yeah, persistency: the simplest persistence method you can think about. There are tons of persistency mechanisms; I tried to go as simple as possible. I just went to the registry, and yeah, you

know it, there's no reason to do anything else. I actually did user-scope persistency instead of going to HKLM because I didn't want to rely on the fact that I'm an administrator. So yeah, and now to movie time. This is a really quick talk so we're not going to do it live, but it's going to be as good as live. This is the victim; it's a bit clipped on the side but it doesn't really matter. And you click it like this, yeah, yeah, and I am double-clicking right now in the movie on inject.exe. The DLL is loaded into itself; it's now in no-op mode. I'm changing 301, which is

no-op, to 302, which is demo mode: pop up a window. And now we're going back to the victim, a window pops: "Lazy Ass is in the house." Yeah, we can know that OK, we have communication, everything is OK right now. Let's go further, let's try something more interesting. 308. 308 is keylogger, and now I start a keylogger. You can see that in the temp folder there's a local keylog right now which is being written; it's perflog.txt. It's very small, you won't be able to see it, but now I'm browsing to Hack Me Bank, which is just like Acme Bank but even better, my favourite bank. In the meantime

the attacker wants to know, hmm, I wonder where my victim browsed to. So he changes the opcode to 306, which is "bring me the keylogging file". It's exfiltrated; you can see that the previous script is written for a second, then it's deleted, after a second deleted. And let's go back to the attacker. The attacker has the exfiltrated file perflog.txt, and you can see Hack Me Bank. Surprise, surprise; again, it's not surprising because it is simple, it is working, there's no reason why it shouldn't be. And now if we want to verify that he actually browsed the website, he's changing the opcode to 311, which

is take a screenshot. Again, simple, screenshot taken. And yeah, now, OK, I have what I want from this victim, let's just now troll him a bit. I'm triggering the BSOD, opcode 312, and voilà, BSOD. Yeah, yeah, yeah. Ladies and gentlemen, Lazy Ass. Yeah, no, it's just the first part. Let's talk business. When I wrote this talk I wanted to speak about all the vendors out there. I thought that I would name them like Yellow, Rare, Teal, Green, Quad Color, and nobody would ever guess who those vendors are, nobody would sue me. Yeah, nobody will guess who Quad Color is. But then I read this blog, I don't know how many of

you did, but they have this nice paragraph about how all the vendors, at least the next-gen vendors, had serious legal issues with the attempt to bypass or to prove that next-gen solutions are not perfect, and this kind of made me afraid and I didn't want to go all the way through it. So I'm not going to name any names, but it doesn't really matter. I ran all of it, of course, all the modules, etc., but it doesn't really matter because the test setup is the simplest you can think about. This is the template which I created for any vendor to be tested, and I thought about, yeah, you know

how you make those presentations: you make this template, then you duplicate the slide 12 times and then you edit afterwards which module was prevented and detected and which wasn't. And this is the table I got from my test. Green means the AV didn't detect anything; next-gen, old-gen, whatever-gen, it was just bypassing everything. And it was a real shock to me. I knew that it would bypass most of the stuff, but it was really shocking for me, so I didn't need any more than those slides, and I'm still shocked a bit, sorry. A couple of the vendors detected it; it's actually a funny story. In

the interesting results section, I had one case where the next-gen actually detected it. Oh yeah, the first one is even more funny, because I had the inject.exe, I slightly modified it, and then suddenly one of the vendors detected it as malicious because it had bad reputation. The inject.exe, the original one, has amazing reputation because it is on tens of thousands of endpoints all over the world, I guess. So once I changed it, it doesn't have the same reputation. I guess that their AI can only... it is hash-based reputation, an awful, awful way to do stuff. Another interesting thing: one of the next-gen vendors actually detected my inject.exe as malicious, so I

just took the DLL which is injected and compiled it as an executable. I replaced the DLL entry point, switched it to be the main function, and yeah, again I win. Again, very surprising, very upsetting. And well, let's go to the insights part. Now I could answer my own questions: is it that easy, you know, to bypass all AVs? Can I just copy-paste my way to glory? So a five-year-old can copy-paste stuff and do some serious damage, but doing it right, compiling it in a complex C/C++ combination, adding batch and VBS, this requires skill. I have experience both as a dev

and as a researcher for years now, and if I didn't have my experience both as a dev and as a researcher, knowing how to avoid AVs on one hand and on the other hand how to compile this, knowing the wstring/TCHAR combination, I wouldn't have succeeded in this mission. It wasn't as easy as you might have guessed. And my most important takeaway out of this talk: yeah, next-gen is cool, it is great, it works, but it has issues. It is not perfect. It doesn't prevent a hundred percent of the malware. For example, this malware is one of the simplest malwares that you can build and it didn't detect it. This

[unclear] to detect. Next part: advice for blue teams. How many of you consider yourselves blue teamers? I am too; oh, by the way, I'm also a blue teamer, at least in my day job, and we need to solve it somehow. And my best advice is having a defense-in-depth security approach and having multiple products, one to cover the network, one sandbox. This malware, which was fully written in plain code, will trigger any kind of sandbox flag you can think about if it is statically analyzed. I used no obfuscators, nothing, by the way; it was just copy-pasted and compiled. And well, you need to have

multiple security products to cover the gaps. This is my advice for blue teams, and this is the [unclear]. You can take pictures of it; you can get the code if you want, I don't care. Yeah, of course there's a disclaimer on the website: use it for good. It has bugs, so if you do this for bad stuff you'll get caught; I'm all good with it. And also pictures, OK, and there's the credits thing, yeah. And we can actually go to the questions. I have a... there's the repo, you have the URLs and everything, and yeah, that's actually it. And I have a slide for credits; yeah, everything is

on the repository. It's OK, yeah. And yeah, let's skip directly to the questions. Oh well, we can take one question, OK, and if we have time we will take another. OK, you can feel free to approach me on Twitter or something. Questions? Thank you. I mean, we all are as busy as you. Thank you all, thank you.