Moving on the Fileless Content
And demystifying malware classifications
So, I just saw a video by Vice—and I think we have all heard of George Ouzounian, also known as Maddox. You know how ‘spicy’ he can be, right? But the title of this YouTube video is ‘Teenage Hackers have Cyber Weapons as Powerful as Nation States.’ Kind of like a glorified shitpost.
Probably not as good as nation states, but if you actually did your history, you’d know that more and more Advanced Persistent Threat (APT) groups have been having side hustles. It’s been known that a Chinese member of an APT group—I believe APT41—also had a side hustle in kernel-level cheats, because modern PC game cheating requires you to live in the kernel to hide your kernel exploits and cheats from kernel-level anti-cheats like BattlEye or Easy Anti-Cheat.
And this kind of tool sharing... well, I wouldn’t call it direct tool sharing, but you also see ransomware groups starting to use implants such as PlugX, which was originally Chinese. There is the legitimate PlugX Trojan, and then there are obfuscated crypters that tend to be modular and exhibit behaviors that get classified under the Chinese APT41 PlugX Trojan. So, there are legitimate nation-state Trojans like PlugX, which are designed to be modular, and then there are copycat ‘wannabes’ that may not be as capable, but do have obfuscation attributes very similar to PlugX.
So, if you drop malware that can stealthily load ransomware, information stealers, Cobalt Strike beacons, Metasploit Meterpreter shells, Brute Ratel Badgers, or Empire Grunts, and can consistently evade detection, or at least polymorphically, at compile time, make itself relatively difficult to detect, you can actually fall under the generic Chinese APT41 classification of PlugX. That does not mean that you actually have PlugX. It just means that you have a modular Trojan that can do these things.
As I demonstrated in my blog, as long as it’s native code, you can convert it into shellcode. So, you recompile your original code into a DLL, and then you can use Monoxgas’s Shellcode Reflective DLL Injection (sRDI) to make a self-memory-allocating shellcode runner (or loader, as it is called). And we have discussed various tools and tricks for loading it filelessly and injecting it into another process—including a process that we briefly control when dealing with EDRs—like starting the target process in a suspended state before injecting into it.
And why am I talking about this? Well, first, I had to explain why this happened. Two, I wanted to say why my content looks very, very novel. It’s not. I’ve been sitting on these techniques for years and merely modernized them in, like, a few days.
And what can it do? So, when you fire an implant, cyber weapon, or exploit... for example, previously I talked about a simple exploitation chain, right? A binary exploit that can pop Notepad through an ASLR bypass and a Data Execution Prevention (DEP) bypass via a ROP chain can technically call shellcode that doesn’t necessarily spawn a Meterpreter shell. And these days, it is relatively easy to do this, especially with the ability to create native shellcode. Although I’ve yet to talk about Donut and intermediate-language shellcode like .NET, we’re going to stick with native shellcode.
So, if I can execute a stack pivot, then instead of just running a simple command like popping Notepad (I don’t even have to load a Metasploit Meterpreter or a Cobalt Strike beacon), I can alternatively chain three calls. At a minimum, you need a VirtualAlloc to allocate the memory page that will hold the second-stage shellcode and hand back a pointer to it. And like I said before, on modern Windows machines a page is four kilobytes (4,096 bytes). Then I change the protections to either Read-Write-Execute (RWX) or Read-and-Execute (RX), and then I can call CreateThread, or CreateRemoteThread for remote injections.
After I do this, I can start up my previous ‘Infinity’ AMSI bypass with what I call ‘Globex Gate,’ which is a universal gate method to continue proxying malicious API calls using direct or indirect syscall methods. And that’s what I was hyping up.
But let’s go back, because I told you all that maybe I should be making demonstration videos of how this works, giving actionable code, okay? Because we’re talking about this okay-ish video by Vice (Cyber War | Blueprint) titled ‘Teenage Hackers have Cyber Weapons as Powerful as Nation States.’
How do you get this powerful? So, previously, I just said that we can change Notepad from loading a Meterpreter shell to loading my Infinity AMSI bypass, then a chain of dynamically invoked binaries, ransomware, and info stealers, with the ability to do signaling through registry changes (mentioned in my previous articles)—which can ultimately result in a persistence method: a persistent, privileged Cobalt Strike beacon, or any kind of beacon that you want to send more commands to. Okay?
So that’s why I said maybe we should just stop right here—even though I am capable of doing, and have done, much more advanced attacks, by the way. We’ve got to stop right here and start doing some demonstrations.
First, we jumped from natively compiled malware dropped on disk to obfuscated malware, right? So I already showed you static code for the AMSI bypasses, but I’ve yet to show you the dynamic debug code. So, we’ll show you how to set a software breakpoint in C#/.NET, because we used DynamicInvoke to call native shellcode from a higher-level language. And it’s important that you don’t add additional lines below your DynamicInvoke call. Does that make sense? Otherwise, you do have a detectable signature. But debugging a native shellcode runner by itself does not trigger detection.
Two, we need to give you a static observation of how ‘Globex Gate’ actually works. So, I’m gonna have to spin up another machine. Some antivirus software trials have the ability to detect injection attempts or to flag specific syscalls. I believe it’s called Bitdefender; the trial version works, or you can get the Pro version and it will stop injection attempts. And we’re gonna show you how to bypass that without using Sector7 content.
Because the key difference between Globex Gate and other gate methods is that you need to be able to reverse engineer your payloads. If you didn’t write the payload yourself and it’s abstracted away—like a Cobalt Strike beacon, which is commercial source code—then you need a means to find those API calls beyond static analysis (like dumpbin /imports), because more API calls can be resolved at runtime through GetProcAddress, wrapped around GetModuleHandle or LoadLibrary, for example. So we need several steps, and the best way we can do this is using Tiny Tracer, which is an Intel Pin tool.
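Both the three-call loader sequence (allocate a page, make it RX/RWX, start a thread in it) and the runtime API tracing with Tiny Tracer are what a defender looks for on the blue side of this. As an added example that is not the author's code, and that does not use Tiny Tracer's real output format, the Python below scans constructed API-call trace lines for exactly that sequence and reports the calling process; the pids, addresses and line format are constructed, while the argument orders and protection constants are the documented Win32 ones.

```python
import re
# Documented Windows page-protection values; the two the text names.
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40  # RX, RWX
EXEC_PROTECTS = {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx"}
PROTECT_APIS = {"VirtualProtect", "VirtualProtectEx"}
THREAD_APIS = {"CreateThread", "CreateRemoteThread"}
# Constructed line format: "<pid>;<api>;<hex args, comma-separated>;<hex return value>".
LINE = re.compile(r"^(\d+);(\w+);([^;]*);(\S+)$")

def parse_trace(lines):
    """Yield (pid, api, [int args], int ret); lines that do not match are skipped."""
    for ln in lines:
        m = LINE.match(ln.strip())
        if m:
            args = [int(a, 16) for a in m.group(3).split(",") if a.strip()]
            yield int(m.group(1)), m.group(2), args, int(m.group(4), 16)

def detect_injection_chain(lines):
    """Return {pid: chain} for callers whose trace shows allocate -> executable
    protection -> a thread started inside that region (Ex variants have a leading hProcess)."""
    regions, hits = {}, {}  # regions: (pid, base) -> {"size", "exec", "chain"}
    for pid, api, args, ret in parse_trace(lines):
        off = 1 if api.endswith("Ex") or api == "CreateRemoteThread" else 0
        if api in ALLOC_APIS:  # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) -> base
            size, protect = args[off + 1], args[off + 3]
            regions[(pid, ret)] = {"size": size, "exec": protect in EXEC_PROTECTS, "chain": [api]}
        elif api in PROTECT_APIS:  # VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect)
            reg, protect = regions.get((pid, args[off])), args[off + 2]
            if reg and protect in EXEC_PROTECTS:
                reg["exec"] = True
                reg["chain"].append(f"{api}(0x{protect:x})")
        elif api in THREAD_APIS:  # CreateThread(attr, stackSize, lpStartAddress, param, flags, id)
            start = args[off + 2]
            for (rpid, base), reg in regions.items():
                if rpid == pid and reg["exec"] and base <= start < base + reg["size"]:
                    hits[pid] = " -> ".join(reg["chain"] + [f"{api}@0x{start:x}"])
    return hits

# Constructed sample trace: 4120 follows the alloc/RX/thread sequence from the text,
# 5000 keeps its page read-write (benign), 6100 does the same thing into a remote process.
TRACE = """\
4120;VirtualAlloc;0x0,0x1000,0x3000,0x4;0x1f0000
4120;VirtualProtect;0x1f0000,0x1000,0x20,0x12ff80;0x1
4120;CreateThread;0x0,0x0,0x1f0000,0x0,0x0,0x0;0x2c4
5000;VirtualAlloc;0x0,0x1000,0x3000,0x4;0x2a0000
5000;VirtualProtect;0x2a0000,0x1000,0x4,0x12ff80;0x1
5000;CreateThread;0x0,0x0,0x7ff61000,0x0,0x0,0x0;0x2c8
6100;VirtualAllocEx;0x1a4,0x0,0x1000,0x3000,0x40;0x330000
6100;CreateRemoteThread;0x1a4,0x0,0x0,0x330000,0x0,0x0,0x0;0x2d0
""".splitlines()
```

Running `detect_injection_chain(TRACE)` flags pids 4120 and 6100 with their call chains and leaves the read-write-only pid 5000 alone; on a real host the same logic would consume the tracer's own log format instead of the constructed one.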