Golang Virus Example

ExfilDocs
Searches drive for specific file extensions
Uploads files to C2 via SSH
Outlook Exfil
Asks for Outlook Credentials
Authenticates via IMAP, searches attachments and uploads files to C2 via SSH TO DO: Fix Windows Compilation
Screen Shotter
Uploads screenshot every 20 seconds to C2 via SSH
Dropper
Hosts 3 files, downloads them from itself then executes them.

[ GitHub ]


Process Injection Techniques with Golang
[ GitHub ]


Proof of concept SMB C2 using named pipes in Golang
[ GitHub ]


DLL creation and injection with Golang
[ Medium ]

ColdFire II(Golang malware development library)
[ GitHub ]


A POC Windows crypto-ransomware (Academic). Now Ransom:Win32/MauriCrypt.MK!MTB
[ GitHub ]


Windows Botnet written in Golang
[ GitHub ]



@source_byte

#malware_dev #go

TrollUAC

• .NET library that serves as a UAC bypass for x64
• Any* process with the uiAccess flag enabled can "Send Keystrokes" to high integrity processes even from medium integrity
• We steal the token of On Screen Keyboard (uiAccess enabled) to spawn a new process that does GUI automation
• The GUI automation simply sends keystrokes to taskmgr (auto elevate) to spawn our new desired process in high integrity
• *Refer to tiraniddo's article for requirements, although they can easily be conjured up

Zero EAT touch way to retrieve function addresses (GetProcAddress on steroids)
[ GitHub ]

#malware_dev
#windows

Unorthodox and stealthy way to inject a DLL into the explorer using icons
[ GitHub ]


@source_byte
#malware_dev
#windows

Malware for education

Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing

https://github.com/reveng007/DarkWidow.git

Honourable Mentions:
BlackHat Asia, 2024 - Call For Tools
BlackHat USA, 2024 - Call For Tools


@source_byte
#malware_dev
#windows

🦀 | RustRedOps is a repository dedicated to gathering and sharing advanced techniques and offensive malware for Red Team, with a specific focus on the Rust programming language.
https://github.com/joaoviictorti/RustRedOps.git


@source_byte
#malware_dev #rust

Writing an Independent Malware

There’s no greater feeling when the malware (or any project/tool) you’re developing works as expected. Until suddenly you realized it only works on your dev machine but not on any other machine.

https://captmeelo.com//redteam/maldev/2022/10/17/independent-malware.html

@source_byte
#malware_dev #compile

We have many people asking us how to begin their journey into malware development. Here is a step by step guide to get started!

1. Stop asking how to get started
2. Learn to code (NOT PYTHON)
3. Do something
4. Expect failure

Have a nice day.

VOID MANTICORE DESTRUCTIVE ACTIVITIES IN ISRAEL

Void Manticore (aka Storm-842) is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS). They carry out destructive wiping attacks combined with influence operations.

(Checkpoint Report)
Research

Explain about:
Liontail framework


@source_byte
#APT #Ti

Below is an example of how you can use the Windows API in C++ to create a communication channel with http.sys. This example demonstrates how to set up a simple HTTP server using the HTTP Server API:

#include <windows.h>
#include <http.h>

#pragma comment(lib, "httpapi.lib")

int main()
{
    ULONG retCode = NO_ERROR;
    HTTPAPI_VERSION HttpApiVersion = HTTPAPI_VERSION_2;
    HTTP_SERVER_SESSION_ID sessId = NULL;
    HTTP_URL_GROUP_ID groupId = NULL;
    HTTP_REQUEST_ID requestId = NULL;
    HTTP_SERVER_CONTEXT context = 0;

    // Initialize HTTP Server APIs
    retCode = HttpInitialize(HttpApiVersion, HTTP_INITIALIZE_SERVER, NULL);
    if (retCode != NO_ERROR) return retCode;

    // Create a server session
    retCode = HttpCreateServerSession(HttpApiVersion, &sessId, 0);
    if (retCode != NO_ERROR) goto cleanup;

    // Create a URL group
    retCode = HttpCreateUrlGroup(sessId, &groupId, 0);
    if (retCode != NO_ERROR) goto cleanup;

    // Add a URL to the URL group
    PCWSTR pFullyQualifiedUrl = L"http://localhost:8080/";
    retCode = HttpAddUrlToUrlGroup(groupId, pFullyQualifiedUrl, context, 0);
    if (retCode != NO_ERROR) goto cleanup;

    // Your code to handle requests here
    // ...

cleanup:
    // Clean up in case of failure or after serving requests
    if (groupId != NULL) {
        HttpRemoveUrlFromUrlGroup(groupId, pFullyQualifiedUrl, 0);
        HttpCloseUrlGroup(groupId);
    }
    if (sessId != NULL) {
        HttpCloseServerSession(sessId);
    }
    HttpTerminate(HTTP_INITIALIZE_SERVER, NULL);

    return retCode;
}

This code initializes the HTTP service, creates a server session, sets up a URL group, and adds a URL to the group. You would need to add your own code to handle the HTTP requests.

Please note that this is a simplified example and does not include error handling or request processing logic. For a complete implementation, you would need to handle incoming HTTP requests and send appropriate responses. You can find more detailed information and examples in the [Microsoft documentation].

Initialization: The malware first initializes itself upon execution. This may involve setting up hooks or modifying system settings to intercept and handle HTTP requests.

Registration with HTTP.sys: The malware registers itself with HTTP.sys to intercept incoming HTTP requests. This can be achieved by configuring HTTP.sys to route specific URL patterns or by modifying the HTTP request handling process within the system

Listening for Commands: The malware continuously monitors incoming HTTP requests handled by HTTP.sys. It parses incoming requests to identify commands or instructions from the C2 server. These commands may be embedded within specific headers, parameters, or payloads of HTTP requests.


Executing Commands: Upon receiving valid commands from the C2 server, the malware executes the specified actions. These actions may include downloading and executing additional payloads, exfiltrating sensitive data, or performing system reconnaissance.

Sending Responses: After executing commands, the malware may generate responses or status updates to send back to the C2 server. These responses can be embedded within HTTP responses or sent as separate HTTP requests to a predefined endpoint on the C2 server.


Data Exfiltration: In addition to receiving commands, the malware may use the established communication channel to exfiltrate stolen data to the C2 server. This can include sensitive information such as credentials, files, or system information.

Using the WinHTTP C/C++ API - Win32 apps | Microsoft Learn.

c++ - HTTP client example on win32 - Stack Overflow.

c++ - Communication between two windows created using TCP Sockets ....

https://github.com/pedro-vicente/lib_netsockets.

@source_byte
#malware_dev
#windows

🟣 ساخت KeyLogger ویندوزی با استفاده از GetAsyncKeyState

یکی از روش های مرسوم و اولیه برای پیاده سازی کیلاگر ها در ویندوز استفاده از تابع GetAsyncKeyState در Windows API است . به وسیله این تابع میتوان چک کرد آیا یک کلید مدنظر روی صفحه کلید در حال حاضر فشرده شده است یا نه . در این ویدیو میبینیم چطور میتونیم به وسیله این تابع یک کیلاگر ویندوزی پیاده سازی کنیم که به صورت مخفی در پس زمینه اجرا شده و کلید های ضبط شده را در یک فایل ذخیره کند .

Aparat : https://www.aparat.com/v/h29Cp

#توسعه_بدافزار

🆔 : @mrpythonblog

Here is some code that was written about a year for a project for vx-underground. However, due to various reasons, the code is being publicly released.

tl;dr recursive loader, painful to reverse engineer

Explanation of code:
The following code is inspired by APT Linux/Kobalos. Kobalos was malware, suspected to be tied to the Chinese government, which was fully recursive. It was novel malware.

Following this inspiration, an x64 recursive loader was developed for Windows 10 and Windows 11. When compiled the binary has no entries in the IAT. The binary resolves all APIs via NTDLL. Additional libraries are loaded via LdrLoadDll.

The code recursively calls itself to execute functions. It determines which portion of code to execute using a flag (an enum). Each 'function' is encapsulated in a switch statement. All variables are recursively passed using the 'VARIABLE_TABLE' structure. The VARIABLE_TABLE also contains further nested structures for handling API function resolving, initializing COM objects and associated classes, and data structures for some 'switch functions' which may require additional variables for tasks.

To avoid the compiler optimizing code and introducing functions into the IAT, some STDIO functionality such as ZeroMemory have been re-written in more unorthodox methods.

HTTPS requests are handled by COM via the WinHttpRequest Object.

The code basically downloads a binary from vx-underground and executes it. Currently the code will not work because the executable hosted on vx-underground for the proof-of-concept is no longer there – although it was just a copy cmd.exe.

Code may have some bugs. It can be improved upon by introducing pseudo-polymorphism by 'scrambling' the order of switch statements and enum values on each build.

Code written by smelly

You can checkout Win32.RecursiveLoader.b here: https://pastebin.com/HSTS2zwL

x64 WINAPI Recursive Loader W No Imports.c

obfuscating c2 during a red-team engagement(harden your C2 server)
Jumpsec

#c2

Im going to sleep! 2000’s

🔥List of best security channels on telegram:
https://news.1rj.ru/str/addlist/RPL2r4B8flEyOTI0

If you think that i missed a good channel tell me! -> @Ke3rNel