Development Environment Prep – We start by building multiple development environments (within virtual machines) for writing malware. We discuss the different tools, languages, and operating system configurations that our malware developers use when writing code and then set them up in our virtual machines.
Malware/Campaign Goals – When writing phishing malware, we typically have one of two goals: harvest credentials from our victim or execute arbitrary code on their workstation.
Credential Harvesting – Harvesting account credentials depends heavily on the type of services your target exposes publicly. Is there a VPN portal, Outlook Web Access, an HR self-service portal, Citrix access? Ultimately, your goal is to entice the user to enter their credentials into a web form that securely saves their information and possibly their multi-factor token. We’ll look at both custom code and existing open source tooling that helps accomplish this objective.
Arbitrary Code Execution – Code execution typically results in a Meterpreter or Cobalt Strike Beacon connecting back to your command and control servers once the targeted employee triggers your attack vector. To accomplish this objective, we discuss and customize the browser-based attacks that attackers use to achieve code execution.
Code Execution Deep Dive – After looking at examples of how attackers can leverage web browsers to execute code on their target’s systems, we do a deep-dive into different methods of customizing code execution malware.
Process Injection Techniques – There are many ways an attacker can inject code not only into their current process, but also into other processes running on the targeted system. We discuss the pros and cons of injecting into remote processes and walk through the different API calls that enable these capabilities.
DotNetToJScript – The tool DotNetToJScript has changed how the industry writes phishing malware. It has extended the functionality of “low capability” browser-compatible languages to match that of fully functional development languages. We walk through how you can use different process injection techniques within a browser-based attack with DotNetToJScript.
Code Protection/Targeted Malware – Why spend all that time writing your own malware with the latest techniques available, only to let anyone arbitrarily run it and possibly write detections for it? You’re going to learn multiple techniques not only to attempt to prevent your code from running in any form of sandbox, but also to ensure your malware runs only on the system(s) you are targeting.
At the conclusion of the class, students will have a strong understanding of different techniques used by modern attackers in phishing attacks. Additionally, all students will have learned various methods to extend basic phishing attacks to include process injection techniques that are used to avoid detection.