№4. Ethical Hacking Labs. Malicious software

12 April 2023 11 minutes Author: Endpool

Understanding and preventing malware

Malware, or malicious software, is a type of program designed to harm computer systems, steal sensitive data, or gain unauthorized access to or control over them. It includes viruses, trojans, worms, spyware, ransomware and other malicious programs, and it can be distributed in a variety of ways, such as email attachments, downloads, or social engineering. Malware can cause data theft, system crashes, and significant financial losses. To protect computer systems from these threats, a solid anti-malware strategy, including both software and employee training, is critical to preventing or mitigating attacks.

Malware can take many forms, including viruses, worms, trojans, spyware, adware, and more. These programs can have a devastating impact on businesses and individuals, resulting in data loss, system downtime and financial losses. It is important to have a reliable, up-to-date anti-malware solution and to train employees on best practices for preventing malware infections.

njRAT – Remote Access Trojan

njRAT is a RAT with powerful data-stealing capabilities. In addition to logging keystrokes, it can access the victim’s camera, steal credentials stored in browsers, download and upload files, execute processes and manipulate files, and view the victim’s desktop. RATs give an attacker remote access to a full GUI and control of the victim’s computer without the victim’s knowledge, and are capable of camera viewing and capture, code execution, keylogging, file access, password capture, registry manipulation, and more. njRAT infects victims through phishing attacks and drive-by downloads, and spreads via infected USB keys or network drives. It can download and run additional malware, execute shell commands, read and write registry keys, take screenshots, log keystrokes, and spy on webcams. The njRAT Trojan can be used to control botnets (networks of compromised computers), allowing an attacker to update, remove, disconnect, restart or close the RAT and rename its campaign ID. Using the command and control server software, an attacker can additionally build and configure malware for distribution via USB drives.

Objectives:

Create a server with njRAT. Remotely access the target machine.

Requirements:

Windows 10 (attacker). Windows 7, 8 or Server (target).

Create an executable server using njRAT

Log into Windows 10 and install njRAT. Run njRAT; the GUI appears together with a pop-up window asking you to specify the port to use for communicating with the target machine. Use the default port number 5552 and click Start.

Click “Builder” in the lower left corner.

In the Builder dialog box, enter the IP address of the attacker’s computer (Windows 10), check the Copy to StartUp and Registry StartUp options, and then click Build as shown below:

Save the file and name it Example.exe. Now the server must be delivered to the target by email or any other means. To make this lab easier, I copied the Example.exe file to a network share.

Start the server on the target machine

In this lab, I am using a Windows 7 SP1 virtual machine. Note: be sure to enable the firewall on the target machine. Drag the Example.exe file to the desktop and double-click it. As you can see below, the connection was successfully established.

Go back to Windows 10 (attacker). When the target double-clicks the server, the executable starts and the njRAT GUI running on Windows 10 establishes a persistent connection with the target machine, as shown below. The GUI displays basic machine details such as IP address and OS.

Manipulating files on the target machine

Right-click on the detected target machine and select Manager. Double-click any directory in the left pane. You can right-click any selected directory and control it using context-sensitive options:


Manage processes

Click on Process Manager from the top menu. You will be redirected to the Process Manager, where you can right-click any process and perform actions such as Kill, Delete, and Restart.

Manage connections

Click Connections in the top menu and select a specific connection, right-click it and select Close Connection. This action breaks the connection between two machines that are communicating on a specific port.

Manage registries

Click “Registry” in the top menu and select a registry key in the left panel; right-click the related registry entries and several options for managing them will appear.

Start Remote Shell

Click Remote Shell in the top menu. This action starts a remote command prompt on the target machine.

Run the file

In the njRAT main window, right-click on the target machine and select “Run File”. An attacker uses this option to remotely execute scripts or files from their own computer.

Start a remote desktop connection

Right-click on the target machine and select Remote Desktop Connection. This initiates a remote desktop session without the consent of the target computer’s user. You will be able to interact with the victim machine remotely using the mouse or keyboard. In the same way, you can choose the remote camera and microphone to watch the target and monitor voice conversations.

Perform keylogging

Switch to Windows 7 (the target machine). Act as a legitimate user would and perform some actions, such as logging in to a website or typing in a document. Now go back to the Windows 10 machine, right-click on the target machine and select the Keylogger option. A keylogger window appears showing all keystrokes made by the target.

Even if the victim disconnects by rebooting the machine, as soon as the victim logs in again the njRAT client automatically re-establishes the connection.

HTTP RAT Trojan

HTTP/HTTPS Trojans can bypass any firewall and work like a straight HTTP tunnel, but in reverse. They use web interfaces and port 80 to gain access. Such a Trojan runs on the internal host and spawns a “child program” at predetermined times. The child program looks like an ordinary user to the firewall, which therefore allows it to access the Internet. However, this child executes a local shell, connects to an attacker-owned web server on the Internet via a legitimate HTTP request, and sends it a ready signal. What looks like a legitimate response from the attacker’s web server is actually a series of commands that the child executes in the machine’s local shell. Network auditing for HTTP RATs is generally both more difficult and more important because most firewalls and other perimeter protection devices cannot detect the traffic generated by the HTTP RAT Trojan. Remote Access Trojans (RATs) are malicious programs that run stealthily on a host computer and give attackers remote access and control. A RAT can provide a backdoor for administrative control over a target computer. Once the target system is compromised, an attacker can use it to spread the RAT to other vulnerable computers and build a botnet.
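The beaconing behaviour described above (a child process polling the attacker’s web server at predetermined times over ordinary HTTP) is exactly the regularity a defender can look for in proxy logs. The following is an added example, not part of the original lab or of any HTTP RAT tool; the log format, client addresses and host names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client> <host> <method> <path>".
# 10.0.0.7 polls c2.example.net every 300 s; 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
2023-04-12T09:00:00 10.0.0.7 c2.example.net GET /ready
2023-04-12T09:00:13 10.0.0.9 news.example.org GET /
2023-04-12T09:02:41 10.0.0.9 news.example.org GET /sports
2023-04-12T09:05:00 10.0.0.7 c2.example.net GET /ready
2023-04-12T09:10:00 10.0.0.7 c2.example.net GET /ready
2023-04-12T09:15:00 10.0.0.7 c2.example.net GET /ready
2023-04-12T09:15:02 10.0.0.9 news.example.org GET /weather
2023-04-12T09:20:00 10.0.0.7 c2.example.net GET /ready
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _path = line.split(maxsplit=4)
        series[(client, host)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(text, min_requests=4, max_jitter=0.1):
    """Return (client, host, mean gap in seconds) for every client/host pair
    whose gaps between requests are nearly constant: the coefficient of
    variation (std dev / mean) is at or below max_jitter. A RAT checking in
    on a fixed schedule has almost no jitter; a person browsing has plenty."""
    hits = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, avg))
    return hits


if __name__ == "__main__":
    for client, host, avg in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {host} every {avg:.0f}s")
```

Real RATs often add random sleep to their schedule, so in practice the jitter threshold is tuned per environment and the result is a lead for further triage rather than a verdict.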

Objectives:

Create an HTTP Trojan server on Windows Server 2012. Run the server on a Windows 10 virtual machine.

Requirements:

Windows Server 2012 virtual machine (attacker). Windows 10 virtual machine (target).

Creating a Trojan on Windows Server

Log into Windows Server 2012 and install the HTTP RAT TROJAN tool (https://anonfile.com/HaT8v9Jbn7/HTTP_RAT_TROJAN_zip). Double-click httprat.exe; the HTTP RAT main window appears as shown below:

Uncheck “Send notifications with IP address to mail”, enter server port 84 and click “Create”.

Once the httpsserver.exe file has been created, a pop-up window appears; click OK and make the file accessible to the Windows 10 virtual machine. The file is saved in the HTTP RAT TROJAN folder as shown below:

Run the Trojan on Windows 10

Now log in to Windows 10 and navigate to the location where you saved the httpsserver.exe file. Double-click it to launch the Trojan.

You will be able to see the Httpserver process in Task Manager:

Analyze the target machine

Switch back to Windows Server 2012 and start a web browser. Enter the IP address of Windows 10 in the address bar to access the machine.

If everything works, you should get a window like this:

Click the Running Process link to view a list of processes running in Windows 10. You can kill any process from here.

Click Browse and then click Drive C to view the contents of that drive.

Click Computer Information to view information about the computer, users, and hardware.

After that, terminate the Httpserver.exe process in Windows 10.

Trojan obfuscation with SwayzCryptor

SwazCryptor — an encryptor (or “encrypter”) that allows users to encrypt the source code of their application. Crypter is a software used to hide viruses, keyloggers or any RAT tools from antiviruses so that antivirus programs do not detect and remove them. It simply adds hidden values to each individual code in the source code. Thus, the source becomes hidden, making it difficult for AV tools to scan it.

Objectives

Encrypt a Trojan to make it partially or completely undetectable.

Requirements

Windows 10 virtual machine (attacker). Windows 7 or 8 virtual machine (target).

Malicious file scanning

Sign in to Windows 10. Launch a web browser and enter the URL https://antiscan.me, upload the malware file created in the previous lab, and run the scanner.

Encrypt a trojan file with SwayzCryptor

Download SwayzCryptor and run the program.

You can easily test whether everything still works with njRAT: share the malicious file with any Windows VM and run it there while njRAT is open on the Windows 10 machine.

Virtual Malware Analysis Environment

REMnux

REMnux is a Linux-based toolkit for reverse engineering and malware analysis. It contains a set of free and open-source tools for malware inspection and incident response. REMnux is designed to run in a virtual machine, which helps protect the host system during analysis, and is used by malware analysts, incident responders and other security professionals.

Tsurugi Linux

Tsurugi Linux is a heavily customized Linux distribution (first released on November 3, 2018 at the AvTokyo security conference in Japan), based on Ubuntu 16 LTS (64-bit, with a custom 5.4.2 kernel) and designed to support DFIR investigations, malware analysis and OSINT activities.

FLARE VM

FLARE VM is a free, open-source, Windows-based virtual machine for reverse engineering, malware analysis and threat detection. It comes pre-configured with tools such as debuggers, disassemblers and decompilers for analyzing Windows malware and suspicious files. FLARE VM is maintained by the FireEye Labs Advanced Reverse Engineering (FLARE) team and is regularly updated with the latest analysis tools and plugins.

Windows Tools

ProRat

ProRat is a remote administration tool written in C that works with all Windows operating systems. ProRat was designed to let users control their own computers remotely from other computers. However, attackers have used it for their own nefarious purposes. Some hackers take control of remote computer systems to launch a denial-of-service (DoS) attack that renders the target system unavailable for normal personal or business use.


Theef

Theef is a Windows-based client and server application. The Theef server is the malicious component installed on the target computer, and the Theef client is what is then used to control it. Theef is a remote access trojan written in Delphi that allows attackers to remotely access the system via port 9871.


JPS Virus Maker

JPS Virus Maker is a program that lets users create their own computer viruses. It is usually used for educational or testing purposes, to help users understand how viruses behave and how to protect against them. However, it can also be used for malicious purposes, so it should be handled with care. Creating and spreading viruses is illegal and can have serious consequences.


Regshot

Regshot is a utility that compares two registry snapshots to show which entries were added, removed or changed during an installation or a system configuration change, which makes it a useful tool for troubleshooting and for monitoring the registry. You take a snapshot of the registry before any system change, or before programs are added, removed or changed, take a second snapshot after the changes have been made, and then compare the two.
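The snapshot-and-compare workflow Regshot implements is also how a defender would spot the Run-key entry that the njRAT builder’s Registry StartUp option (first lab above) creates. The following is an added example, not part of Regshot or of the lab; the two snapshots are constructed dictionaries standing in for parsed Regshot exports, and the key, value and file names in them are illustrative.

```python
# Autorun locations worth watching: an njRAT build's "Registry StartUp" option
# adds its value under a Run key like these.
AUTORUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
# Lower-cased path fragments a user can write to without admin rights.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed snapshots mapping "HIVE\Key\ValueName" -> data, as a parsed
# Regshot export might look; names and paths are illustrative.
BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\System32\SecurityHealthSystray.exe",
    r"HKCU\Software\Example\Setting": "1",
}
AFTER = dict(BEFORE)
AFTER[r"HKCU\Software\Example\Setting"] = "2"
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Example"] = \
    r"C:\Users\lab\AppData\Roaming\Example.exe"


def diff_snapshots(before, after):
    """Regshot-style comparison: values added, removed, or modified (old, new)."""
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    modified = {k: (before[k], after[k]) for k in before.keys() & after.keys()
                if before[k] != after[k]}
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_autoruns(diff):
    """Flag new or changed autorun values that point into a user-writable path.
    Legitimate updaters do this too, so each hit is a lead to verify, not a verdict."""
    changes = {**diff["added"], **{k: new for k, (_old, new) in diff["modified"].items()}}
    hits = []
    for key, data in changes.items():
        parent = key.rsplit("\\", 1)[0]
        if parent in AUTORUN_KEYS and any(p in data.lower() for p in USER_WRITABLE):
            hits.append((key, data))
    return hits

if __name__ == "__main__":
    for key, data in suspicious_autoruns(diff_snapshots(BEFORE, AFTER)):
        print(f"new autorun in user-writable path: {key} = {data}")
```

The same diff applied to a file-system snapshot of the Startup folder covers the builder’s Copy to StartUp option.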

