June 2015 V-Day!

Hello, and welcome to June’s V-Day!

This month, we received a Python payload that was created by Alex Rymdeko-Harvey (@Killswitch_GUI)! This payload works by having the user specify a URL that the payload should beacon back to, and how often it should beacon back. The following is a step-by-step description of how the module works:

  1. The module will create a web page containing a fake WordPress login.
  2. The fake page will be MD5-hashed, and the hash will be used to encrypt the shellcode stored inside the executable.
  3. Once the executable has been placed on a machine and run, it will beacon to the URL specified, looking for the web page.
  4. Once the web server returns a 200, the executable will compute the MD5 of the web page, attempt to use that hash to decrypt the shellcode, and execute it in memory.
  5. If the page doesn’t return a 200, the executable will sleep until it’s time to beacon out again.

The nice part about this module is that you can choose when your payloads are allowed to execute. Since no key is stored within the executable, the only time a payload can inject its shellcode is when the page it is beaconing back to is live.
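From the defender's side, the observable this scheme leaves behind is the polling itself: one client requesting the same URL at a fixed interval, usually collecting non-200 responses until the page goes live. The following is an added example (not code from the V-Day post or from the Veil-Evasion module) that flags such fixed-cadence request series in a web proxy log; the log format and the sample lines are constructed for the demonstration.

```python
# Added example (not from the V-Day post or the Veil-Evasion module): flag
# clients that poll a single URL at a near-constant interval, which is the
# pattern the beaconing described above produces in a proxy log.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2015-06-01T10:00:00 10.0.0.5 GET http://example.invalid/wp-login.php 404
2015-06-01T10:00:03 10.0.0.7 GET http://example.invalid/index.html 200
2015-06-01T10:05:01 10.0.0.5 GET http://example.invalid/wp-login.php 404
2015-06-01T10:10:00 10.0.0.5 GET http://example.invalid/wp-login.php 404
2015-06-01T10:11:42 10.0.0.7 GET http://example.invalid/about.html 200
2015-06-01T10:15:02 10.0.0.5 GET http://example.invalid/wp-login.php 200
2015-06-01T10:20:00 10.0.0.5 GET http://example.invalid/wp-login.php 200
"""

def parse_log(text):
    """Group (timestamp, status) pairs per (client, url)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, _method, url, status = line.split()
        series[(client, url)].append((datetime.fromisoformat(ts), int(status)))
    return series

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return (client, url, interval_seconds, index_of_first_200) for every
    request series whose inter-arrival times are nearly constant, i.e. whose
    coefficient of variation (stdev / mean) is at most max_jitter."""
    findings = []
    for (client, url), hits in parse_log(text).items():
        if len(hits) < min_hits:
            continue                      # too few requests to judge cadence
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            # Note where the polling first succeeded: that is the moment the
            # staged page went live and the payload could decrypt and run.
            first_ok = next((i for i, (_, s) in enumerate(hits) if s == 200), None)
            findings.append((client, url, round(avg), first_ok))
    return findings

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print("beacon-like polling:", finding)
```

On the sample log this reports the 10.0.0.5 client polling wp-login.php every 300 seconds, with its first 200 on the fourth request; the 10.0.0.7 browsing traffic is ignored because it has too few hits to establish a cadence.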

If you want to read more about this, check out the author’s blog post here: http://cybersyndicates.com/2015/06/veil-evasion-aes-encrypted-httpkey-request-module/

Thanks, and enjoy!
