Hi there,

This is Dimitrios Bougioukas, Director of IT Security Training Services at eLearnSecurity.

Our series of (red and blue team) posts continues with the third entry of the Red Team Diary. Everything you will read below is part of our Penetration Testing eXtreme course, a course oriented solely towards red team operations.

In this post I will demonstrate how you can develop your own custom malware that establishes a shell through the target’s browser. We chose to abuse the target’s browser so that any traffic back to us will look like legitimate web page browsing.

During our custom malware development activities we will repurpose BeEF’s bind shellcode, modify the BeEF (0.4.7.0-alpha) backend, and also leverage AutoIt.

BeEF Bind Shellcode Background

BeEF’s bind shellcode is used to establish a shell through a target’s browser. It was originally created for inter-protocol exploitation scenarios. This means the target must not only have specific software installed (the software that BeEF’s bind shellcode exploits apply to) but must also install a malicious browser extension, which, among other things, bypasses the browser’s port banning. Too many requirements …

The attack’s stager and stage payload are contained in BeEF’s Eudora Mail 3 and Active Fax 5.01 exploits.

Our Version of the Attack

We will modify BeEF’s Eudora Mail 3 exploit and create a variation of this attack that applies to any social engineering scenario and does not require any specific software or browser extension to be installed on the target. We will actually create and send a malicious executable that injects the attack’s stager into the target’s memory. Then, we will manually send the attack’s stage payload using BeEF.

This way, we free ourselves from the requirement of specific software and a browser extension being installed on the target. Note that everything will occur from a single attack vector.

All the attack stages are depicted in the following diagram.

Our custom malware will perform the below steps:

[3a] Spawn a hidden Firefox instance that automatically visits an attacker-controlled web page serving BeEF’s hook.

[3b] Fetch BeEF’s bind shellcode from a remote attacker-controlled resource and inject it into the target’s memory; at this point the selected port is bound.

[4] Receive the stage payload (sent by the attacker) through the (hidden) hooked browser.

[5] Receive commands to be executed and send their results back through the (hidden) hooked browser.

Let’s start developing our malware…