Fene is a C# loader generator.

It takes x86 Cobalt Strike shellcode, and AES encypts it to a random encyrption key which is hardcoded. Following this the assembly is further encrypted (using a C# stub) which is keyed to an enviromental variable.

Fene also allows for the encryption of both HTTPS and DNS shellcode. When this option is selected, both types of shellcode will be stored in the binary, and a HTTP connectivity check will be conducted to when the assembly runs to inject the relevant shellcode with HTTPS being preferred. When both shellcodes are selected, the binary also takes command line arguements to select which shellcode to run (e.g. evil.exe dns, or evil.exe http).

Fene has a number of other features. When the final assembly is generated an obfuscation process occures, and some anti debugging features are implemented.

A basic persistence option can also be selected where the assembly is added to the Registry to run on start up.

Finally the generated assembly will work with InstallUtil.exe's uninstall arguement to evade application whitelisting.

In terms of anti-virus checks, the final assembly successfully bypasses tested vendors.

Use Cases

Phishing

If you are performing a Red Team using a Word/Excel Marco you can implement the downloading of the binary via Domain Fronting using wininet.dll (blog post coming shortly), environmentally key the execution of the download function (basic overview here), enumerate the location of InstallUtil (VBA.net function here), and download and run the assembly using InstallUtil.exe's uninstall flag which in turn is environmentally keyed. When the assembly is run, it will attempt to connect back to the HTTPS C2, if successful it injects HTTPS shellcode, otherwise it falls back to DNS shellcode. Additionally if the persistence is selected the assembly is run on start up.

Lateral Movement

Once you have established a foothold and are seeking to pivot inside the internal network, you can generate a Fene assembly in a number of ways. It can contain both HTTPS and DNS shellcode, allowing you to select on the command line which shellcode to inject into memory once copied and run on another host. Alternatively you can key the assembly to that specific Hostname, or User so that your assembly only runs on that host. Furthermore once you have keyed the assembly containing both HTTP and DNS shellcode, you can use InstallUtil.exe to run the assembly and allow it to find its own way out. Lastly you can add persistence using the Registry to run at start up.

Fene will be further developed to allow for additional persistence methods, additional application whitelisting bypass methods, and eventually a portable C++ binary will be possible to generate.

Use

To coincide with the release of our training course around Advanced Red Team Phishing, Fene will be released on Github. In the course the tool will be introduced and how to take it further to incorporate other features will taught.