Venom Amsi Evasion agent nº5 (PDF Trojan)
venom => Categorie nº8 (Amsi Evasion) => Agent nº5 (PDF Trojan)
This Venom module asks the attacker to insert a PDF document, then creates a C program that is compiled with GCC (mingw32) into a binary.exe whose main task is to download and run the attacker's legitimate PDF document and the Client.exe (reverse TCP shell) from the attacker's apache2 web server, using the remote host's PowerShell interpreter for that.
This module was created to allow the attacker to deliver a binary.exe disguised as a PDF document. For this purpose, venom uses wine32 + ResourceHacker.exe to replace the binary.exe icon with one that matches a PDF document icon.
'When the target executes the dropper, it downloads/runs the PDF and downloads/runs the Client.exe (in background)'
[1] - GCC (mingw32 or mingw-w64) Manual Install
[2] - Wine (32-bit) Install - Mandatory
[3] - ResourceHacker Install (x86|x64)
[4] - Credits Special Thanks
[5] - Report Issues
Remark: Venom does not stop the Client.exe process on the target host remotely; it has to be stopped manually.
I have named the Client description field: Cumulative Security Update KB4524147 (client)
for easy finding in Task Manager.
Description: GCC (mingw32 or mingw-w64) is required for venom to be able to compile the dropper.c into a binary.exe
Remark: Choose the right command based on the system architecture in use (x86 or x64), or on the venom settings file
Remark: Further information about this topic can be found here
x86 (32-bit) Architectures:
- Install mingw32
sudo apt-get update && sudo apt-get install mingw32 -y
x64 (64-bit) Architectures:
- Install mingw-w64
sudo apt-get update && sudo apt-get install mingw-w64 -y
Remark: Remember that if the target OS is x86 (32-bit) then the dropper.exe
will not execute if compiled with the x64 mingw-w64 library (incompatible architecture)
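A check that goes with the architecture remark above, added here as an example and not part of venom: it reads the Machine field of a PE file's header to report whether the binary was built for i386 (what mingw32 emits) or x86-64 (what mingw-w64 emits), so a 32-bit/64-bit mismatch is caught before the file is used. The same check is useful when triaging an unknown Windows executable on a Linux box. The names le_uint, pe_machine and check_target_arch are this example's own; it assumes a Linux host with bash and the coreutils od, head and dd.

```shell
#!/usr/bin/env bash
# Added example, not part of venom: report which CPU architecture a PE file
# (binary.exe / dropper.exe) was compiled for, by reading the Machine field of
# its IMAGE_FILE_HEADER. 0x014c = i386 (mingw32 output), 0x8664 = x86-64
# (mingw-w64 output). Needs bash, od, head and dd.

# Read NBYTES at OFFSET from FILE as a little-endian unsigned integer,
# byte by byte so the host's own endianness does not matter.
le_uint() {   # le_uint FILE OFFSET NBYTES
    local v=0 pos=0 b
    for b in $(od -An -tu1 -j "$2" -N "$3" "$1" 2>/dev/null); do
        v=$(( v + (b << pos) ))
        pos=$(( pos + 8 ))
    done
    echo "$v"
}

# Print "i386", "x86-64" or "unknown(0x....)"; print "not-pe" and return 1
# when the file lacks the MZ / PE signatures.
pe_machine() {
    local f="$1" lfanew machine
    [ "$(head -c 2 "$f" 2>/dev/null)" = "MZ" ] || { echo "not-pe"; return 1; }
    # e_lfanew at offset 0x3c holds the file offset of the PE header.
    lfanew=$(le_uint "$f" 60 4)
    [ "$(dd if="$f" bs=1 skip="$lfanew" count=2 2>/dev/null)" = "PE" ] || { echo "not-pe"; return 1; }
    # Machine is the 16-bit field right after the 4-byte "PE\0\0" signature.
    machine=$(le_uint "$f" $((lfanew + 4)) 2)
    case "$machine" in
        332)   echo "i386" ;;      # 0x014c
        34404) echo "x86-64" ;;    # 0x8664
        *)     printf 'unknown(0x%04x)\n' "$machine" ;;
    esac
}

# Return 0 when FILE matches the intended target ("x86" or "x64"), 1 otherwise.
check_target_arch() {   # check_target_arch FILE x86|x64
    local want got
    case "$2" in
        x86) want=i386 ;;
        x64) want=x86-64 ;;
        *)   echo "usage: check_target_arch FILE x86|x64" >&2; return 2 ;;
    esac
    got=$(pe_machine "$1") || return 1
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "$1 is built for $got, not $want" >&2
    return 1
}

# Usage: check_target_arch dropper.exe x86 && echo "OK for a 32-bit target"
```

Integers are assembled byte by byte from `od -tu1` rather than read with `-tu2`/`-tu4`, because od decodes multi-byte values in the host's byte order while PE fields are always little-endian.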
Description: Wine (32-bit) is required for venom to be able to execute the Server.exe that is going to receive the TCP connection
Remark: venom requires wine (32-bit) because the Server/Client are binaries compiled for the x86 (32-bit) architecture
x86 (32-bit) Architectures:
- Install Wine
sudo apt-get update && sudo apt-get install wine
winecfg
- Install wine-mono
cd venom/bin
wget https://dl.winehq.org/wine/wine-mono/4.9.4/wine-mono-4.9.4.msi
wine msiexec /i wine-mono-4.9.4.msi
x64 (64-bit) Architectures:
- Install Wine
sudo apt-get update && sudo apt-get install wine
winecfg
- Install wine32 on x64 architecture systems
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get -y dist-upgrade --allow-downgrades
sudo apt-get install -y wine wine32:i386 wine64 libwine libwine:i386 fonts-wine winbind winetricks
- Configure wine to use 32-bit applications
syntax | description |
---|---|
WINEARCH=win32 | Wine starts a 64-bit environment by default. You can change this behaviour (to 32-bit) using the WINEARCH environment variable, and combine it with WINEPREFIX to keep separate win32 and win64 environments (wine multi-arch support). |
WINEPREFIX=/root/.wine | By default, Wine stores its config files and installed Windows programs in /root/.wine under Kali Linux distributions. You can override the location Wine uses for a prefix with the WINEPREFIX environment variable (if you wish to install it in a different location). |
winecfg | Winecfg is a GUI configuration tool for Wine, designed to make life a little easier than editing the Wine registry. |
if [ ! -d "/run/user/0/" ]; then sudo mkdir -p /run/user/0/;fi
sudo WINEARCH=win32 WINEPREFIX=/root/.wine32 winecfg
cd venom/bin
wget https://dl.winehq.org/wine/wine-mono/4.9.4/wine-mono-4.9.4.msi
wine msiexec /i wine-mono-4.9.4.msi
How to revert wine32 (32-bit) to the x64 (64-bit) architecture again ❓
Remark: On x64 architectures the Venom framework will auto-revert the wine32 arch settings set by this module back to the previous state (system default) after it has finished its job (revert wine32 => wine64), using the following command:
sudo WINEARCH=win64 WINEPREFIX=/root/.wine winecfg
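The WINEARCH/WINEPREFIX combination above only works when the prefix named by WINEPREFIX either does not exist yet or already has the requested architecture: Wine records a prefix's architecture in its system.reg as an #arch=win32 or #arch=win64 line and refuses to open a prefix under the other WINEARCH. The helper below, added here as an example and not part of venom, reads that marker and refuses a mismatched WINEARCH before winecfg is ever run. prefix_arch and prefix_compatible are this example's own names; the /root/.wine32 path in the usage comment is the module's default from the steps above.

```shell
#!/usr/bin/env bash
# Added example, not part of venom: inspect a Wine prefix before pointing
# WINEARCH at it. Wine writes "#arch=win32" or "#arch=win64" into
# <prefix>/system.reg when it creates the prefix; a later winecfg with the
# other WINEARCH fails, so we check first.

# Print "win32", "win64", "missing" (no such prefix directory) or
# "unknown" (directory exists but carries no #arch marker).
prefix_arch() {   # prefix_arch [PREFIX_DIR]   (default: $HOME/.wine)
    local prefix="${1:-$HOME/.wine}" line
    [ -d "$prefix" ] || { echo "missing"; return 0; }
    [ -f "$prefix/system.reg" ] || { echo "unknown"; return 0; }
    line=$(grep -m1 '^#arch=' "$prefix/system.reg") || { echo "unknown"; return 0; }
    echo "${line:6}"   # strip the 6-character "#arch=" prefix
}

# Decide whether "WINEARCH=$2 WINEPREFIX=$1 winecfg" can run:
#   0 = prefix absent (Wine will create it with that arch), already that
#       arch, or unreadable (let Wine decide);
#   1 = prefix exists with the other architecture;
#   2 = bad WINEARCH value.
prefix_compatible() {   # prefix_compatible PREFIX_DIR win32|win64
    local prefix="$1" want="$2" have
    case "$want" in
        win32|win64) ;;
        *) echo "WINEARCH must be win32 or win64" >&2; return 2 ;;
    esac
    have=$(prefix_arch "$prefix")
    case "$have" in
        missing|unknown|"$want") return 0 ;;
        *) echo "prefix $prefix is $have, not $want" >&2; return 1 ;;
    esac
}

# Usage matching the module's own steps (a 32-bit prefix beside the default one):
# if prefix_compatible /root/.wine32 win32; then
#     sudo WINEARCH=win32 WINEPREFIX=/root/.wine32 winecfg
# fi
```

The revert command above targets /root/.wine with WINEARCH=win64; running prefix_compatible /root/.wine win64 first tells you whether that prefix really is (or will be created as) a 64-bit one, which is the only case in which the revert makes sense.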
Description: ResourceHacker.exe is required for venom to be able to replace the dropper.exe icon with a PDF icon.
Remark: Install ResourceHacker under the wine Program Files
folder; do NOT install it in Program Files (x86)
Remark: RH venom default (x86) install: /root/.wine/drive_c/Program Files/Resource Hacker/ResourceHacker.exe
Remark: RH venom default (x64) install: /root/.wine32/drive_c/Program Files/Resource Hacker/ResourceHacker.exe
- Install ResourceHacker
cd venom/bin
wine reshacker_setup.exe
If you are facing installation issues, then as a last resort you can edit the venom.sh
script to better configure the toolkit.
Name | Job |
---|---|
Shanty Damayanti (my geek wife) | for having 'commissioned' me this service (pdf trojan) |
@codings9 | for helping me debug PDF Trojan Server\Client execution on linux x64 system |