IllusiveFog: Windows Administrator-level Implant
IllusiveFog
IllusiveFog is an implant kit for Microsoft Windows-based networks, built for long-term stealthy access and reconnaissance.
IllusiveFog is designed for highly covert operations. For that reason the feature set is deliberately kept small and every interaction with the C2 is encrypted. Every action on the target leaves a log, so OPSEC checks are applied at every exchange between the C2 and the mother (the base implant).
IllusiveFog is focused on the base framework itself: communication between the mother and the C2, the OPSEC checks, and the encryption. Techniques such as process injection or shellcode injection, and in general any technique that risks losing OPSEC, are avoided.
IllusiveFog Features/Plugins:
1: Persistence: install/uninstall persistence on the victim:
-DLL hijacking: abuses the way a Windows process resolves a DLL (Dynamic-Link Library) that is missing from its expected location, so that an arbitrary DLL is loaded into that process instead. Falling back through the DLL search order is a documented feature kept for application-compatibility reasons; the plugin uses it to get the implant loaded. Note that the dropped DLL must be placed on disk in the searched directory, which is the on-disk artifact this technique trades for its low runtime profile.
2: Data exfiltration: collect data from the victim's machine:
-ETW (Event Tracing for Windows) is a facility that lets applications receive events about system activity: VAD allocations, heap operations, image loads, inbound and outbound network traffic, disk I/O, driver loads, process creation, debug prints, registry access, and many other details. The plugin consumes these events to gather vital and otherwise hard-to-obtain intelligence about the target. Because it relies only on a documented Windows facility rather than on hooking or injecting into other processes, it collects that intelligence without the OPSEC risk those techniques carry.
Security products such as Sysmon and Windows Defender also rely on ETW subscriptions for part of their telemetry; Defender in particular consumes the Microsoft-Windows-Threat-Intelligence provider, which reports kernel-observed events such as remote memory allocation and injection. Those subscriptions are what give these products their view of malicious activity, so if the relevant providers or trace sessions were disabled, Windows Defender or Sysmon would receive no events about the implant's process. Two caveats apply: only processes registered as anti-malware protected (PPL, which requires an ELAM-signed driver) can consume the Threat-Intelligence provider, and stopping or altering a security product's trace session is itself a commonly monitored action. Our research on the interaction between AV products and ETW providers, with the aim of subverting it for our benefit, is in progress; customers can expect updates to the ETW plugin.
3: Payload loading: inject shellcode or load a staged payload on the victim machine:
-In a stealthy operation the need may arise to use a staged payload: raw byte-code (shellcode), or the in-memory execution of a DLL (Dynamic-Link Library) or PE (Portable Executable). We do not recommend it, because these techniques leave many memory-resident artifacts and so risk losing OPSEC.
For shellcode execution you may choose the NO-RWX plugin, which does not allocate Read-Write-Execute pages in memory. This lowers the profile of the allocation but does not hide it: a private executable region and the thread running it remain visible to memory scanners. Except for the staging of a DLL or PE, shellcode is executed inside IllusiveFog's own process, since receiving a small piece of byte-code for execution is safer than loading a large blob into RWX memory.
NOTE: the shellcode MUST be FUD (fully undetectable), because IllusiveFog loads it directly rather than staging it.
4: Shell:
-EVTX is the format of the Windows event log files stored in C:\Windows\System32\winevt\Logs. This plugin clears a single event, identified by its EventRecordID. Every event of a log channel accumulates in one such file, which makes the file itself the target of the tampering.
The plugin opens a read/write handle to the EVTX file. To remove an event cleanly, the events are first exported, the file content is then rebuilt in memory without the chosen record, and the result is written back. Note that a removed record leaves a hole in the otherwise contiguous EventRecordID sequence and, unless they are recomputed, invalidates the CRC32 fields of the chunk that held it; both are standard forensic indicators. WARNING: modern EDRs may have behavioral detections for processes that open handles to EVTX files. A separate EVTX parser, implemented as a kernel-mode module, will therefore be provided in the future.
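As an added example (not IllusiveFog code), the following Python script shows what a record deletion of the kind described above looks like to a forensic check. It builds a constructed 64 KiB EVTX chunk whose record bodies are placeholder bytes rather than real BinXML, laid out according to the publicly documented chunk and record headers (as described in the libevtx format notes), then deletes one EventRecordID two ways: a naive edit that leaves the chunk header alone, and a careful one that recomputes the CRC32 fields. The function names, sample record IDs and FILETIME values are assumptions made for the example.

```python
"""EVTX chunk integrity check. Added example, not IllusiveFog code.
Chunk/record offsets follow the documented EVTX layout; all data is constructed."""
import struct
import zlib

CHUNK_SIZE = 0x10000
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
RECORDS_START = 512          # 128-byte chunk header + 384 bytes of string/template tables
HEADER_FIELDS = "<QQQQIIII"  # chunk header fields at offsets 8..56, see build_chunk()


def build_record(record_id, written_filetime, body):
    """Record = magic, size, EventRecordID, FILETIME, body, copy of size.
    The body is placeholder bytes, not real BinXML; padded so the size stays a multiple of 8."""
    body += b"\x00" * (-(28 + len(body)) % 8)
    size = 28 + len(body)
    return RECORD_MAGIC + struct.pack("<IQQ", size, record_id, written_filetime) + body + struct.pack("<I", size)


def record_id_of(rec):
    return struct.unpack_from("<Q", rec, 8)[0]


def header_crc(chunk):
    # The header CRC32 covers bytes 0..120 and the tables at 128..512, not itself (at 124).
    return zlib.crc32(bytes(chunk[:120]) + bytes(chunk[128:512]))


def build_chunk(records):
    """Assemble a 64 KiB chunk from raw records and fill in both CRC32 fields."""
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8] = CHUNK_MAGIC
    off = last_off = RECORDS_START
    for rec in records:
        last_off = off
        chunk[off:off + len(rec)] = rec
        off += len(rec)
    first_id, last_id = record_id_of(records[0]), record_id_of(records[-1])
    rec_crc = zlib.crc32(bytes(chunk[RECORDS_START:off]))
    # first/last record number, first/last EventRecordID, header size,
    # last record offset, free-space offset, CRC32 of the record area
    struct.pack_into(HEADER_FIELDS, chunk, 8, first_id, last_id, first_id, last_id, 128, last_off, off, rec_crc)
    struct.pack_into("<I", chunk, 124, header_crc(chunk))
    return chunk


def extract_records(chunk):
    """Walk the record area; stop at the first slot that is not a well-formed record."""
    chunk = bytes(chunk)
    free = struct.unpack_from("<I", chunk, 48)[0]
    recs, off = [], RECORDS_START
    while off + 28 <= free and chunk[off:off + 4] == RECORD_MAGIC:
        size = struct.unpack_from("<I", chunk, off + 4)[0]
        if size < 28 or off + size > free or struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break
        recs.append(chunk[off:off + size])
        off += size
    return recs


def check_chunk(chunk):
    """Integrity indicators an examiner checks after a suspected record deletion."""
    chunk = bytes(chunk)
    if chunk[:8] != CHUNK_MAGIC:
        raise ValueError("not an EVTX chunk")
    _, _, first_id, last_id, _, _, free, rec_crc = struct.unpack_from(HEADER_FIELDS, chunk, 8)
    ids = [record_id_of(r) for r in extract_records(chunk)]
    expected = list(range(first_id, last_id + 1))
    return {
        "record_ids": ids,
        "header_crc_ok": struct.unpack_from("<I", chunk, 124)[0] == header_crc(chunk),
        "records_crc_ok": rec_crc == zlib.crc32(chunk[RECORDS_START:free]),
        "id_sequence_ok": ids == expected,
        "missing_ids": sorted(set(expected) - set(ids)),
    }


def delete_record(chunk, target_id, fix_checksums):
    """Remove one record by EventRecordID. fix_checksums=False leaves the header
    untouched (a naive edit); True rebuilds the chunk with valid CRCs. Either way
    the EventRecordID sequence keeps a hole."""
    kept = [r for r in extract_records(chunk) if record_id_of(r) != target_id]
    if fix_checksums:
        return build_chunk(kept)
    edited = bytearray(chunk)
    data = b"".join(kept)
    free = struct.unpack_from("<I", edited, 48)[0]
    edited[RECORDS_START:free] = data + b"\x00" * (free - RECORDS_START - len(data))
    return edited


def sample_chunk():
    """Constructed sample: three records with EventRecordIDs 100..102 (FILETIMEs are arbitrary)."""
    return build_chunk([build_record(100 + i, 132537600000000000 + i, b"placeholder-binxml-%d" % i) for i in range(3)])


if __name__ == "__main__":
    original = sample_chunk()
    print("intact :", check_chunk(original))
    print("naive  :", check_chunk(delete_record(original, 101, fix_checksums=False)))
    print("careful:", check_chunk(delete_record(original, 101, fix_checksums=True)))
```

The naive edit fails the record-area CRC immediately. The careful edit passes both CRCs yet still shows EventRecordID 101 missing from the 100..102 range the header claims, which is why ID-sequence gaps are checked alongside checksums. A real file also carries a file header with its own CRC and next-record identifier, and the Event Log service normally holds the channel files open, so the same checks belong at file level as well.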
7: SelfSocks: SOCKS5 proxy
-The victim's machine is turned into a SOCKS5 proxy server, so the operator can pivot through it or route their current network traffic via the victim's machine. WARNING: the firewall may show a notification when the listening port is opened; the prompt is raised by the inbound listener itself. To mitigate this, support for OpenSSL certificates will be provided in the future.
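As an added example of the exchange a SOCKS5 proxy performs (not SelfSocks code; the page does not show its implementation), here is a small Python codec for the RFC 1928 method negotiation and CONNECT request that a SOCKS5 server handles, exercised on constructed client messages. The `connect` callable stands in for the outbound socket and the function names are assumptions made for the example.

```python
"""SOCKS5 (RFC 1928) server-side codec: method negotiation and CONNECT.
Added example, not SelfSocks code; the client messages below are constructed."""
import ipaddress
import struct

VER = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x07, 0x08


class UnsupportedAddressType(ValueError):
    pass


def server_greeting_reply(greeting):
    """Client sends VER NMETHODS METHODS...; server answers VER METHOD.
    Only 'no authentication' is offered; 0xFF tells the client to close."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    methods = greeting[2:2 + greeting[1]]
    if len(methods) != greeting[1]:
        raise ValueError("truncated method list")
    return bytes([VER, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def parse_request(req):
    """Client sends VER CMD RSV ATYP DST.ADDR DST.PORT; returns (cmd, atyp, host, port)."""
    if len(req) < 5 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed request header")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        addr_len = 1 + req[4]  # length-prefixed name, not NUL-terminated
    else:
        raise UnsupportedAddressType("ATYP %#x" % atyp)
    end = 4 + addr_len
    if len(req) != end + 2:
        raise ValueError("request length does not match ATYP")
    if atyp == ATYP_DOMAIN:
        host = req[5:end].decode("ascii")
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(bytes(req[4:end])))
    else:
        host = str(ipaddress.IPv6Address(bytes(req[4:end])))
    port = struct.unpack("!H", req[end:end + 2])[0]  # network byte order
    return cmd, atyp, host, port


def build_reply(rep, bind_host="0.0.0.0", bind_port=0):
    """Server sends VER REP RSV ATYP BND.ADDR BND.PORT."""
    ip = ipaddress.ip_address(bind_host)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([VER, rep, 0x00, atyp]) + ip.packed + struct.pack("!H", bind_port)


def handle_request(req, connect):
    """connect(host, port) -> (bound_host, bound_port) stands in for opening the outbound socket."""
    try:
        cmd, _, host, port = parse_request(req)
    except UnsupportedAddressType:
        return build_reply(REP_ATYP_UNSUPPORTED)
    if cmd != CMD_CONNECT:
        return build_reply(REP_CMD_UNSUPPORTED)
    return build_reply(REP_SUCCESS, *connect(host, port))


# Constructed client messages
CLIENT_GREETING = b"\x05\x01\x00"                                                   # offers no-auth only
CLIENT_CONNECT_DOMAIN = b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb"  # CONNECT example.com:443
CLIENT_CONNECT_IPV4 = b"\x05\x01\x00\x01\x0a\x00\x00\x01\x00\x50"                   # CONNECT 10.0.0.1:80

if __name__ == "__main__":
    print(server_greeting_reply(CLIENT_GREETING).hex())
    print(parse_request(CLIENT_CONNECT_DOMAIN))
    print(handle_request(CLIENT_CONNECT_IPV4, lambda h, p: ("192.0.2.10", 40000)).hex())
```

Any other command (BIND, UDP ASSOCIATE) is refused with REP 0x07 and an unknown address type with 0x08, which is the minimum a proxy that only forwards TCP needs to answer correctly. Authentication is deliberately not negotiated here; a proxy exposed on a listening port without it is usable by anyone who can reach that port.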