IllusiveFog: Windows Administrator level Implant

IllusiveFog

IllusiveFog is an implant kit for Microsoft Windows-based networks for long-term stealthy access and recon.

IllusiveFog is designed for highly covert operations. For that reason its feature set is deliberately kept small, all interaction with the C2 is encrypted, and every action is logged; OPSEC checks are applied at every interaction between the C2 and the mother (the base implant).

IllusiveFog focuses on the base framework itself: communication between the mother and the C2, OPSEC checks, and encryption. Techniques that risk OPSEC, such as process injection or injecting shellcode into other processes, are avoided.

IllusiveFog Features/Plugins:

1. Persistence: install/uninstall persistence on the victim:

- DLL hijacking: abuses the way a Windows process loads a DLL (Dynamic-Link Library) that is not found at its expected location. The loader falls back to the DLL search order (the application directory before the system directories), so an attacker-controlled DLL placed earlier in that order is loaded into the process. This fallback is a documented feature kept for application compatibility, and the plugin uses it to run inside a legitimate process.
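As an added example (Python, not IllusiveFog code and not from this page), the defender-side check that pairs with this plugin: scan DLL load telemetry for the search-order pattern, that is, a name that normally resolves from System32 being loaded from somewhere else, or a Windows binary loading an unsigned DLL from a user-writable path. The event records and the KNOWN_SYSTEM_DLLS allow-list are constructed for the example; the field names (Image, ImageLoaded, Signed) follow Sysmon Event ID 7.

```python
"""Flag DLL loads that fit search-order hijacking in Sysmon ImageLoad (Event ID 7) records.

Added example, not IllusiveFog code. SAMPLE_EVENTS are constructed records, not
real telemetry, and KNOWN_SYSTEM_DLLS is an assumed allow-list of DLL names that
normally resolve from %SystemRoot%\\System32 on a clean host.
"""
from pathlib import PureWindowsPath

SYSTEM_ROOT = r"C:\Windows"
# Assumed for this example; derive the real list from a clean reference host.
KNOWN_SYSTEM_DLLS = {"version.dll", "userenv.dll", "dismcore.dll", "wlbsctrl.dll"}
# Locations an unprivileged user can write to; a Windows binary should never load a DLL from here.
USER_WRITABLE_ROOTS = (r"C:\Users", r"C:\ProgramData")

# Constructed sample events using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    # benign: a system service loads a system DLL from System32
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # hijack pattern A: a System32 name resolved from the application directory
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll", "Signed": "false"},
    # hijack pattern B: a Windows binary loads an unsigned DLL from a user-writable path
    {"Image": r"C:\Windows\System32\dism.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\dismcore.dll", "Signed": "false"},
    # benign: a vendor application loads its own signed DLL from its own directory
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll", "Signed": "true"},
]


def is_under(path: str, root: str) -> bool:
    """Case-insensitive check that `path` lies below directory `root` (NTFS paths are case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in PureWindowsPath(root).parts]
    return parts[:len(root_parts)] == root_parts


def classify(event: dict) -> list:
    """Return the reasons an ImageLoad event looks like DLL hijacking (empty list if it looks benign)."""
    loaded = event["ImageLoaded"]
    name = PureWindowsPath(loaded).name.lower()
    reasons = []
    if name in KNOWN_SYSTEM_DLLS and not is_under(loaded, SYSTEM_ROOT):
        reasons.append(f"{name} normally lives under {SYSTEM_ROOT} but was loaded from {loaded}")
    if is_under(event["Image"], SYSTEM_ROOT) and any(is_under(loaded, r) for r in USER_WRITABLE_ROOTS):
        reasons.append("Windows binary loaded a DLL from a user-writable location")
    if reasons and event.get("Signed", "false").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    return reasons


def find_hijack_candidates(events) -> list:
    """Return (ImageLoaded, reasons) for every event that classify() flags."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in find_hijack_candidates(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

DLLs on the KnownDLLs list (kernel32.dll among them) are mapped from a protected section and never go through the search order, so the allow-list should only contain names that are actually resolved by search; in a real deployment it is derived from a clean reference host and the function is fed from parsed Sysmon XML rather than an inline list.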

2. Data exfiltration: collect data from the victim's machine:

- ETW (Event Tracing for Windows) is a built-in facility through which a consumer subscribes to providers and receives events about processes: virtual address descriptor (VAD) allocations, heap activity, image loads, inbound and outbound network traffic, disk I/O, driver loads, process creation, debug prints, registry access, and many other details. The plugin uses it to gather vital and otherwise hard-to-obtain intelligence about the target. Because the data comes from a Windows mechanism rather than from hooking or injecting into the observed processes, it can be collected in a covert operation without the OPSEC risk those techniques carry.

The same provider subscriptions are how security products get their telemetry: Windows Defender consumes the Microsoft-Windows-Threat-Intelligence provider, and Sysmon consumes ETW for part of what it logs. A consumer only sees events from providers it is subscribed to, so if these providers are disabled, Windows Defender or Sysmon will receive no events about the process. Note that stopping or altering a trace session is itself recorded by the Microsoft-Windows-Kernel-EventTracing provider, so this is not free of detection risk. Our research on how AV products interact with ETW providers is in progress; customers can expect updates to the ETW plugin.

3. Payload loading: inject shellcode or load a staged payload on the victim's machine:

- In a stealthy operation the need may arise for a staged payload: executing raw byte code (shellcode), or in-memory execution of a DLL or a PE (Portable Executable). We do not recommend it, as it risks OPSEC: in-memory execution leaves many memory-resident artifacts (for example executable regions not backed by a file on disk) that memory scanners look for.

For shellcode execution you may choose the NO-RWX plugin, which does not allocate Read-Write-Execute pages in memory. Note that, except when staging a DLL or PE, shellcode is executed inside IllusiveFog's own process: receiving a small piece of byte code for execution is much safer than loading a large blob into RWX memory.

NOTE: the shellcode MUST be FUD (fully undetectable), because IllusiveFog loads it directly rather than staging it.

4. Shell:

- Shell executes the shell commands it receives. Suspicious APIs such as WinExec or ShellExecute are not used, to maintain OPSEC. You may use it to gather telemetry on the victim's machine, but the commands are limited to an OPSEC-safe set.

5. Verbose-Recon: gather more information on the victim's machine:

- Verbose-Recon gathers the intelligence needed for a stronger foothold on the victim's machine, for example the details required to choose a vulnerability for gaining higher privileges. It collects data such as which exploit mitigations are enabled.
6. EVTX: LogRemover

- EVTX is the format of the event log files stored in C:\Windows\System32\winevt\Logs. This plugin removes a single event, identified by its EventRecordID. Each log channel keeps all of its events, appended in sequence, in one file, which is what makes tampering with an EVTX file risky: the file is one continuous structure, and EventRecordIDs within a channel are sequential, so a removed record leaves a gap that a defender can look for.

A read/write handle to the EVTX file is opened to tamper with it. To remove a given event cleanly, the events are first exported, the target record is dropped in memory, and the result is written back to the EVTX file. WARNING: modern EDRs may have behavioral detections for opening handles to EVTX files. A separate EVTX parser, implemented as a kernel-mode module, will therefore be provided in the future.
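As an added example (Python, not IllusiveFog code and not an excerpt from this page), the check a defender runs against exactly this kind of tampering: walk the records of an EVTX file and report gaps in the EventRecordID sequence, plus any record whose leading and trailing size fields disagree, which is what a careless in-place rewrite leaves behind. The file is built in memory from the documented EVTX layout (ElfFile header, 64 KiB ElfChnk chunks, records tagged 0x2a2a0000) but is a constructed, minimal image: the CRC32 checksums and BinXml templates of real files are omitted.

```python
"""Audit an EVTX file for removed records: gaps in EventRecordID and mismatched size fields.

Added example, not IllusiveFog code. build_evtx() produces a constructed, minimal
EVTX image following the documented on-disk layout; real files also carry CRC32
checksums and BinXml templates, which are omitted here because the audit does
not need them.
"""
import struct

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # 0x2a2a0000 little-endian ("**\0\0")
FILE_HEADER_SIZE = 4096
CHUNK_SIZE = 65536
CHUNK_HEADER_SIZE = 512
RECORD_HEADER_SIZE = 24               # magic(4) + size(4) + EventRecordID(8) + FILETIME(8)
RECORD_TRAILER_SIZE = 4               # size repeated at the end of the record


def build_record(record_id: int, payload: bytes, filetime: int = 0) -> bytes:
    """Serialise one event record: magic, size, EventRecordID, FILETIME, BinXml payload, size again."""
    size = RECORD_HEADER_SIZE + len(payload) + RECORD_TRAILER_SIZE
    return (RECORD_MAGIC + struct.pack("<IQQ", size, record_id, filetime)
            + payload + struct.pack("<I", size))


def build_evtx(record_ids) -> bytes:
    """Constructed single-chunk EVTX image carrying the given EventRecordIDs (payloads are placeholders)."""
    records = b"".join(build_record(rid, b"<Event/>") for rid in record_ids)
    # chunk header: signature, first/last record number, first/last record identifier (rest zeroed)
    header = CHUNK_MAGIC + struct.pack("<QQQQ", record_ids[0], record_ids[-1],
                                       record_ids[0], record_ids[-1])
    chunk = (header.ljust(CHUNK_HEADER_SIZE, b"\x00") + records).ljust(CHUNK_SIZE, b"\x00")
    return FILE_MAGIC.ljust(FILE_HEADER_SIZE, b"\x00") + chunk


def iter_records(data: bytes):
    """Yield (EventRecordID, header size, trailer size) for every record in every chunk, in file order."""
    if data[:len(FILE_MAGIC)] != FILE_MAGIC:
        raise ValueError("not an EVTX file")
    offset = FILE_HEADER_SIZE
    while offset + CHUNK_HEADER_SIZE <= len(data):
        chunk = data[offset:offset + CHUNK_SIZE]
        if chunk[:len(CHUNK_MAGIC)] != CHUNK_MAGIC:
            break                      # zero-filled, unused space at the end of the file
        pos = CHUNK_HEADER_SIZE
        while pos + RECORD_HEADER_SIZE <= len(chunk) and chunk[pos:pos + 4] == RECORD_MAGIC:
            size, record_id = struct.unpack_from("<IQ", chunk, pos + 4)
            if size < RECORD_HEADER_SIZE + RECORD_TRAILER_SIZE or pos + size > len(chunk):
                raise ValueError(f"corrupt record size at chunk offset {pos}")
            trailer = struct.unpack_from("<I", chunk, pos + size - RECORD_TRAILER_SIZE)[0]
            yield record_id, size, trailer
            pos += size
        offset += CHUNK_SIZE


def audit(data: bytes) -> dict:
    """Report the IDs seen, gaps between consecutive IDs, and records whose two size fields disagree."""
    ids, mismatched = [], []
    for record_id, size, trailer in iter_records(data):
        ids.append(record_id)
        if size != trailer:
            mismatched.append(record_id)
    ids.sort()                         # circular logs wrap, so file order is not ID order
    gaps = [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b - a > 1]
    return {"record_ids": ids, "gaps": gaps, "size_mismatch": mismatched}


def tampered_trailer_sample() -> bytes:
    """Constructed file where a sloppy rewrite of record 2 updated the header size but not the trailer."""
    image = bytearray(build_evtx([1, 2, 3]))
    pos = FILE_HEADER_SIZE + CHUNK_HEADER_SIZE + len(build_record(1, b"<Event/>"))
    size = struct.unpack_from("<I", image, pos + 4)[0]
    struct.pack_into("<I", image, pos + size - RECORD_TRAILER_SIZE, size + 1)
    return bytes(image)


if __name__ == "__main__":
    print("intact:     ", audit(build_evtx([100, 101, 102, 103])))
    print("one removed:", audit(build_evtx([100, 101, 103, 104])))
    print("bad trailer:", audit(tampered_trailer_sample()))
```

Sorting the IDs before the gap check matters because a circular (overwriting) log writes its newest chunk wherever the wrap landed, so file order is not ID order. Retention never produces a gap: the oldest records simply fall off the low end of the range, whereas a hole in the middle of an otherwise contiguous run is the signature of a removed record.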

7. SelfSocks: SOCKS5 proxy

- The victim's machine is turned into a SOCKS5 proxy server, so that the operator can pivot through it or route current network traffic via it. WARNING: because the proxy listens on a port, a firewall notification about the opened port may appear; to mitigate this, support for OpenSSL certificates will be provided in the future.

Install & Use