
Introducing FalconZero v1.0 - a stealthy, targeted Windows Loader for delivering second-stage payloads (shellcode) to the host machine undetected - the first public release version of the Loader/Dropper of the FALCONSTRIKE project
Features
- Dynamic shellcode execution
- Usage of Github as the payload storage area - the payload is fetched from Github
- Targeted implant Loader - only execute on targeted assets - thwart automated malware analysis and hinder reverse engineering on non-targeted assets
- Killdates - implant expires after a specific date
- Stealthy shellcode injection technique without allocating RWX memory pages in the victim process to evade AV/EDRs - currently injects into explorer.exe
- Sensitive strings encrypted using XOR
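The feature list above describes a recognisable chain from the defender's side: a non-browser process fetching its payload from a GitHub raw URL and then opening or creating a thread in explorer.exe shortly afterwards. The following detection logic is an added example written for this page, not code from the FALCONSTRIKE project; it runs over constructed Sysmon-style events (event IDs 3, 8 and 10, with simplified field names that are my own) and assumes that process-access or remote-thread telemetry is recorded for the injection, since the RWX-avoiding technique means memory-protection-based signatures alone may not fire.

```python
from collections import defaultdict

# Constructed Sysmon-style events (sample data, not real telemetry).
# event_id 3 = NetworkConnect, 10 = ProcessAccess, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"ts": 100, "event_id": 3, "pid": 4120, "image": r"C:\Users\u\Downloads\update.exe",
     "dest_host": "raw.githubusercontent.com"},
    {"ts": 101, "event_id": 3, "pid": 2200, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "raw.githubusercontent.com"},
    {"ts": 103, "event_id": 10, "pid": 4120, "image": r"C:\Users\u\Downloads\update.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"ts": 104, "event_id": 8, "pid": 4120, "image": r"C:\Users\u\Downloads\update.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"ts": 130, "event_id": 10, "pid": 3300, "image": r"C:\Windows\System32\taskmgr.exe",
     "target_image": r"C:\Windows\explorer.exe"},
]

PAYLOAD_HOSTS = {"raw.githubusercontent.com", "github.com"}   # payload storage used by the loader
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}  # expected GitHub clients
INJECT_EVENTS = {8, 10}       # CreateRemoteThread, ProcessAccess
WINDOW = 60                   # seconds allowed between the fetch and the first touch of explorer.exe


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_loader_chain(events, window=WINDOW):
    """Return one alert per pid that fetched from a payload host and then
    opened or created a thread in explorer.exe within `window` seconds."""
    fetched = defaultdict(list)   # pid -> timestamps of payload-host fetches by non-browsers
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == 3 and ev.get("dest_host") in PAYLOAD_HOSTS \
                and basename(ev["image"]) not in BROWSERS:
            fetched[ev["pid"]].append(ev["ts"])
        elif ev["event_id"] in INJECT_EVENTS \
                and basename(ev.get("target_image", "")) == "explorer.exe":
            recent = [t for t in fetched.get(ev["pid"], []) if 0 <= ev["ts"] - t <= window]
            if recent and not any(a["pid"] == ev["pid"] for a in alerts):
                alerts.append({"pid": ev["pid"], "image": ev["image"], "fetch_ts": recent[-1],
                               "inject_ts": ev["ts"], "event_id": ev["event_id"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_loader_chain(SAMPLE_EVENTS):
        print(alert)   # prints the single alert for pid 4120
```

The browser allowlist is a tuning knob: a loader injected into a browser would slip past it, so in production the stronger signal is the second half of the chain (any unusual process touching explorer.exe) with the GitHub fetch as corroboration.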
Payload Compatibility
And support for many more...
The ones mentioned in the list are the ones verified by the testing team.
Usage
There are many hard things in life but generating an implant shouldn't be one. This is the reason the generate_implant.py script has been created to make your life a breeze. The process is as simple as:
First generate your shellcode as a hex string
Upload it on Github and copy the Github raw URL
For testing (MessageBox shellcode): https://raw.githubusercontent.com/slaeryan/DigitalOceanTest/master/messagebox_shellcode_hex_32.txt
git clone https://github.com/slaeryan/FALCONSTRIKE.git
cd FALCONSTRIKE
pip3 install -r requirements.txt
python3 generate_implant.py
Follow the on-screen instructions and you'll find the output in the bin directory if everything goes well.
AV Scan of FalconZero implant
TO-DO
This is an alpha release version and, depending on the response, many more upgrades to existing functionality are coming soon.
Some of them are:
- Integrate various Sandbox detection algorithms
- Integrate support for more stealthy shellcode injection techniques
- Integrate function obfuscation to make it stealthier
- Include a network component to callback to a C2 when a Stage-2 payload is released or to change targets/payloads and configure other options on-the-fly
- Inject to a remote process from where network activity is not unusual for fetching the shellcode - better OPSEC
- Include active hours functionality - Loader becomes active during a specified period of day, etc.
Feel free to communicate any further features that you want to see in the next release. Suggestions for improving existing features are also warmly welcome :)
Author
Upayan (@slaeryan) [slaeryan.github.io]