Earlier in the year, I became somewhat obsessed with decreasing file entropy while obfuscating shellcode. One of the best resources I found while researching was this blog post by Riley Kidd, which got me looking at encoding shellcode as words. So, I automated it and added a few bells and whistles. This blog post covers the concepts behind the technique - not a full, working PoC, as I’m working on integrating this functionality into a new release of Metsubushi.
When starting out in defence evasion, one of the first things you learn is the value of even the simplest string obfuscation. Back when a lot of malware was written in C, one of the easiest ways to implement this was with pre-processor macros that ran basic XOR operations on string literals. You can see a basic example of that here, albeit one using a Caesar cipher.
Unfortunately, for those of us who like to code in Go, the language has no support for pre-processor macros. So what are our options? Obfuscate the strings manually before compiling our tools? That’s a pretty cumbersome workaround. Luckily for us, Go supports metaprogramming (code generation), which we can use to perform compile-time string obfuscation and get rid of those pesky static signatures.
Recently ShorSec released this amazing blog post which discusses a phishing technique they call “MalRDP” (also known as “Rogue RDP”) in great detail. I decided to experiment with this technique in an Azure environment, and found I could provision the Windows Server instance slightly differently. By removing the WSL steps, and working exclusively inside Windows, it was possible to automate the process (somewhat) with Terraform and Ansible. The Terraform/Ansible project I’ve created will spin up a Windows Server 2022 instance with all the needed tooling and templates to create a Rogue/Mal RDP server “quickly” - roughly 30 minutes accounting for the last few manual configurations.
To paraphrase the biblical texts, “give a man a credential, he’ll pwn for a day; teach a man to phish, he’ll pwn for the rest of his life.” So let’s look at setting up smishing infrastructure with Vonage.