Hackers of India

DarkWidow: Customizable Dropper Tool Targeting Windows

By Soumyanil Biswas on 12 Dec 2024 @ Blackhat: Arsenal

This Tool Demo covers the following tools, which the speaker has authored or contributed to:
DARKWIDOW

Abstract

DarkWidow is a customizable dropper tool targeting Windows machines.

Its capabilities are:

  1. Indirect dynamic syscalls
  2. SSN and syscall-instruction address resolution by sorting, via a modified TartarusGate approach
  3. Remote process injection via Early Bird APC (MITRE ATT&CK TTP: T1055.004), so the payload runs before the EDR's user-mode telemetry can catch it
  4. Spawns a sacrificial process as the injection target
  5. Applies the ACG (Arbitrary Code Guard) and BlockDLL (block non-Microsoft-signed DLLs) mitigation policies to the spawned process
  6. PPID spoofing (MITRE ATT&CK TTP: T1134.004)
  7. API resolution starting from the TIB: walks by offset from the TIB to the TEB, then to the PEB, and resolves the Nt API from there (MITRE ATT&CK TTP: T1106)
  8. Nt API and DLL name hashing, so no plaintext API or DLL names are kept
  9. When running with administrator privileges: disables the Windows Event Log by killing every thread of the svchost.exe instance that hosts the service, i.e. terminating that svchost.exe process
  10. Synthetic frame thread stack spoofing

In a test against a Sophos XDR-enabled environment, the tool executed its payload successfully and left the event log clean.