The application works without injecting code into other processes, which sets it apart from similar products on the market. By creating a hidden copy of the browser for the user, Godzilla Loader does all of its network activity in the context of a trusted browser process without injecting its own code. The application saves all downloaded files to disk and launches them, after which it is deleted.
The control panel allows you to distribute tasks and keep real-time statistics by bot check-in, geographical coordinates (on a map), country, operating system, OS architecture, time and quantity.
The Godzilla Loader control panel backend is written in PHP and MySQL; the frontend is built with Twitter Bootstrap, jQuery and RaphaelJS.
Minimum system requirements for a botnet of 20-30K bots:
Linux VDS, 512 GB RAM, 1 Core
PHP version 5 and above
MySQL version 5 and higher
The PHP OpenSSL extension
How it works:
Godzilla Loader is written in Microsoft Visual C++ 2010, without ATL/MFC or third-party libraries. Strings are encrypted and generated dynamically at runtime.
The PE file contains two sections, a code section and an import section. It has normal entropy and contains no TLS callbacks or relocations. It has no anti-reversing or virtualization protection.
Downloading files
Files are downloaded through the IWebBrowser COM interface. After startup, the loader creates a window of size 0x0 pixels (not visible to the user) to which it "attaches" the IWebBrowser interface in the context of a local server. From then on, all network activity takes place in the trusted process dllhost.exe, which carries Microsoft's digital signature. This simple trick bypasses protection systems while remaining legitimate to most types of AV protection. This is not a bug but an intended feature of the Windows operating system.
Running EXE / DLL
EXE programs are run using the IShellDispatch COM interface, in the context of the local server, from the trusted process dllhost.exe. In this case the EXE runs with the rights of the current user. To run with administrator rights, see Bypassing UAC.
DLLs are started in the loader's process memory, without saving a local copy to disk.
Autorun in Godzilla is implemented without using the registry or dropping a DLL to disk. First, a shortcut to a file that does not exist yet is created in the Startup folder (CSIDL_STARTUP). The IPersistFile COM interface is used in the context of the local server, as with file downloads, on behalf of the trusted process dllhost.exe. Thus, even if the antivirus wants to check what is located at the path given in the startup shortcut, there is still nothing there. The carrier file is written, after a random period of time, to Program Files if there are enough rights, and otherwise to the current user's directory. Running and checking for new tasks happens once after each system restart.
Privilege escalation / Bypassing UAC
Bypassing UAC is done without dropping files to disk and without injecting code into other processes. The registry hijacking technique is used: a value under HKEY_CURRENT_USER is substituted.
"Event Viewer" (eventvwr.exe, digitally signed by Microsoft) is launched, which starts the desired exe, and the changes made to HKCU are then reverted.
The bypass has been tested and works on Windows 7-10, x32-x64.
The user must be a member of the local Administrators group.
Support for *.bit domains
First of all, I was able to run nslookup (a standard Windows utility, trusted by AV and carrying a Microsoft certificate) from the trusted process dllhost.exe using IShellDispatch, so as not to draw attention, and obtain the list of IP addresses referenced by the *.bit domain. The BIT-DNS servers are hard-coded into the bot. If none of the hard-coded BIT-DNS servers is available, a list of public BIT-DNS servers is retrieved using IWebBrowser in the context of the local server to bypass AV protection.
After obtaining the IP address hosting the C&C server, all requests can be made directly to that IP address.
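As an added detection example (not part of this listing and not the product's own code), the following Python rules run over constructed, Sysmon-style event records and flag the three behaviours described above: dllhost.exe spawning child processes such as nslookup.exe, dllhost.exe writing a .lnk into the Startup folder, and a write under HKCU\Software\Classes followed within a minute by an eventvwr.exe launch. The field names, paths, user names and timestamps are assumptions of the example.

```python
"""Detection rules for dllhost.exe acting as a proxy for child processes and Startup
shortcuts, and for an HKCU Software\\Classes write shortly followed by eventvwr.exe."""
from datetime import datetime, timedelta

STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # per-user Startup folder path fragment
UAC_WINDOW = timedelta(seconds=60)                     # max gap: Classes write -> eventvwr launch

def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Run all rules over time-ordered events; return (rule, severity, event id) tuples."""
    alerts = []
    last_classes_write = {}  # user -> time of most recent HKCU\Software\Classes write
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "process_create":
            if _name(ev["parent_image"]) == "dllhost.exe":
                # The COM surrogate rarely spawns processes; nslookup.exe matches the .bit lookup.
                sev = "high" if _name(ev["image"]) == "nslookup.exe" else "medium"
                alerts.append(("dllhost_child_process", sev, ev["id"]))
            if _name(ev["image"]) == "eventvwr.exe":
                prev = last_classes_write.get(ev["user"])
                if prev is not None and t - prev <= UAC_WINDOW:
                    alerts.append(("hkcu_classes_then_eventvwr", "high", ev["id"]))
        elif ev["type"] == "file_create":
            target = ev["target"].lower()
            if _name(ev["image"]) == "dllhost.exe" and STARTUP_MARKER in target and target.endswith(".lnk"):
                alerts.append(("dllhost_startup_shortcut", "high", ev["id"]))
        elif ev["type"] == "registry_set":
            if ev["key"].lower().startswith("hkcu\\software\\classes\\"):
                last_classes_write[ev["user"]] = t
    return alerts

# Constructed sample telemetry (not real logs); the paths, users and times are invented.
SAMPLE_EVENTS = [
    {"id": "e2", "time": "2024-05-01T09:00:05", "type": "registry_set", "user": "LAB\\alice",
     "key": "HKCU\\Software\\Classes\\mscfile\\shell\\open\\command"},
    {"id": "e3", "time": "2024-05-01T09:00:20", "type": "process_create", "user": "LAB\\alice",
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe", "image": "C:\\Windows\\System32\\eventvwr.exe"},
    {"id": "e4", "time": "2024-05-01T09:00:31", "type": "process_create", "user": "LAB\\alice",
     "parent_image": "C:\\Windows\\System32\\dllhost.exe", "image": "C:\\Windows\\System32\\nslookup.exe"},
    {"id": "e5", "time": "2024-05-01T09:01:02", "type": "file_create", "user": "LAB\\alice",
     "image": "C:\\Windows\\System32\\dllhost.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\stage.lnk"},
    {"id": "e6", "time": "2024-05-01T09:05:00", "type": "process_create", "user": "LAB\\bob",
     "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\eventvwr.exe"},  # no prior write
]
```

The last record shows the correlation rule staying quiet for an Event Viewer launch with no preceding per-user Classes write, which is the everyday case an analyst must not be paged for.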
Written in pure C and WinAPI, without ATL/MFC or third-party libraries;
Uncompressed EXE size with full functionality: ~12 KB non-resident, ~15 KB resident;
Bypassing most types of AV protection: Low IL, HIPS;
Raising privileges to SYSTEM;
Executing DLLs in the loader's process memory, without saving to disk;
Running drivers;
Verification of the C&C server using an RSA signature on the server response;
Deleting shadow copies and Windows restore points;
Support for *.bit domains;
Real-time statistics, without needing to refresh the page;
Distribution of tasks by country, time, operating system, OS architecture and quantity;
Statistics by geographical coordinates, time, operating system versions, check-ins, and online for a day or a week;
Interface localization in Russian and English;
Night/day theme for convenient use at any time of day;
Guest statistics access via token;
Automatic (via cron) or manual EXE update in the control panel;