During my school internship, I was assigned the task of creating a USB Drop attack. Since I had to come up with the specific way the attack would work, I decided to design it so that when the victim connects my USB to a Windows computer, a folder named ‘secrets 2024’ would appear, which might pique the victim’s interest to open it. However, upon opening it, from the victim’s point of view, it might seem like nothing happened, although in reality, my reverse shell would be launched, which would be executed every time the device is turned on, giving me absolute access to the victim’s device. Next, I will explain step by step how the task was created.
First, I created the reverse shell program itself, for which I decided to use C++ with the libraries winsock2.h (for creating the network socket), ws2_32.lib (required for the winsock2.h library), and windows.h (for using the cmd process). The program uses WinMain so that it can be run as a Windows application without opening a console window, as otherwise, it might seem suspicious to the victim that my shortcut opens some cmd window in the background, which the user would likely try to close.
In the code, I first declare my server’s IP address and port so that the victim’s device knows which server and port to connect to. Then, I implement the Windows socket and specify the necessary parameters required for establishing the connection (the server address will use IP and Socket, and the connection will be TCP-based). After that, I create a sockaddr_in struct, which needs to be declared so that the device can use my server’s address.
If the connection is successful, a new process is created that uses cmd.exe (to execute commands on the victim’s device) and std (to input and output data to the server), which then passes the data to the created socket. If the connection fails, the program attempts to re-establish it after 60 seconds.
If this process is successfully created, it remains open until the process is stopped.
The program is complete and everything should work nicely now, right? Actually, Windows Defender detects the program and prevents it from running. To solve this problem, code obfuscation can be used. This is a process where the program’s code is scrambled in such a way that it is difficult for others (including the computer) to read. This technique is good for bypassing antivirus software because it prevents it from understanding what the program does during static analysis.
For code obfuscation, I decided to create a function that would take any string and output this string transformed into a list of integers where the given numbers would be offsets for specific characters from the string. Then, to obtain the original string content, this process could be reversed using a function that does the opposite of what the obfuscation function does.
After that, suspicious strings, the ws2_32.lib library, and its functions that the antivirus might not like can be obfuscated. Then, using a handle (with the LoadLibraryA function), the library is called so that it is used only during the program’s runtime, thus bypassing the antivirus’s static analysis. To declare the functions of this library, the GetProcAddress function is used, and to call them, the reinterpret_cast function is used (after that, wherever these functions are used, they are called with this function).
As an additional measure to bypass antivirus dynamic analysis, the program can be launched after 60 seconds, as the antivirus usually checks the program’s operation for only a very short period.
Then I had to figure out how the victim could run this reverse shell program from my USB. So, I decided to use a shortcut that would look like a Windows folder but would actually call my program. To ensure the reverse shell doesn’t disappear every time the computer is turned off and on, I decided to create a Batch script that adds this program to the victim’s device AppData folder and then adds it to the Windows Registry so that it is launched every time the device is turned on.
A new problem arose – this batch script opened a CMD window for a few seconds, which might seem quite suspicious to the user. I solved this problem by using VBScript, which allows the script to run without the CMD window launching.
The USB drop task is completed! If you have any suggestions on how to improve this attack, feel free to leave a comment 🙂