Godzilla Loader

The application works without introducing code into other people’s processes, which in turn is a unique difference compared to other similar products on the market. By creating a non-visible copy of the browser for the user, Godzilla Loader does all the work with the network in the context of a trusted browser process without introducing its code. The application saves to disk and launches all downloaded files, after which it is deleted.
The control panel allows you to distribute tasks and keep statistics in real time by indentation, geographical coordinates(on the map), countries, operating systems, OS architecture, time and quantity.

*The Godzilla Loader control panel backend is written in PHP and MySQL, the frontend is on Twitter Bootstrap, jQuery, and RaphaelJS.

Minimum system requirements for a botnet in 20-30K:

• Linux VDS, 512 GB RAM, 1 Core
• PHP version 5 and above
• MySQL version 5 and higher
• The PHP OpenSSL extension
• Task Manager

How it works:

General information

Godzilla Loader is written in MSVisual C ++ 2010, without the use of ATL / MFC and third-party libraries. The lines are encrypted and generated dynamically, at runtime.
The PE file contains two sections, a code section, and an import section. It has normal entropy, does not contain TLS-coils, relocations. Has no protection from reverse, virtualization.

Downloading files The files are

downloaded on the IWebBrowser COM interface. After startup, it creates a window with the size 0x0 pixels (not visible to the user) to which it “attaches” the IWebBrowser interface in the context of the local server. In the future, work with the network, goes to the trusted process dllhost.exe with the digital signature of Microsoft. Such a simple trick, allows you to bypass the protection system and at the same time remain legitimate for most types of AV protection. This is not a bug, but the provided feature of the Windows operating system.

Running EXE / DLL

Running exe programs is done using the IShellDispatch COM interface, in the context of the local server, from the trusted process dllhost.exe. EXE runs in this case with the rights of the current user. To run with administrator rights, see bypassing UAC.
DLLs start in the loader process memory, without saving the local copy to disk.

AutoPlay 

AutoPlay in Godzilla is made without using the registry, dll reset to itp disk. First of all, a shortcut is created in the autorun folder (CSIDL_STARTUP) on the file that does not exist yet. The COM interface of IPersistFile is used in the context of the local server, as well as when downloading files – on behalf of the trusted process dllhost.exe. Thus, even if the antivirus has a desire to verify that it is located along the path indicated in the startup shortcut, there will still be nothing. The media file, in a random period of time, is stored in the Program Files if there are enough rights, if not enough, in the current user’s directory. Running and checking for new tasks occurs once after the system restart. 

Privilege enhancement / Bypassing UAC 

Bypassing UAC is done without flushing files to disk, without introducing code into other processes. The technique of registry hijacking is used, the value in HKEY_CURRENT_USER is substituted.
Run “Event Viewer” (eventvwr.exe, digitally signed by Microsoft), start the desired exe and clear the changes you made to the HKCU.
The workaround is checked and works on Windows 7-10, x32-x64.
The user must be a member of the local administrator’s group.

Support for * .bit domains
First of all, I was able to run nslookup (a standard utility in Windows, have an AV trust and a certificate from Microsoft) from the trusted process dllhost.exe, using IShellDispatch to distract attention, gets a list of IP addresses referenced by * .bit domain. BIT-DNS servers are sewn into the bot. If none of the BIT-DNS servers wired into the bot is available, then the list of public BIT-DNS servers is retrieved using IWebBrowser in the context of the local server to bypass the AV protection.
After obtaining the IP-address, which hosts the C & C server, it can perform all requests directly through the IP address.