Using Multi-Phase Attacks

How to use a multi-phase attack when secretly and remotely installing a key logger or other spy program on a target computer.

Let's say you have a long list of targets that you want to attack/hack. redpill Hacker allows you to import the list of targets and then quickly and easily send an email with a payload to all of them with the click of a button. However, simply emailing your payload (which secretly installs a key logger or other spy program) to a list of targets is a bad idea for the following reasons:

  • They might run the payload on the wrong device (Android phone, tablet or Apple device). You want them to run it on their Windows computer.
  • It will drastically increase the Anti-Virus exposure of your payload. Too much exposure of your payloads can lead to your edition of redpill Hacker creating payloads that are easily detected by Anti-Virus. Your edition will then be 'burnt' and you will require a rebuild.
  • The lack of good social engineering will make most targets suspicious, and they will most likely not run the payload.

The Multi-Phase Attack

In a multi-phase attack you break your 'attack' up into phases. In the first phase you only establish contact: you email all your targets using a 'social engineering only' template in redpill Hacker. From the replies you get, you will be able to determine which targets will fall for your con and who will run your payload.

During the second phase you have already established contact, so there is now a sense of familiarity that makes the targets less suspicious. They will also be expecting your second email, so you can prepare them to open the email attachment (payload) on the correct device (a Windows PC) and you can explain that they need to allow the payload to run.

You also only send your payloads to targets where the installation will most likely succeed, so there is no unnecessary exposure of your payloads.

Example of a Multi-Phase Attack

An example of a multi-phase attack is the 'Bitcoin Mining - Phase 1' and 'Bitcoin Mining - Phase 2' (both versions) templates in redpill Hacker.

The con is simple. There is a new bitcoin mining app that generates bitcoin from mining fees more quickly. It is an easy way to make money. The app can run on any Windows computer and no special hardware is required. All you need to do is run the app on your PC in the background and it will generate bitcoins from mining fees for you. The app, however, will only be free for users who are willing to test the BETA version of the application.

The first template (Bitcoin Mining - Phase 1) is a 'social engineering only' template, used solely to establish contact and get feedback from targets who would want to run the app. For this example we will just use the default template as shown below.

[Screenshot: social engineering template]

For the first phase, all you need to do is select 'Social Engineering Only' from the Attack Menu in redpill Hacker.

[Screenshot: social engineering attack]

When you select 'Attack All', all the targets in your list will receive the personalized email telling them about the bitcoin mining app (our con). As you get feedback from targets, you change their status to 'Attack Stage 2'.

[Screenshot: multiple targets]

For the second phase we will use the 'Bitcoin Mining - Phase 2 (Attached)' template as shown below. You can use the default template or make some changes if you want.

[Screenshot: convincing a target to run a payload]

The second template (Phase 2) will be used by redpill Hacker to generate the payload itself (QuickMoney Bitcoin Miner) as well as emailing the payload to the selected targets.

To do the attack, in redpill Hacker select 'Attack' > 'Social Engineering Email with Payload'. Then select the 'Bitcoin Mining - Phase 2 (Attached)' template.

[Screenshot: emailing payload]

You then filter your targets by 'Attack Stage 2' (those who have shown interest).

They will be expecting the second email and there will already be a level of trust. The template explains that they need to run it on a Windows computer and even explains that the application is a BETA version and therefore not yet known to Anti-Virus as a legitimate and safe application.

Your success rate is greatly increased because you have built a level of trust with the targets over multiple emails and you have ensured the application will be run on a Windows computer. You have also avoided unnecessary exposure of your payload.