anthrax3 / falconstrike

This project forked from wannabe99/falconstrike

A stealthy, targeted Windows Loader for delivering second-stage payloads (shellcode) to the host machine undetected

Home Page: https://slaeryan.github.io/posts/falcon-zero-alpha.html

License: GNU General Public License v3.0

Python 32.01% C++ 62.74% C 5.25%

falconstrike's Introduction

FalconZero

Introducing FalconZero v1.0 - a stealthy, targeted Windows Loader for delivering second-stage payloads (shellcode) from Github to the host machine undetected - the first public release Loader/Dropper of the FALCONSTRIKE project

Features

  • Dynamic shellcode execution
  • Usage of Github as the payload storage area - the payload is fetched from Github - using legitimate sites for implant communication to make it stealthier
  • Targeted implant Loader - only executes on targeted assets - thwarts automated malware analysis and hinders reverse engineering efforts on non-targeted assets
  • Killdates - the implant expires after a specific date
  • Stealthy shellcode injection technique without allocating RWX memory pages in the victim process to evade AV/EDRs - Process hollowing - currently spawns and injects into explorer.exe
  • Sensitive strings encrypted using XOR

Payload Compatibility

And support for many more...

The ones mentioned in the list are the ones verified by the testing team.

Demo

GIF demo

Usage

There are many hard things in life but generating an implant shouldn't be one. This is the reason the generate_implant.py script has been created to make your life a breeze. The process is as simple as:

  • First generate your shellcode as a hex string
  • Upload it on Github and copy the Github raw URL
    For testing (MessageBox shellcode): https://raw.githubusercontent.com/slaeryan/DigitalOceanTest/master/messagebox_shellcode_hex_32.txt
  • git clone https://github.com/slaeryan/FALCONSTRIKE.git
  • cd FALCONSTRIKE
  • pip3 install -r requirements.txt
  • python3 generate_implant.py

Follow the on-screen instructions and you'll find the output in the bin directory if everything goes well.

AV Scan of FalconZero implant

FalconZero v1.0 Antiscan Result

TO-DO

This is an alpha release version and, depending on the response, many more upgrades to existing functionalities are coming soon.

Some of them are:

  • Integrate various Sandbox detection algorithms
  • Integrate support for more stealthy shellcode injection techniques
  • Integrate function obfuscation to make it stealthier
  • Include a network component to call back to a C2 when a Stage-2 payload is released, or to change targets/payloads and configure other options on the fly
  • Inject into a remote process for which network activity is not unusual when fetching the shellcode - better OPSEC
  • Include active-hours functionality - the Loader becomes active only during a specified period of the day, etc.

Feel free to communicate any further feature that you want to see in the next release. Suggestions for improving existing features are also warmly welcome :)

Author

Upayan (@slaeryan) [slaeryan.github.io]

License

All the code included in this project is licensed under the terms of the GNU GPLv3 license.
