Track 4 03 Protect Your Payloads Modern Keying Techniques Leo Loobeek

Gather a collection of file paths and environment variables that should identify a system to be within the target population.

Concatenate them.

Hash the concatenated string.

Use the first 32 characters of the hash as the encryption key (for AES).

Create functions that retrieve the key data on a target. Going through several (or all possible) variations of this can obfuscate the real key even further, and fake values (such as the time, or DNS addresses of random things) can be added as well.
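Seen from the analyst's side, a key built this way is only as strong as the number of artifact combinations on the affected host. The sketch below is an added example, not code from the talk or from any project named here. It enumerates ordered selections of triage artifacts until one validates. SHA-256 with a hex digest, the function names, the artifact values and the validation oracle (a stand-in for an AES trial decryption plus a header check) are all assumptions.

```python
import hashlib
import math
from itertools import permutations

def derive_key(values):
    """Concatenate, hash, keep the first 32 characters, as in the steps above.
    SHA-256 and hex encoding are assumptions; the notes do not name a hash."""
    return hashlib.sha256("".join(values).encode("utf-8")).hexdigest()[:32]

def candidate_count(n_artifacts, max_parts=3):
    """Number of ordered selections the analyst has to try in the worst case."""
    return sum(math.perm(n_artifacts, n) for n in range(1, max_parts + 1))

def recover_key(artifacts, key_is_valid, max_parts=3):
    """Try every ordered selection of up to max_parts artifacts from the host.
    Returns (key, parts) for the first key the oracle accepts, else None."""
    for n in range(1, max_parts + 1):
        for parts in permutations(artifacts, n):
            key = derive_key(parts)
            if key_is_valid(key):
                return key, parts
    return None

# Constructed triage data from a hypothetical affected workstation.
ARTIFACTS = [
    r"C:\Program Files\ExampleCorp\agent.exe",
    "USERDOMAIN=EXAMPLECORP",
    "COMPUTERNAME=WS-0142",
    "USERNAME=jdoe",
    "PROCESSOR_ARCHITECTURE=AMD64",
    r"C:\Users\jdoe\Documents",
]

# Constructed ground truth so the example runs offline. In a real case the
# oracle is a trial decryption of the embedded blob plus a format check.
TRUE_PARTS = (ARTIFACTS[2], ARTIFACTS[0])

def stand_in_oracle(key):
    return key == derive_key(TRUE_PARTS)

if __name__ == "__main__":
    print("candidates to try:", candidate_count(len(ARTIFACTS)))
    print("recovered:", recover_key(ARTIFACTS, stand_in_oracle))
```

The same search run with artifacts from an analysis VM returns nothing, which is why triage data from the original host matters for keyed samples.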

KeyServer by Leo Loobeek automates serving DNS and HTTP keys and can disable serving after they have been accessed a specific number of times.

See https://twitter.com/c0d3inj3cT for specific examples of how malware actors are currently doing this.

https://github.com/Octoberfest7/BeatRev

The first time the malware runs on a victim, it AES-encrypts the actual payload (an RDLL) using environmental data from that victim. Each subsequent time the malware is run, it gathers that same environmental info, AES-decrypts the payload stored as a byte array within the malware, and runs it. If it fails to decrypt or the payload fails to run, the malware deletes itself. This serves as protection against reverse engineers and malware analysts.