Silent Tor Server: A Fresh Approach to Malware Exfiltration and Command & Control

Date: July 23, 2024

The Idea

It all started with a simple idea about four months ago, during a night study session. Rather than relying on the traditional model of controlling malware through centralized servers, I asked myself: why not use the victim's own device?

The Concept

Instead of the typical Command and Control (C2) infrastructure, where control runs through servers we maintain, the victim's device becomes the server. The obvious obstacle was port forwarding: exposing a listener on the victim's machine would have required manual router configuration by the victim, which I could not arrange.

Resurfacing the Idea

Later I found a way around it: a tunnelling service like ngrok would avoid port forwarding altogether. Yet I was not sure. Reimplementing ngrok is hard, and I had neither the time nor the nerve to do it.

The Breakthrough

Then I thought of Tor. An onion service is reachable from the Tor network without any inbound port, because the service itself connects outward to its introduction points, so it works behind NAT with no router changes, and it offers stronger privacy than a commercial tunnel. Because the victim's device is the one acting as a server, the activity looks less like malware and is less likely to trigger antivirus software.

Implementation

Once the POC malware is launched, it installs Tor and obtains a fresh onion address. On that onion address it hosts the victim's filesystem as a directory listing, protected with a randomly generated password.

Photo: Directory listing

A later enhancement was an API that secures the onion URLs with straightforward authentication. When executed, the malware generates a unique onion address and password and transmits them securely to my API.

Photo: SimpleAuth

Command and Control

Central to this approach is a custom Go script that serves a backend /exec endpoint. The endpoint enables direct command execution on the victim's device through its onion address; for instance, example.onion/exec?cmd=whoami runs whoami. In effect it mimics a server that was intentionally left vulnerable to remote code execution (RCE), a deliberate disguise to evade antivirus detection. The disguise cuts both ways: anyone who learns the onion address and the password has exactly the same command execution on the victim, so the secrecy of those two values is the whole access control.
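The post does not show the Go script or the torrc that tor needs to expose the local server, so here is an added example for the defending side of this design; it is not code from the PoC or from pato.pw. It parses the HiddenServiceDir/HiddenServicePort lines that turn a local listener into an onion service (and records where tor will write the onion address, the hostname file in that directory), then scans web-server access-log lines for the /exec?cmd= request shape described above and for fetches of logins.json. The torrc and log lines are constructed, the local port 8080 is an assumption, and Common Log Format is assumed for the log.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// HiddenService is one HiddenServicePort line attached to the preceding HiddenServiceDir.
// tor writes the generated onion address to <Dir>/hostname beside the private key.
type HiddenService struct {
	Dir      string // directory holding hostname and the private key
	VirtPort string // port exposed on the onion address
	Target   string // host:port tor forwards to
	Loopback bool   // true when the target is a server on the same machine
}

// ParseTorrc extracts hidden-service definitions from torrc text.
func ParseTorrc(torrc string) []HiddenService {
	var out []HiddenService
	dir := ""
	sc := bufio.NewScanner(strings.NewReader(torrc))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || strings.HasPrefix(f[0], "#") { // comments and keyword-only lines
			continue
		}
		switch f[0] {
		case "HiddenServiceDir":
			dir = f[1]
		case "HiddenServicePort":
			if dir == "" {
				continue
			}
			target := "127.0.0.1:" + f[1] // tor's default; a bare port also means 127.0.0.1
			if len(f) >= 3 {
				target = f[2]
				if !strings.Contains(target, ":") {
					target = "127.0.0.1:" + target
				}
			}
			host, _, _ := net.SplitHostPort(target)
			ip := net.ParseIP(host)
			loop := host == "localhost" || (ip != nil && ip.IsLoopback())
			out = append(out, HiddenService{Dir: dir, VirtPort: f[1], Target: target, Loopback: loop})
		}
	}
	return out
}

// SuspiciousRequests scans Common Log Format lines and returns one finding per request
// that carries a command to the /exec endpoint or fetches a browser credential store.
func SuspiciousRequests(log string) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		_, rest, ok := strings.Cut(sc.Text(), `"`) // drop client, ident, user and timestamp
		req, _, _ := strings.Cut(rest, `"`)        // keep "METHOD PATH PROTO"
		parts := strings.Fields(req)
		if !ok || len(parts) < 2 {
			continue
		}
		u, err := url.ParseRequestURI(parts[1])
		if err != nil {
			continue
		}
		if cmd := u.Query().Get("cmd"); u.Path == "/exec" && cmd != "" {
			findings = append(findings, "exec: "+cmd) // Query() has decoded + and %2F already
		} else if strings.HasSuffix(u.Path, "/logins.json") {
			findings = append(findings, "credential file: "+u.Path)
		}
	}
	return findings
}

// SampleTorrc and SampleLog are constructed inputs, not material from the PoC; port 8080 is assumed.
const SampleTorrc = `
HiddenServiceDir /tmp/hs
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /tmp/other
HiddenServicePort 443 10.0.0.5:443
`
const SampleLog = `10.0.0.9 - - [23/Jul/2024:21:14:10 +0000] "GET /exec?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1" 200 1844
10.0.0.9 - - [23/Jul/2024:21:14:22 +0000] "GET /users/admin/path/to/browser/logins.json HTTP/1.1" 200 2200
10.0.0.9 - - [23/Jul/2024:21:14:30 +0000] "GET /execute?cmd=id HTTP/1.1" 404 0
`

func main() {
	for _, hs := range ParseTorrc(SampleTorrc) {
		fmt.Printf("%s -> %s (loopback=%v)\n", hs.Dir, hs.Target, hs.Loopback)
	}
	for _, f := range SuspiciousRequests(SampleLog) {
		fmt.Println(f)
	}
}
```

Two points from the output are worth noting. A hidden service whose target is a loopback address is the configuration this post relies on, and the hostname file in its HiddenServiceDir is where both the loader and an incident responder recover the onion address. On the log side the path is matched exactly, so /execute is not reported; the URL-decoded command is what lands in the finding, which is what an analyst wants to read.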
Photo: Command and control

Other Ideas

This design opens up many possibilities. You can extend it to stream the victim's screen over Tor, or add functions to compress and upload files. It can serve as a dropper for ransomware or crypto miners. You could also write a simple script that watches the list for new onions and steals saved browser passwords with a single GET request, for example:

Hostname.onion/users/admin/path/to/browser/logins.json

(logins.json is Firefox's credential store; the entries in it are encrypted, so the same profile's key4.db is also needed to decrypt them.) All of this with zero detections.

Support Us

If you find our content valuable and wish to support our work, consider donating Monero to our wallet:

Monero Wallet Address: 43patopwSHm414em8xzTScaBm5zVme7Z4V4ZASh9hkkWg7513GJcsuY54ejnCYDi9a8tQryLpcqWqB26Apc3dum2VdR39iC

Onion address: PATOPW5vqsru3tygsurkp525h5vhrbeza26nlbqm2jb6btptffvz7nid.onion

Link to POC: github.com/patopw/open-directory-malware

© 2024 pato.pw. All rights reserved.