
Malware Development

My Introduction to Malware Development

Before I start I want to say that I do not intend to use this program for any illegal purposes and do not condone that behavior

Recently I have been very interested in developing my own tools for red teaming and penetration testing. This has led me down the path of researching Windows-based malware and trying to write my own Active Directory enumeration. I was starting to get overwhelmed by this and decided I would go back to what I know best: Linux. I have also been interested in learning Golang, so it seems the planets aligned, and that is how this project was born. So what exactly did I make? It started with me coming up with ideas that were starting to feel very similar to a C2 server using Discord. When I realized what an astronomically large task that would be, I decided to do something a lot simpler: persistence to make sure a beacon is always installed. This idea was given to me recently at a career fair by a professional red teamer who has done red teaming for CCDC and said that this was very annoying for the blue team to deal with. As it works out, my school is hosting an RvB event for students to learn blue teaming, where I am part of the red team due to being on the CPTC team. Having next to no previous coding experience made this a tall task, so a big shout out to my friend Alex, who helped me a lot because of his experience making ransomware in Golang.

The Idea

So the basic idea of this “malware” (I’m not sure if it can directly be called malware) was to check constantly for a file and, if it no longer exists, send a notification via a Discord webhook to let us know that a Blue Teamer was trying to remove a beacon, and then simply redownload the beacon. It sounds simple enough, and it would help us a lot on the upcoming engagement.


The Execution

Like I said before, I have very little experience with coding, so that was definitely the hardest part for me. I understood what needed to be done and the basic logic behind it, but actually coding it was a different story. First off, Golang is amazing. I won’t go into too much detail, but overall using it was a great experience.

Without giving out the source code outright, I will give a breakdown of the structure of the program:

Part 1: Getting information about the host

For this I simply have functions to get the IP address and hostname of the system. These are very simple and examples can be found with a quick Google search. One challenge, however, is getting the correct IP to show and ensuring that you don’t get a loopback address. The hostname is very simple and just returns a string as long as there is a valid hostname. Neither of these was hard to add, but they are very important so we know which beacons are being attacked.
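The loopback problem described above, as an added example rather than the post's own code: the address selection is split into a function that takes a plain slice of addresses (so it can be tested on constructed input) and a wrapper that walks the real interfaces. The function names are mine.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
)

// firstNonLoopbackIPv4 returns the first usable IPv4 address in addrs, skipping
// loopback (127.0.0.0/8) and link-local (169.254.0.0/16) addresses. Taking a
// slice lets the selection logic be tested with constructed input.
func firstNonLoopbackIPv4(addrs []net.Addr) (string, error) {
	for _, a := range addrs {
		ipnet, ok := a.(*net.IPNet) // Interface.Addrs() yields *net.IPNet values
		if !ok || ipnet.IP.IsLoopback() || ipnet.IP.IsLinkLocalUnicast() {
			continue
		}
		if ip4 := ipnet.IP.To4(); ip4 != nil {
			return ip4.String(), nil
		}
	}
	return "", errors.New("no non-loopback IPv4 address found")
}

// hostIPv4 walks the system's interfaces, ignores ones that are down or
// flagged loopback, and hands the remaining addresses to firstNonLoopbackIPv4.
func hostIPv4() (string, error) {
	ifaces, err := net.Interfaces()
	if err != nil {
		return "", err
	}
	var addrs []net.Addr
	for _, iface := range ifaces {
		if iface.Flags&net.FlagUp == 0 || iface.Flags&net.FlagLoopback != 0 {
			continue
		}
		if a, err := iface.Addrs(); err == nil {
			addrs = append(addrs, a...)
		}
	}
	return firstNonLoopbackIPv4(addrs)
}

func main() {
	host, _ := os.Hostname() // the kernel's configured hostname
	ip, err := hostIPv4()
	fmt.Printf("hostname=%s ip=%s err=%v\n", host, ip, err)
}
```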

Part 2: Using Discord webhooks

Wow. This part was a struggle to get to a point where I liked how it looked. It started with just sending a simple message, and then I got a great idea that led me down a rabbit hole for the next few hours. I wanted to make it look pretty by using a Discord embed. The great thing about these is that they use simple JSON syntax that looks like:

{
  "content": null,
  "embeds": [
    {
      "title": "What's this?",
      "description": "This is an embed",
      "color": 16711935,
      "fields": [
        {
          "name": "blah",
          "value": "blah"
        }
      ],
      "author": {
        "name": "Persistence Checker"
      }
    }
  ]
}

I will save the explanation of the struggles I had with this for the challenges section, but just know I was making this a lot harder on myself than it had to be.
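The embed JSON above expressed as Go structs, as an added example that is not the post's code. The struct and function names are mine; the field tags match the JSON keys shown above, and the Content pointer reproduces the `"content": null` line.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Field is one name/value pair shown in the embed body.
type Field struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// Embed mirrors the Discord embed object from the post. Color is the decimal
// form of an RGB value (16711935 == 0xFF00FF).
type Embed struct {
	Title       string  `json:"title"`
	Description string  `json:"description"`
	Color       int     `json:"color"`
	Fields      []Field `json:"fields"`
	Author      struct {
		Name string `json:"name"`
	} `json:"author"`
}

// WebhookPayload is the top-level body. Content is a pointer so that leaving
// it unset marshals to JSON null, exactly as in the post's sample.
type WebhookPayload struct {
	Content *string `json:"content"`
	Embeds  []Embed `json:"embeds"`
}

// buildPayload assembles a single-embed payload and returns it as JSON bytes.
func buildPayload(title, desc string, color int, fields []Field, author string) ([]byte, error) {
	e := Embed{Title: title, Description: desc, Color: color, Fields: fields}
	e.Author.Name = author
	if e.Fields == nil { // a nil slice would marshal to null instead of []
		e.Fields = []Field{}
	}
	return json.MarshalIndent(WebhookPayload{Embeds: []Embed{e}}, "", "  ")
}

func main() {
	b, err := buildPayload("What's this?", "This is an embed", 16711935,
		[]Field{{Name: "blah", Value: "blah"}}, "Persistence Checker")
	fmt.Println(string(b), err)
}
```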

Part 3: Checking for the file and downloading a new one

These steps are also logically simple, but executing them was once again a challenge due to my not being familiar with Go. It was easy enough to look up how to do this, however, and it works exactly how I want it to.

Part 4: Running the file

Starting off, I was passing variables through the command line and had the URL for the Discord webhook hard coded. This was fine at first for testing, but I soon realized how easy this would be for a Blue Teamer to catch, since it shows both the target location of the beacon and the download location for a new beacon. When I realized this I switched to using scanners to prompt the user for input:

Using ps aux, this looks fairly innocuous unless you inspect it fully:

In that output the top process is a legitimate polkit process and the bottom one is malicious. I know this isn’t perfect in terms of being fully persistent, but it was something I came up with just now to show.
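From the blue team side, the point of the ps aux comparison above is that the process name is all ps shows once the arguments are gone, so a check has to use something the name does not control. The following is an added example, not from the post: it compares the name a process reports with the executable it is actually running from (/proc/<pid>/exe, resolved by the kernel) and flags daemon names that resolve outside the usual system directories or whose binary was deleted after launch. The daemon list and trusted directories are assumptions for illustration; a real baseline should come from the host's package inventory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Daemon names a masquerading process might borrow (illustrative; build the real list from the host's packages).
var daemonNames = map[string]bool{"polkitd": true}

// Directories where legitimate system daemons are expected to live.
var trustedDirs = []string{"/usr/lib/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/", "/lib/", "/bin/", "/sbin/"}

// classify takes what ps shows (comm) and what it does not (the resolved
// /proc/<pid>/exe target) and reports whether the pair looks wrong.
func classify(comm, exe string) (bool, string) {
	if !daemonNames[strings.TrimSpace(comm)] {
		return false, ""
	}
	if strings.HasSuffix(exe, " (deleted)") { // Linux marks unlinked executables this way
		return true, "binary deleted after launch"
	}
	for _, d := range trustedDirs {
		if strings.HasPrefix(exe, d) {
			return false, ""
		}
	}
	return true, "daemon name but executable outside trusted directories: " + exe
}

// scanProc applies classify to every numeric entry under /proc (Linux only).
func scanProc() []string {
	var hits []string
	pids, _ := filepath.Glob("/proc/[0-9]*")
	for _, p := range pids {
		comm, err := os.ReadFile(filepath.Join(p, "comm"))
		exe, err2 := os.Readlink(filepath.Join(p, "exe")) // needs privilege for other users' processes
		if err != nil || err2 != nil {
			continue
		}
		if bad, why := classify(string(comm), exe); bad {
			hits = append(hits, fmt.Sprintf("pid %s: %s", filepath.Base(p), why))
		}
	}
	return hits
}

func main() { fmt.Println(scanProc()) }
```

Run it as root to see every process; unprivileged, exe links of other users' processes are unreadable and those entries are skipped rather than flagged.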

The Challenges

I have a saying I like to reference whenever I am going through a hard time: “Without struggle, there is no gain”, which is a modification of a Frederick Douglass quote, “If there is no struggle, there is no progress”. This project definitely made me struggle, as I alluded to earlier. The main struggle was getting the Discord webhook to work with the embed, and then realizing that there is already a Go library for this. I spent a very long time trying to figure out how to iterate properly over JSON objects. This ended up being a waste of time, but I did find a good resource for building Go structs from JSON objects: https://mholt.github.io/json-to-go/. Even though this didn’t lead to anything, I am sure I will be back there for a later project.

In conclusion and what’s next?

Overall this project was a lot of fun, and I was able to learn a lot about coding, which is something I don’t have much experience with. It has also given me the desire to make more complex projects, and I already have something in mind, so look out for that.

Once again, special thanks to Alex for the inspiration to tackle this and for the technical help!