Threat Management, Incident Response, Network Security, TDR

A stealthy Command and Control Python App That Uses Twitter

I enjoy following darknet.org.uk because they come up with some great proof of concept projects. Twittor is one of those.  You can find the details including download for the Python script here:

https://www.darknet.org.uk/2015/10/twittor-backdoor-using-twitter-for-command-control/

Let's just review briefly the purpose of a command and control (C2) host.  It has one primary application: manage a botnet.  The trick with C2 hosts, though, is to keep them hard to find by the good guys while allowing the bad guys to manage their botnets. What better way to hide a C2 than in plain site? Hiding on Twitter, Facebook, and other social media has become a way for the adversary to get the best of both worlds: herd his/her bots and hide out from threat hunters.

Twittor is a great proof of concept C2 that uses Twitter as its hiding place.  There are two pieces to this: implant.py – the backdoor – and twittor.py – the client side. There is an excellent readme file called README.md.  It's a markdown file so you'll need some sort of markdown editor to read it.  If you don't have one, I recommend – for Windows, anyway – MdNote.  It's free in the Microsoft app store. The developers have gone to a lot of trouble to document this tool thoroughly.

This is an amazingly flexible bot herder, given that it has a limited command vocabulary and is not intended to join the threatscape and play with the big dogs. After you play with it a bit you'll dream up some neat ways to use it, I'm sure. 

It has some inherent commands but you also can use your bots to retrieve a meterpreter session and the README.md file gives an excellent example of generating meterpreter shell code using msfvenom (this single tool replaces msfpayload and msfencode). You use the !shellcode command to interact with the bot and it works with Windows hosts. For more detail on msfvenom for new Metasploit users, see:

https://www.offensive-security.com/metasploit-unleashed/msfvenom/

If you stick to the few commands that come with Twittor you'll have:

  •  refresh - refresh C&C control
  •  list_bots - list active bots
  •  list_commands - list executed commands
  •  !retrieve <jobid> - retrieve jobid command
  •  !cmd <MAC ADDRESS> command - execute the command on the bot
  •  !shellcode <MAC ADDRESS> shellcode - load and execute shellcode in memory (Windows only)
  •  help - print this usage
  •  exit - exit the client

For those of you who are pretty good with Python, adding capability to Twittor should be a walk in the park.  The code is clever but pretty plain vanilla.

Your first task will be to register an app on Twitter.  That will generate some tokens that you will need to put into your application.  From that point on things get pretty straightforward. Everything you need is in the download package.

So, why would you want to do this?  Most of you are not going to deploy evil botnets, so why bother?  The fact is that deploying something such as this in your environment gives you the opportunity to see how your endpoints – and servers – will react to having a bot placed on them.  Mostly, we find that placing the bot is not too big a deal.  What is a big deal is using this tool to see what data it can exfiltrate from your enterprise.  The answer, of course, should be “none”.

On to the state of the threatscape for this week.  One of the recent happenings in the threatscape – since we're talking about bots in this posting – is the introduction of a fast flux (we'll talk about that in a future posting) reverse-proxy bot called Fluxer. Quoting from the actor's advertisement for Fluxer:

“After infecting the target box, the bot initializes a reverse-proxy server and connects to a control panel. The control panel then checks on operability of http-transport via the bot and decides whether to register it or send a self-removal command (i.e. in case the bot is behind a NAT or was unable to open a port). After that the bot is provided with a config file and it starts to operate as a frontend for your server.”

The actor is Russian, judging from the language of his posting in exploit.in. My sources rate this as confirmed by other sources.  The bot will be sold to a single buyer via an auction.  Look for this one coming fairly soon.

That wraps it for this posting.

So… until next time….

--Dr.S

If you use Flipboard, you can find my pages at https://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – nothing particularly technical, but interesting stories none-the-less.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.