Glacier is an open-source proof-of-concept (POC) malware agent with a custom C2 infrastructure.
DO NOT use this project for purposes other than legitimate red teaming/pentesting jobs, or research. DO NOT use this for illegal activity of any kind, and know that this project is intended for research and learning purposes.
I wanted to get a better understanding of basic malware development techniques such as obfuscation, persistence, and data exfiltration. I also wanted to get a basic understanding of how C2 servers are structured, hence the custom C2. Any suggestions for improvements or future projects are greatly appreciated!
The agent was built with Visual Studio 2022 as a Windows desktop application with no console window. It can easily be modified to run as a console application instead.
The C2 server uses Python 3 and requires a MongoDB instance to be running in the background. The other dependencies are pymongo and flask (shutil is part of the Python standard library and needs no separate install).
By default the Flask C2 server listens on localhost:5000 and expects the MongoDB instance at mongodb://127.0.0.1:27017. These defaults are set at the top of main.py and can be changed there; it also helps to read the C2Server class when changing them.
- communicates with the C2 over plain HTTP, with message bodies obfuscated by a custom symmetric encryption scheme
- navigate a victim's file system using a custom dir implementation
- view file contents
- download files from the infected Windows device
- upload files to the infected Windows device
- execute files on the infected Windows device
- retrieve saved Wi-Fi network names and their security information, including passwords
- suspicious functions for editing the registry and executing files are kept out of the import address table (IAT) by resolving their addresses dynamically at runtime
- suspicious strings are obfuscated at compile time and decrypted at runtime
- basic hardware checks (processor count and RAM) are used to detect whether the agent may be running in a sandbox/VM
Each agent receives a random 12-character name when it registers with the C2 server. A key is then derived from that name and used to encrypt all communication between the C2 and the agent, so no single hardcoded key is shared by every agent. Note that the name itself is issued and carried in the clear (the C2 returns it from /reg and it appears in every later request path), so the scheme gives per-agent key separation and obfuscation, not confidentiality against anyone who captures the traffic and knows the derivation.
Without elevated privileges, the agent simply adds itself as a value under the HKCU Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
If the agent is run with elevated privileges, it uses a much stealthier persistence mechanism that does not show up in autoruns.exe. I got this mechanism from this blog by ODDVAR MOE. Essentially, the agent registers itself to run whenever a selected exe exits (Moe's Image File Execution Options / SilentProcessExit technique). The current agent attaches itself to the following executables and runs when they exit:
- Notepad.exe
- OneDrive.exe
- winword.exe
I chose these executables because they are on nearly all Windows devices and are opened and closed frequently.
The agent also adds itself to the HKLM Run key if the writeToRun variable is set to true when the agent is compiled.
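A defender-side check for the registry footprints this persistence section describes, as an added example in Python that is not part of the Glacier project. It assumes Moe's technique is the Image File Execution Options GlobalFlag bit 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) paired with a SilentProcessExit\<exe> MonitorProcess value, parses a constructed `reg export`-style text rather than a live hive, and lists every Run/RunOnce value; the updater.exe path and the OneDriveHelper value name in the sample are invented.

```python
import re

# Constructed `reg export`-style dump (not captured from a real host); the
# binary name and install path are invented for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\Users\\Public\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDriveHelper"="C:\\Users\\Public\\updater.exe"
"""

FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200           # GlobalFlag bit that arms SilentProcessExit
IFEO_MARKER = "\\image file execution options\\"   # matched against lower-cased key paths
SPE_MARKER = "\\silentprocessexit\\"
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')


def parse_reg_export(text: str) -> dict:
    """Map each [key path] to its named values (dword -> int, string -> unescaped str)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            if m.group("dword") is not None:
                keys[current][m.group("name")] = int(m.group("dword"), 16)
            else:
                # .reg files escape backslashes in string data as "\\"
                keys[current][m.group("name")] = m.group("str").replace("\\\\", "\\")
    return keys


def find_persistence(keys: dict) -> list:
    """Flag the three registry footprints described above: IFEO GlobalFlag,
    SilentProcessExit MonitorProcess, and Run/RunOnce values."""
    findings = []
    for path, values in keys.items():
        lower = path.lower()
        exe = path.rsplit("\\", 1)[-1]
        if IFEO_MARKER in lower:
            flag = values.get("GlobalFlag", 0)
            if isinstance(flag, int) and flag & FLG_MONITOR_SILENT_PROCESS_EXIT:
                findings.append({"technique": "ifeo_silent_process_exit_flag", "target": exe,
                                 "detail": f"GlobalFlag=0x{flag:x}"})
        elif SPE_MARKER in lower and "MonitorProcess" in values:
            findings.append({"technique": "silent_process_exit_monitor", "target": exe,
                             "detail": values["MonitorProcess"]})
        elif lower.endswith(RUN_KEY_SUFFIXES):
            for name, command in values.items():
                findings.append({"technique": "run_key", "target": f"{path}\\{name}",
                                 "detail": command})
    return findings


def complete_silent_exit_persistence(findings: list) -> dict:
    """Only an IFEO GlobalFlag *and* a MonitorProcess for the same exe actually fire
    on exit; return {exe: monitored command} for the pairs that are fully armed."""
    flagged = {f["target"] for f in findings if f["technique"] == "ifeo_silent_process_exit_flag"}
    return {f["target"]: f["detail"] for f in findings
            if f["technique"] == "silent_process_exit_monitor" and f["target"] in flagged}


if __name__ == "__main__":
    found = find_persistence(parse_reg_export(SAMPLE_REG))
    for f in found:
        print(f"{f['technique']:32} {f['target']:60} {f['detail']}")
    print("armed on exit:", complete_silent_exit_persistence(found))
```

The chrome.exe IFEO entry is deliberately benign (no GlobalFlag) and is not reported, and the pairing step matters in practice: a stray GlobalFlag or MonitorProcess on its own is noise, the pair is the working persistence.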
The C2 server uses Flask to host an HTTP server that hands tasks to registered agents. Registered agents POST data to and GET data from the following routes:
/reg
[POST] Agent registration with the C2. The C2 responds with the agent's generated name.
/payloads/<agentName>
[GET] Agent gets its current task.
/payloads/<agentName>/results
[POST] Agent sends the results of its previous task to this route.
/<agentName>/getfile
[GET] The agent downloads files specified by the task from this route.
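The registration and tasking exchange over these routes, together with what the name-derived key means for an observer, as an added example in Python that is not the project's own code. The key derivation (SHA-256 of the name), the cipher (an HMAC-SHA256 keystream with an authentication tag) and the JSON task format are stand-ins for Glacier's unspecified custom versions, and the Flask/MongoDB server is replaced by an in-process FakeC2 that answers /reg, /payloads/<agentName> and /payloads/<agentName>/results (the /<agentName>/getfile route is left out). The name alphabet is also an assumption; the page only fixes the length.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

NAME_ALPHABET = string.ascii_letters + string.digits  # assumption: only the length (12) is given


def make_agent_name() -> str:
    """Random 12-character agent name, as assigned by the C2 at registration."""
    return "".join(secrets.choice(NAME_ALPHABET) for _ in range(12))


def derive_key(agent_name: str) -> bytes:
    """Hypothetical per-agent derivation: SHA-256 of the name stands in for the real KDF."""
    return hashlib.sha256(agent_name.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for the 'custom symmetric encryption'."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag lets the receiver reject tampered bodies."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class FakeC2:
    """In-process stand-in for the Flask routes (no network, no MongoDB)."""

    def __init__(self):
        self.agents = {}  # name -> {"key": bytes, "task": dict | None, "results": list}

    def queue_task(self, name: str, task: dict):
        self.agents[name]["task"] = task

    def handle(self, method: str, path: str, body: bytes = b""):
        parts = path.strip("/").split("/")
        if (method, path) == ("POST", "/reg"):
            name = make_agent_name()
            self.agents[name] = {"key": derive_key(name), "task": None, "results": []}
            return 200, name.encode()  # the name goes back to the agent in the clear
        if method == "GET" and len(parts) == 2 and parts[0] == "payloads" and parts[1] in self.agents:
            agent = self.agents[parts[1]]
            task = agent["task"] or {"cmd": "sleep"}
            agent["task"] = None
            return 200, encrypt(agent["key"], json.dumps(task).encode())
        if (method == "POST" and len(parts) == 3 and parts[0] == "payloads"
                and parts[2] == "results" and parts[1] in self.agents):
            agent = self.agents[parts[1]]
            agent["results"].append(json.loads(decrypt(agent["key"], body)))
            return 200, b"ok"
        return 404, b""


def run_exchange() -> dict:
    """Registration, tasking and result upload, plus a passive observer of the same traffic."""
    c2 = FakeC2()
    _, body = c2.handle("POST", "/reg")
    name = body.decode()
    agent_key = derive_key(name)  # the agent derives the same key from its assigned name

    c2.queue_task(name, {"cmd": "dir", "path": "C:\\Program Files\\"})
    task_path = f"/payloads/{name}"
    _, task_blob = c2.handle("GET", task_path)
    task = json.loads(decrypt(agent_key, task_blob))

    result = {"cmd": task["cmd"], "entries": ["Common Files", "Internet Explorer"]}  # constructed output
    c2.handle("POST", f"{task_path}/results", encrypt(agent_key, json.dumps(result).encode()))

    # Anyone who saw the GET can re-derive the key from the name in the path.
    observed_name = task_path.split("/")[2]
    observer_task = json.loads(decrypt(derive_key(observed_name), task_blob))

    return {"name": name, "task_seen_by_agent": task,
            "results_on_server": c2.agents[name]["results"], "observer_recovered": observer_task}


if __name__ == "__main__":
    print(json.dumps(run_exchange(), indent=2))
```

The observer step at the end is the point of the example: because the per-agent key is a function of a value that every request path carries in plaintext over HTTP, network capture of a single GET is enough to read that agent's tasks and to forge results for it. The authentication tag in the stand-in cipher only protects against tampering by someone who does not know the name, which on this protocol is nobody on the path.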
Navigate to main.py in the C2-Server directory and run it. I recommend opening two console windows: one to run the server and watch its output, the other to manage agent tasks.
Start the server with the start-server command. Adding -h to any command prints its help page. This is the general help page for the C2 server:
usage: main.py [-h]
{start-server,toggle-agent,delete-all-agents,delete-agent,change-time,view-agents,dir,download-file,upload-file,execute-file,payload,cat,get-exe-dir,get-net-names,get-net-password,get-all-net-passwords}
...
positional arguments:
{start-server,toggle-agent,delete-all-agents,delete-agent,change-time,view-agents,dir,download-file,upload-file,execute-file,payload,cat,get-exe-dir,get-net-names,get-net-password,get-all-net-passwords}
toggle-agent Toggle agent to use
delete-all-agents deletes all agents from the file and database system
delete-agent deletes an agent along with all files associated with it
change-time Changes the time between an agent's beaconing
view-agents Displays all registered agents
dir performs a custom implementation of dir on the agent
download-file download file from agent
upload-file Uploads a file to the agent
execute-file Executes a file on agent
payload Runs shellcode payload specified by local_filepath on agent
get-exe-dir Gets directory of agent on agent
get-net-names Gets a list of saved network names on toggled agents
get-net-password Gets security info of an agent's wifi network
get-all-net-passwords
Gets all saved network security info
optional arguments:
-h, --help show this help message and exit
Tasks that take a file path argument (dir, cat, download-file, upload-file, execute-file, payload) need the path enclosed in double quotes.
Example:
dir "C:\Program Files\"
The get-net-password task gets the security info and password of a saved network. All saved network names can be retrieved from a victim machine with the get-net-names task. The network name must be enclosed in double quotes.
Example:
get-net-password "TP_Link223"
The toggle-agent command toggles an agent so that all further tasks are assigned to it.
Example:
toggle-agent HRiHha114500
All registered agents can be viewed with the view-agents command. The output looks like the following, where in-use marks the agent currently toggled with toggle-agent:
--- mAdtkV996491 ---
hostname: NONE
address: 127.0.0.1
unused
--- WRzQOR466387 ---
hostname: DESKTOP-5LIWS
address: 127.0.0.1
in-use