Bash Malware Dropper

initial_access.sh

Overview

• Designed as an initial dropper script to gain multiple foot holds into a target system.
• Coupled with a bot that brute forces SSH credentials it can be a formidable way to persist on a target device.
• All code in this project is my own.
• Please use responsibly, this project was created for research purposes only, and to allow for better identification of malware infections. The author assumes no liability for the use or misuse of any and all code contained in this or other repositories.

Usage

• git clone the repository
• Host the dropper script on a VPS or other internet connected device with a static ip.
• Have your bot call out to the hosting device and pull the dropper script down.
• There are two methods to use this script
• -b will also beacon out to the ip of your choice for a reverse shell
• omitting -b will have full functionality without the beacon
• (for no beacon) Execute with:

./initial_access.sh 2>/dev/null

• (for a beacon) Execute with:

./initial_access.sh -b 2>/dev/null

• Enjoy your foothold

Methods

Pre-Execution Checks

- Script checks to ensure that it is running as root, if not it deletes itself
- Script ensures that the target device is a compatable Linux System, if not it deletes itself
- Script checks that it is a systemd system, if not it deletes

Cowrie Checks

- Script will run through various checks to ensure it is not running in a Cowrie honeypot
- If it is, it will delete itself

Internet Test

- Script will test to see if it has internet access

Execution

• After those checks are completed it will ensure netcat is on the target system
• If it is, it will call out back to a VPS of your choosing, if not it will skip that step
• It will then add a service unit called network.service located in /etc/systemd/system
• This will call out on device reboot, and upon the service unit being loaded immediately after file creation
• It will then create two cron jobs one which serves as another call out method
• The second is the execution of the checker script that ensures the network.service file has not been deleted.
• It then moves on to create a checker script called proc that is located in /dev/shm/.proc/proc
• This will check to ensure the service unit has been been deleted every 10 minutes.
• If it has been deleted it will copy the mirror image of the service file located at /dev/shm/.fstab/fstab back to /etc/systemd/system.
• It will finally install a public ssh key in /root/.ssh/authorized_keys allowing for ssh key peristance.
• It will then delete itself off disk.

Recommendations

• Upon recieving a reverse shell, recommendation is to immediately capture the device ip address in order to utilize the ssh key method of persistance.

implant.sh

• Add your C2 ip address to the file
• Add your own SSH public key
• Set up your nc listener on port 9001
• Execute the implant script on the target
• Recieve call back and enter help to see the range of commands
• Profit