Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ice-wzl/bash-malware-dropper
Malware written in bash to serve as an initial dropper script that will provide a strong foothold on the target device via reverse shells and persistence techniques, can be set to run via user interaction or coupled with a bot.
https://github.com/ice-wzl/bash-malware-dropper
bash bash-script bot-net centos cowrie cowrie-honeypot cowrie-ssh debian linux malware malware-dropper persistence red-hat red-team reverse-shell reverse-shells ssh systemd
Last synced: 13 days ago
JSON representation
Malware written in bash to serve as an initial dropper script that will provide a strong foothold on the target device via reverse shells and persistence techniques, can be set to run via user interaction or coupled with a bot.
- Host: GitHub
- URL: https://github.com/ice-wzl/bash-malware-dropper
- Owner: ice-wzl
- License: unlicense
- Created: 2021-10-23T19:56:57.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2023-09-18T01:14:34.000Z (over 1 year ago)
- Last Synced: 2023-12-13T04:37:30.732Z (about 1 year ago)
- Topics: bash, bash-script, bot-net, centos, cowrie, cowrie-honeypot, cowrie-ssh, debian, linux, malware, malware-dropper, persistence, red-hat, red-team, reverse-shell, reverse-shells, ssh, systemd
- Language: Shell
- Homepage:
- Size: 443 KB
- Stars: 13
- Watchers: 3
- Forks: 4
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Bash Malware Dropper
## initial_access.sh
## Overview
- Designed as an initial dropper script to gain multiple foot holds into a target system.
- Coupled with a bot that brute forces SSH credentials it can be a formidable way to persist on a target device.
- All code in this project is my own.
- Please use responsibly, this project was created for research purposes only, and to allow for better identification of malware infections. The author assumes no liability for the use or misuse of any and all code contained in this or other repositories.
## Usage
- git clone the repository
- Host the dropper script on a VPS or other internet connected device with a static ip.
- Have your bot call out to the hosting device and pull the dropper script down.
- There are two methods to use this script
- `-b` will also beacon out to the ip of your choice for a reverse shell
- omitting `-b` will have full functionality without the beacon
- (for no beacon) Execute with:
````
./initial_access.sh 2>/dev/null
````
- (for a beacon) Execute with:
````
./initial_access.sh -b 2>/dev/null
````
- Enjoy your foothold
## Methods
### Pre-Execution Checks
````
- Script checks to ensure that it is running as root, if not it deletes itself
- Script ensures that the target device is a compatable Linux System, if not it deletes itself
- Script checks that it is a systemd system, if not it deletes
````
### Cowrie Checks
````
- Script will run through various checks to ensure it is not running in a Cowrie honeypot
- If it is, it will delete itself
````
### Internet Test
````
- Script will test to see if it has internet access
````
### Execution- After those checks are completed it will ensure netcat is on the target system
- If it is, it will call out back to a VPS of your choosing, if not it will skip that step
- It will then add a service unit called `network.service` located in `/etc/systemd/system`
- This will call out on device reboot, and upon the service unit being loaded immediately after file creation
- It will then create two cron jobs one which serves as another call out method
- The second is the execution of the checker script that ensures the `network.service` file has not been deleted.
- It then moves on to create a checker script called `proc` that is located in `/dev/shm/.proc/proc`
- This will check to ensure the service unit has been been deleted every 10 minutes.
- If it has been deleted it will copy the mirror image of the service file located at `/dev/shm/.fstab/fstab` back to `/etc/systemd/system`.
- It will finally install a public ssh key in `/root/.ssh/authorized_keys` allowing for ssh key peristance.
- It will then delete itself off disk.### Recommendations
- Upon recieving a reverse shell, recommendation is to immediately capture the device ip address in order to utilize the `ssh key` method of persistance.
## implant.sh
- Add your C2 ip address to the file
- Add your own SSH public key
- Set up your nc listener on port 9001
- Execute the implant script on the target
- Recieve call back and enter help to see the range of commands
- Profit