Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/safebreach-labs/doubledrive

A fully-undetectable ransomware that utilizes OneDrive & Google Drive to encrypt target local files
https://github.com/safebreach-labs/doubledrive

Last synced: about 21 hours ago
JSON representation

A fully-undetectable ransomware that utilizes OneDrive & Google Drive to encrypt target local files

Host: GitHub
URL: https://github.com/safebreach-labs/doubledrive
Owner: SafeBreach-Labs
License: bsd-3-clause
Created: 2023-05-23T13:17:38.000Z (over 1 year ago)
Default Branch: main
Last Pushed: 2024-05-28T16:25:59.000Z (6 months ago)
Last Synced: 2024-11-08T10:13:33.598Z (8 days ago)
Language: Python
Homepage:
Size: 125 KB
Stars: 123
Watchers: 5
Forks: 14
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# DoubleDrive
A fully-undetectable ransomware that utilizes Cloud Drive Services to encrypt target files. Presented at Black Hat USA 2023 Briefing under the title - [**One Drive, Double Agent: Clouded OneDrive Turns Sides**](https://www.blackhat.com/us-23/briefings/schedule/index.html#one-drive-double-agent-clouded-onedrive-turns-sides-32695)

## DoubleDrive Python Package
(Tested only on python version 3.11.4)

Implements most of the logic and tools that a DoubleDrive variant needs. In order to create a DoubleDrive variant for a certain cloud storage service, the creator must create 2 different executables using this library's tools:
* An endpoint takeover executable, implements:
* Undetectable legitimate logic that syncs local target paths from the target computer to the cloud storage service using a built-in feature of the local cloud storage app
* Exfiltration of the stolen authentication information so the target local paths become accessible from the cloud storage service API
* A DoubleDrive ransomware executable, implements:
* Collection of the exfiltrated authentication information that was sent by the endpoint takeover executable
* Encryption of all target files by sending API requests to the cloud storage service

## Specific Cloud Storage Services Implementations of DoubleDrive:
### OneDrive
Go into ./onedrive_doubledrive for the specific OneDrive variant.
You can read how to use it here: [OneDrive DoubleDrive README](onedrive_doubledrive/README.md)

### Google Drive
Go into ./google_drive_doubledrive for the specific Google Drive variant.
You can read how to use it here: [Google Drive DoubleDrive README](google_drive_doubledrive/README.md)

## Author - Or Yair
* LinkedIn - [Or Yair](https://www.linkedin.com/in/or-yair/)
* Twitter - [@oryair1999](https://twitter.com/oryair1999)