Giters

Chomikmarkus / bash-malware-dropper

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Bash Malware Dropper

Overview

  • Designed as an initial dropper script to gain multiple foot holds into a target system.
  • Coupled with a bot that brute forces SSH credentials it can be a formidable way to persist on a target device.
  • All code in this project is my own.
  • Please use responsibly, this project was created for research purposes only, and to allow for better identification of malware infections. The author assumes no liability for the use or misuse of any and all code contained in this or other repositories.

Usage

  • git clone the repository
  • Host the dropper script on a VPS or other internet connected device with a static ip.
  • Have your bot call out to the hosting device and pull the dropper script down.
  • Execute with:
./shm.sh 2>/dev/null
  • Enjoy your foothold

Methods

  • Script checks to ensure that it is running as root, if not it deletes itself
  • Script ensures that the target device is a compatable Linux System, if not it deletes itself
  • Script checks that it is a systemd system, if not it deletes
  • After those checks are completed it will ensure netcat is on the target system
  • If it is, it will call out back to a VPS of your choosing, if not it will skip that step
  • It will then add a service unit called network.service located in /etc/systemd/system which will call out on device reboot, and upon the service unit being loaded immediately after file creation
  • It will then create two cron jobs one which serves as another call out method, and the second is the execution of the checker script that ensures the network.service file has not been deleted.
  • It then moves on to create a checker script called proc that is located in /dev/shm/.proc/proc that will check to ensure the service unit has been been deleted every 10 minutes. If it has been deleted it will copy the mirror image of the service file located at /dev/shm/.fstab/fstab back to /etc/systemd/system.
  • It will finally install a public ssh key in /root/.ssh/authorized_keys allowing for ssh key peristance.
  • Upon recieving a reverse shell, recommendation is to immediately capture the device ip address in order to utilize the ssh key method of persistance.
  • It will then delete itself off disk.

About

License:The Unlicense

Languages

Language:Shell 100.0%