S12cybersecurity / ShadowByte-Botnet

Complete Botnet Infrastucture with Malicious C&C Server And Malware Agents to infect Windows OS


ShadowByte Botnet


A complete botnet infrastructure: the victim-side agent is written in C++, and the attacker-side malicious server in web languages (HTML, CSS, JavaScript and PHP).

The architecture of ShadowByte splits cleanly along that line. The victim-side code is native C++, while the attacker's server is a PHP web application with an HTML, CSS and JavaScript front end. The infected machines and the centralized command-and-control server communicate over HTTP.

Server C&C

Pages

The C&C server has only two pages: the login page and the home page, which lists all the zombies.

Home Page:

image

This is the home page. It lists the entries of the SQLite database, which represent all the zombies in the botnet, and it lets the operator execute a command on every zombie stored in the database.

The last feature of the page is logging out of the current user.

Login Page

image

The login is very simple: as its name says, it is a login form backed by the SQLite database.

Now the agent malware code, the part of the botnet infrastructure that is the binary executed on the victim system.

The malware consists of two binaries: one that is run on the victim system and a second one hosted on the malicious C&C server.

The first binary, stored on the victim machine and run as administrator, sends an HTTP request to add the machine to the server's zombie list, then downloads the second binary, which is a Windows service executable. It then creates a persistent service from the downloaded binary; creating a service is why the first binary has to run with administrator rights. At that point the first binary has finished its job and can be deleted.

From this moment on you do not need to run or execute anything else on the victim machine: you have full remote code execution on it.
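Because the persistence mechanism described above is a newly installed Windows service, the defender-side check a practitioner wants is to watch Event ID 7045 ("A service was installed in the system") in the System log. The following is an added example, not code from the ShadowByte repository: it parses a few constructed 7045 records (the `Key=Value` text export format and the field names are assumptions for this example, not a real Windows export) and flags installs whose service name is on a watchlist or whose image path lies outside the standard system directories.

```python
"""Flag suspicious Windows service installations from System log records.

Added example; not part of the ShadowByte repository. The input format
(one record per line, Key=Value fields, quoted values may contain spaces)
is an assumption made for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample export, not real log data. The "zombie" service name
# is the one the agent described above creates on the victim machine.
SAMPLE_LOG = r"""
EventID=7045 Time=2024-05-01T10:02:11 ServiceName=zombie ImagePath=C:\Users\victim\AppData\Local\Temp\svc.exe StartType="auto start" Account=LocalSystem
EventID=7045 Time=2024-05-01T10:05:40 ServiceName=WinDefend ImagePath="C:\Program Files\Windows Defender\MsMpEng.exe" StartType="auto start" Account=LocalSystem
EventID=7036 Time=2024-05-01T10:06:01 ServiceName=Spooler State=running
EventID=7045 Time=2024-05-01T10:09:13 ServiceName=UpdateHelper ImagePath=C:\ProgramData\upd\helper.exe StartType="demand start" Account=LocalSystem
"""

# Directories where legitimately installed service binaries normally live.
# Anything else (user profiles, Temp, ProgramData) deserves a look.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Service names known to be used by the agent; extend from threat intel.
WATCHLIST = {"zombie"}

# Matches Key=Value where Value is either a quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    service_name: str
    image_path: str
    start_type: str
    reasons: list


def parse_record(line):
    """Turn one exported record into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_trusted_path(path):
    """True if the image path starts with one of the trusted directories."""
    normalized = path.strip('"').lower()
    return any(normalized.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def check_service_installs(text):
    """Return a Finding for every 7045 record that looks suspicious."""
    findings = []
    for line in text.splitlines():
        record = parse_record(line)
        if record.get("EventID") != "7045":
            continue  # only service-installation events matter here
        name = record.get("ServiceName", "")
        image = record.get("ImagePath", "")
        reasons = []
        if name.lower() in WATCHLIST:
            reasons.append("service name on watchlist")
        if not is_trusted_path(image):
            reasons.append("image outside system directories")
        if reasons:
            findings.append(Finding(name, image, record.get("StartType", ""), reasons))
    return findings


if __name__ == "__main__":
    for finding in check_service_installs(SAMPLE_LOG):
        print(f"{finding.service_name}: {finding.image_path} "
              f"({finding.start_type}) -> {', '.join(finding.reasons)}")
```

On a real host the same logic applies to `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` output; the path check matters more than the name, since the service name is trivially changed while a service binary dropped under a user profile or Temp is unusual for legitimate software.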

Let's show the use with screenshots:

First I start my Apache service to host the C&C server.

image

I log in:

image

image

Let's execute the malware binary:

image

image

Run as administrator, and now I check whether the service called zombie has been created:

image

And when I restart Windows, the service is started:

image

Now from the C&C server I can execute a command:

image

And I click Send:

image

The file is created and this is its content:

image
