xtr4nge / FruityDC

Dynamic Callbacks can be used for re-establishing communication with C2 infrastructure and for achieving persistence by using different methods incorporating communication with popular websites, domain fronting and multiple protocols.


FruityDC

The FruityDC project and the Dynamic Callbacks methods will be released soon!
As part of the initial release, Dynamic Callbacks will be implemented in the FruityC2 ps-stager and ps-agent.

Dynamic Callbacks

Maintaining persistence and communication between C2 infrastructure and compromised hosts is a fundamental element of successful red team campaigns. This is well understood by defenders, so SOCs invest effort and time in improving their detection and blocking capabilities to reduce the time for which persistence and communication can be maintained. But what if the communication and persistence can be re-established dynamically after they are blocked?

Dynamic Callbacks can be used for re-establishing communication with C2 infrastructure and for achieving persistence by using different methods incorporating communication with popular websites, domain fronting and multiple protocols.

Basic Flow

The idea is simple: store the content on a website that is likely to be reachable through the corporate proxy, such as Google, YouTube, Google Maps, or any other. To obtain the content, the following flow can be used as an example:

  • A request is made from the compromised machine, searching for a HASH
  • The DC method (Hash+Site) returns the content (the page source code)
  • The content is parsed (and decoded and/or decrypted)
  • The payload is patched with the new destination (IP/domain)
  • C2 communication is established with the new address
  • The initial HASH is replaced with the new HASH
  • The next search will use the new HASH

Note: This is the basic concept, and it can be implemented in many different ways.
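The defender's view of the same flow, as an added example that is not part of the FruityDC project: a small Python detector run over constructed proxy log lines, flagging hosts that repeatedly search the listed sites for hash-shaped terms (the rotating HASH is what distinguishes this from a one-off lookup). The log format, the site/parameter list and the threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines (not real traffic): "<src_ip> <method> <url>"
SAMPLE_LOG = """\
10.0.0.5 GET https://www.google.com/search?q=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
10.0.0.5 GET https://www.youtube.com/results?search_query=2c624232cdd221771294dfbb310aca000a0df6ac8b66b696d90ef06fdefb64a3
10.0.0.5 GET https://www.google.com/search?q=5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
10.0.0.7 GET https://www.google.com/search?q=weather+tomorrow
10.0.0.7 GET https://www.youtube.com/results?search_query=conference+talk
"""

# Assumed mapping of "Method" sites to the query parameter that carries the search term
SEARCH_PARAMS = {
    "www.google.com": "q",
    "www.youtube.com": "search_query",
    "github.com": "q",
}

# MD5 / SHA-1 / SHA-256 shaped hex strings
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def hash_like_searches(log_text):
    """Return {src_ip: [hash-shaped search terms]} for searches sent to the listed sites."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        src, _method, url = parts
        u = urlparse(url)
        param = SEARCH_PARAMS.get(u.hostname)
        if not param:
            continue
        for term in parse_qs(u.query).get(param, []):
            if HASH_RE.match(term):
                hits[src].append(term.lower())
    return dict(hits)


def flag_hosts(log_text, min_distinct=2):
    """Hosts that searched the listed sites for at least min_distinct different hash-shaped terms."""
    return sorted(src for src, terms in hash_like_searches(log_text).items()
                  if len(set(terms)) >= min_distinct)
```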

Methods

The Methods are the places where the Dynamic Callbacks can be stored for the payloads to obtain them. The idea is to use common sites that are usually not blocked. Some Methods can be manipulated through an API, so their content can be changed directly from FruityDC.


Method          API   API_DC
Youtube         *     *
Google Sites    *
Google Drive    *     *
Google Maps     *     *
Google Search
Github          *     *
DF Google
DF Amazon       *
TXT             *     *

Dynamic Callbacks: Emails

The following is an example of how Dynamic Callbacks can be used during the post-exploitation phase, abusing emails as a trigger.

Demo: Dynamic Callbacks Implementation - Email 1/2

  • A new folder is created (inbox/_MOVE).
  • A new rule (HideMe) is created in Outlook.
  • Send 1 sets the email with the HASH on the GSearch method.
  • An email is sent to the target.
  • The subject matches the rule and the email is moved to _MOVE.
  • The Dynamic Callback methods are triggered.
  • The payload is patched with the Dynamic Callback.
  • C2 communication is established (FruityDC simulation).


Demo: Dynamic Callbacks Implementation - Email 2/2

  • The folder _MOVE is hidden.
  • Send 3 sets the email with the HASH on the Youtube method.
  • An email is sent to the target.
  • The subject matches the rule and the email is moved to _MOVE.
  • The Dynamic Callback methods are triggered.
  • The payload is patched with the Dynamic Callback.
  • C2 communication is established (FruityDC simulation).


License: GNU General Public License v3.0