FruityDC
FruityDC project and Dynamic Callbacks methods will be released soon!
As part of the initial release, Dynamic Callbacks will be implemented on FruityC2 ps-stager and ps-agent.
Dynamic Callbacks
Maintaining persistence and communication between C2 infrastructure and compromised hosts is a fundamental element of successful red team campaigns. This is well understood by defenders, so SOCs invest effort and time in improving their detection and blocking capabilities to reduce the time that persistence and communication can be maintained. But what if the communication and persistence can be re-established dynamically after they are blocked?
Dynamic Callbacks can be used to re-establish communication with C2 infrastructure and to achieve persistence through different methods that rely on communication with popular websites, domain fronting and multiple protocols.
Basic Flow
The idea is simple: store the content on a website that will potentially be reachable through the corporate proxy, such as Google, Youtube, Google Maps or any other. To obtain the content, the following flow can be used as an example:
- A request is made from the compromised machine, searching for a HASH
- The DC method (Hash+Site) returns the content (page source code)
- The content is parsed (and decoded and/or decrypted)
- The payload is patched with the new destination (ip/domain)
- C2 communication is established with the new address
- The initial HASH is replaced with the new HASH
- The next search will use the new HASH
Note: This is the basic concept, and it can be implemented in many different ways.
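Seen from the defender's side, the flow above leaves a trace in proxy logs: a request to one of these content sites carrying a hash-like search term, followed shortly by the same client contacting a destination it has never spoken to before. The following script is an added illustration of that heuristic and is not part of FruityDC or FruityC2; the hostnames, the hex-digest pattern, the five-minute window and the log lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Hosts behind the page's Dynamic Callback "Methods" (assumed hostnames, not from the page)
CONTENT_HOSTS = {"www.google.com", "www.youtube.com", "maps.google.com",
                 "drive.google.com", "sites.google.com", "github.com"}
# Heuristic for the HASH term: a bare hex digest of MD5/SHA-1/SHA-256 length (assumption)
HASH_TOKEN = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)

# Constructed proxy log, one request per line: "<ISO timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2024-05-01T09:55:00 10.0.0.5 GET https://www.google.com/search?q=quarterly+report+template
2024-05-01T09:56:10 10.0.0.5 GET https://www.youtube.com/watch?v=aB3dE5fG7hI
2024-05-01T09:57:30 10.0.0.7 GET https://intranet.example.internal/index.html
2024-05-01T10:00:00 10.0.0.5 GET https://www.google.com/search?q=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2024-05-01T10:00:04 10.0.0.5 POST https://cdn-update.example.net/api/check
2024-05-01T10:20:00 10.0.0.7 GET https://www.google.com/search?q=5d41402abc4b2a76b9719d911017c592
2024-05-01T10:40:00 10.0.0.7 GET https://news.example.org/
"""

def parse_line(line):
    ts, client, _method, url = line.split()
    return datetime.fromisoformat(ts), client, urlsplit(url).hostname, url

def find_dynamic_callbacks(lines, window=timedelta(minutes=5)):
    """Flag the basic flow: a hash-style lookup on a content host followed, within
    `window`, by the same client contacting a never-before-seen host.
    Returns a list of (client, lookup_url, new_host) alerts."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    seen_hosts = set()   # baseline; in production seed this from historical logs
    last_lookup = {}     # client -> (timestamp, lookup_url)
    alerts = []
    for ts, client, host, url in events:
        if host in CONTENT_HOSTS and HASH_TOKEN.search(url):
            last_lookup[client] = (ts, url)
        elif host not in seen_hosts and client in last_lookup:
            lookup_ts, lookup_url = last_lookup[client]
            if ts - lookup_ts <= window:
                alerts.append((client, lookup_url, host))
        seen_hosts.add(host)
    return alerts

if __name__ == "__main__":
    for client, lookup, new_host in find_dynamic_callbacks(SAMPLE_LOG.splitlines()):
        print(f"{client}: hash lookup {lookup} followed by new destination {new_host}")
```

In the sample only 10.0.0.5 is flagged, because 10.0.0.7's new destination arrives 20 minutes after its lookup; a user clicking a fresh search result also produces a first-seen host, so the baseline and window are what control the false-positive rate.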
Methods
The Methods are the places where the Dynamic Callbacks can be stored for the payloads to obtain them. The idea is to use common sites that usually are not blocked. Some Methods can be manipulated through an API, so their content can be changed directly from FruityDC.
Method        | API | API_DC
Youtube       | *   | *
Google Sites  | *   |
Google Drive  | *   | *
Google Maps   | *   | *
Google Search |     |
Github        | *   | *
DF Google     |     |
DF Amazon     | *   |
TXT           | *   | *
Dynamic Callbacks: Emails
The following is an example of how Dynamic Callbacks can be used during the post-exploitation phase, abusing emails as a trigger.
Demo: Dynamic Callbacks Implementation - Email 1/2
- A new folder is created (inbox/_MOVE).
- A new rule (HideMe) is created in Outlook.
- Send 1 sets the email with the HASH on the GSearch method.
- An email is sent to the target.
- Subject matches the rule and the email is moved to _MOVE.
- Dynamic Callback methods are triggered.
- Payload is patched with Dynamic Callback.
- C2 communication is established (FruityDC simulation).
Demo: Dynamic Callbacks Implementation - Email 2/2
- The folder _MOVE is hidden.
- Send 3 sets the email with the HASH on the Youtube method.
- An email is sent to the target.
- Subject matches the rule and the email is moved to _MOVE.
- Dynamic Callback methods are triggered.
- Payload is patched with Dynamic Callback.
- C2 communication is established (FruityDC simulation).