Hey Offsec mates,
So I was reading the report by FireEye on the Russian state-sponsored cyber operator team, APT 29, and their malware named HAMMERTOSS (tDiscoverer).
What it did was generate seemingly “random” Twitter handles periodically and use commands embedded in a tweeted image from that handle for C&C.
Basically, their motto is to mimic human behaviour so as not to get caught by next-gen network security solutions.
Naturally, it caught my eye due to the unconventional C2 channel used by them.
I mean, sure, we have seen social media being used as C2 in real life by APTs such as the Indian Patchwork team, etc., but we don't really see it often, do we?
I decided to create a quick prototype in Python 3 demonstrating the implant's capabilities and also added some extra features. Now, originally I intended to make a C2 framework much like Empire, Faction, Sliver, Covenant, etc., as I thought it'd be a cool addition to a Red Team operator's arsenal, but I got caught up in some other work, so the project never progressed further and development halted.
Full disclosure: the code is messy as hell since I didn't get time to clean it up, but it works. It's stupid perhaps, but it works as intended as of yet.
I'm posting the link to the GitHub repository in case someday someone might find it useful and create a production C2 framework based on it.
Here’s the link: https://github.com/slaeryan/LARRYCHATTER
Oh, and P.S.: did you know the cute bird of Twitter is named Larry? Chatter, of course, means communication. Ergo, I thought it'd be appropriate to name the project LARRYCHATTER.
Hope you guys find it useful, cheers!
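From the blue-team side, the pattern the post describes (periodic visits to freshly generated handles, each followed by an image fetch) is what a detection would key on. The following is an added example, not code from the LARRYCHATTER repo or the FireEye report; the proxy log format, host names, handles and thresholds are all constructed for illustration.

```python
# Added detection example for the HAMMERTOSS-style pattern described above (not code
# from the LARRYCHATTER repo): per host, look for visits to many distinct, DGA-looking
# Twitter handles at a regular cadence, each followed shortly by an image download.
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log sample "<ISO timestamp> <client> <url>": ws-17 shows the pattern, ws-04 is normal browsing.
SAMPLE_LOG = """\
2020-03-01T09:00:02 ws-17 https://twitter.com/q8kd2mzx
2020-03-01T09:00:04 ws-17 https://pbs.twimg.com/media/a1.jpg
2020-03-01T10:00:01 ws-17 https://twitter.com/lkg19vq
2020-03-01T10:00:03 ws-17 https://pbs.twimg.com/media/b2.png
2020-03-01T11:00:05 ws-17 https://twitter.com/zt04wny
2020-03-01T11:00:07 ws-17 https://pbs.twimg.com/media/c3.jpg
2020-03-01T09:12:10 ws-04 https://twitter.com/nasa
2020-03-01T14:20:19 ws-04 https://twitter.com/reuters
"""
HANDLE_RE = re.compile(r"^https://twitter\.com/([A-Za-z0-9_]{1,15})/?$")
IMAGE_RE = re.compile(r"^https://pbs\.twimg\.com/media/")

def looks_generated(handle):
    """Heuristic for machine-made handles: digits mixed in, or almost no vowels."""
    letters = [c for c in handle.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return bool(letters) and (any(c.isdigit() for c in handle) or vowels / len(letters) < 0.2)

def find_suspect_hosts(log_text, min_handles=3, tolerance=0.2, image_window=60):
    """Return {host: [handles]} for hosts matching the periodic handle-then-image pattern."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, url = line.split()
        by_host[host].append((datetime.fromisoformat(ts), url))
    suspects = {}
    for host, events in by_host.items():
        events.sort()
        hits = []  # (timestamp, handle) for generated-looking handles followed by an image fetch
        for i, (ts, url) in enumerate(events):
            m = HANDLE_RE.match(url)
            if m and looks_generated(m.group(1)) and any(
                IMAGE_RE.match(u) and (t - ts).total_seconds() <= image_window
                for t, u in events[i + 1:]):
                hits.append((ts, m.group(1)))
        if len(hits) < min_handles:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        med = median(gaps)  # regular beacon-like cadence: every gap close to the median
        if all(abs(g - med) <= tolerance * med for g in gaps):
            suspects[host] = [h for _, h in hits]
    return suspects
```

Real deployments would also baseline each host's normal Twitter usage and treat the vowel/digit heuristic as a weak signal rather than a verdict.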