How the Russian Abused Twitter as C&C in Hammertoss Malware? Python Answers
Hello fellows, this is my first time I post an article on nullbyte so I hope you like it :)
Today, we will replicate a technique which has been used by recent, sophisticated and hard to trace a Russian malware called Hammertoss, the creators of this malware has abused multiple well known sites like Twitter and Github to defeat modern firewalls and torture whoever tracing their tracks.
In a nutshell, instead of getting a direct reverse connection back to the C&C server similar to what traditional malware does, this smart malware will jump between third party servers to perform its malicious activity, please take two minutes and watch this short explanatory video from Fireeye so you will get a quick overview how the malware works.
All right, so the first stage of Hammertoss was to connect to a Twitter looking for a tweet created by the hackers which contains a URL for an image and hashtag as a part for encryption key. Technically speaking, you don't need to login into Twitter to parse someone's tweet, so in this case, we just need to figure out the account URL to navigate and the HTML tags which contains the actual tweet, Keep in mind you can add other twitter accounts to hide the original one (which belongs to the hacker).
Obviously you should never your personal account while doing similar stuff, that's why I created a new account holding my name and here's is the link for my twitter home page
Now from my Kali machine, I made a tweet saying "Hello from kali python" then I logged out, at this point once we click on the above URL, we should see something similar to this output
Now using your browser you can view the HTML source code of this page, in Chrome just do a right click anywhere in the page and select "View page source" or Ctrl+U for short, in the HTML if we search for our tweet, we will get the below HTML line:-
<meta name="description" content="The latest Tweets from Hussam Khrais (@HussamKhrais): "Hello from kali python"">
So technically if we code a simple script that will navigate to https://twitter.com/HussamKhrais
And retrieve the HTML page, then inside the HTML if we search for meta tag called name that has a value of description and asked for the value of content, then we should be able to grab our tweet.
Let's translate this action to a code:-
1# Import soupy function from BeautifulSoup library, we will use this function to search for the html tags
2# Import urllib which will be used to navigate to our twitter page and grab the html for us
3# Navigate to my twitter home page HussamKhrais, store the HTML page into html variable
4# Pass it to soupy function so we can parse it
5# Here we search for the HTML meta tags
6# Print the result out
The output for running the script would be
At this point, since we are only interested in having the string between the quotation marks, we can filter it out using regular expression, and that exactly what the below script will do for us
the findall function will grab the string between the " " and store it in a list data type called filter, finally we print the exact tweet.
After putting all the script pieces together, we got the below result
Please feel free to
download the script and give it a try on your own tweet!
Now think about it for a second, can we use twitter to replace DDNS? Well, what will happen if we replace "Hello from kali python" with the attacker public IP, and each time the attacker IP changes, all what he needs to do is to send a tweet with the new IP to get the reverse connection for his victim!
A question for you…
After reading this article, do you think that can you code in Python a complete AV free remote shell and exfiltrate data without even having a single direct connection with your target? Please share your thoughts.