This is a proof-of-concept malware that keylogs a target's keystrokes, stores them in an encoded form and exfiltrates them to a remote C&C server. The purpose of this project was to help me learn more about creating malware and avoiding detection and analysis. The client is a stand-alone application and needs no external resources. The server controls the clients through the configured domain and endpoint, e.g. https://localhost:8443/clients.
- The malware logs the keystrokes on the target computer
- The malware can be commanded and controlled remotely from a C&C server
- The malware beacons to the C&C server while active
- All data in transit is encrypted with TLS. The certificates are generated by the user.
- All the TLS certificates are embedded into the executable at build time
- Multiple persistence measures are taken so that the malware runs on startup and is hard to locate
- The malware exits without running if it detects a virtual machine or a debugger (comment this check out when running on a VM)
Create TLS certificates for the CA, the server and the client with the following commands:

```sh
openssl req -x509 -newkey rsa:4096 -days 3650 -nodes -keyout ca.key -out ca.crt -subj "/CN=ca"
openssl req -newkey rsa:4096 -nodes -keyout server.key -out server.csr -subj "/CN=localhost"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
openssl req -newkey rsa:4096 -nodes -keyout client.key -out client.csr -subj "/CN=client"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
# Bundle the client certificate and key as PKCS#12 for importing into Firefox
openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt
```
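A check worth running on the certificates these commands produce before they are embedded: confirm that each leaf chains to ca.crt and carries the expected CN. This is an added Go example, not part of the project; template, toPEM and MakePair are constructed helpers that stand in for the openssl commands so the check runs offline against a throwaway Ed25519 CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyChain checks that leafPEM chains to the CA in caPEM (the relationship the
// "openssl x509 -req ... -CA ca.crt" steps create) and returns the leaf's CN.
func VerifyChain(leafPEM, caPEM []byte) (string, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return "", errors.New("no CA certificate in PEM")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no leaf certificate in PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err // unknown issuer, expired, or issuer is not a CA
	}
	return leaf.Subject.CommonName, nil
}

// template builds a minimal certificate body; constructed helper, not the project's code.
func template(cn string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
}
func toPEM(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }

// MakePair stands in for the openssl commands: a self-signed CA and a leaf it signed, as PEM.
func MakePair(caCN, leafCN string) (caPEM, leafPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := template(caCN, true)
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, template(leafCN, false), ca, leafPub, caKey)
	return toPEM(caDER), toPEM(leafDER)
}
```

To check real files, read ca.crt and client.crt with os.ReadFile and pass them to VerifyChain; a leaf signed by any other CA is rejected, not just one with the wrong name.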
Build the client application to an exe using go build -o client.exe client.go
Start the server, run the client malware on the target computer, and then open the configured domain, e.g. https://localhost:8443/clients
Use the buttons there to send commands to the client:
- Sleep: pauses the client for a specified time; keylogging and beaconing are halted, and the collected keylogs are exfiltrated and then deleted
- Pwn: sends a customized pwn message to the client
- Shutdown: gracefully shuts down the client; logging halts, and the collected keylogs are exfiltrated and then deleted
- Show Keylogs: shows the exfiltrated logs on the site