watsittoye/CC-malware

Go C&C Keylogging Malware

Description

This is a proof-of-concept malware that logs a target's keystrokes, stores them in an encoded form and exfiltrates them to a remote C&C server. The purpose of this was to help me learn more about creating malware and avoiding detection and analysis. The client is designed as a standalone application and does not need any resources imported. The server can control the clients by accessing the set domain and endpoint, e.g. https://localhost/clients:8443.

Key Features

Keylogging

The malware logs the keystrokes on the target computer

C&C

The malware can be commanded and controlled remotely from a C&C server

Beaconing

The malware beacons the C&C server while active

TLS Encryption

All data in transit is encrypted with TLS. The certificates are generated by the user.

Embedded Certs

All the TLS certificates are embedded into the executable when built

Persistence

Multiple persistence measures are taken to ensure the malware runs on startup and is hard to locate

Anti-Malware Analysis

The malware exits without running if it detects a virtual machine or a debugger. (Comment this check out when running on a VM.)

Setup

Create TLS certificates for the CA, the server and the client using the following commands.

openssl req -x509 -newkey rsa:4096 -days 3650 -nodes -keyout ca.key -out ca.crt -subj "/CN=ca"

openssl req -newkey rsa:4096 -nodes -keyout server.key -out server.csr -subj "/CN=localhost"

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256

openssl req -newkey rsa:4096 -nodes -keyout client.key -out client.csr -subj "/CN=client"

openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256

openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt # for Firefox

Build the client application to an exe using go build -o client.exe client.go

Start the server and the client malware, then go to the set domain, e.g. https://localhost/clients:8443
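From a defender's side, the certificates produced by the commands above carry recognisable subjects (CN=ca, CN=localhost, CN=client) and are used for mutual TLS. The following added example is not part of this repository; it scores constructed TLS handshake records against those defaults, and the TLSRecord layout, its field names and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// TLSRecord is a hypothetical, simplified handshake log entry (field names are assumptions).
type TLSRecord struct {
	Dst, ServerSubject, ServerIssuer string // Dst is the destination IP
	ClientSubject, ClientIssuer      string // empty when no client certificate was sent
	ChainTrusted                     bool   // chain validates against the sensor's trust store
}

// cn extracts the CN value from a subject such as "CN=localhost,O=x".
func cn(dn string) string {
	for _, part := range strings.Split(dn, ",") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok && strings.EqualFold(k, "CN") {
			return v
		}
	}
	return ""
}

// Score lists the ways a handshake matches the certificate setup in the README.
func Score(r TLSRecord) (why []string) {
	if !r.ChainTrusted && cn(r.ServerIssuer) == "ca" {
		why = append(why, "untrusted issuer CN=ca")
	}
	if cn(r.ServerSubject) == "localhost" && !strings.HasPrefix(r.Dst, "127.") && r.Dst != "::1" {
		why = append(why, "CN=localhost on a non-loopback address")
	}
	if !r.ChainTrusted && r.ClientSubject != "" && r.ClientIssuer == r.ServerIssuer {
		why = append(why, "mutual TLS under one untrusted CA")
	}
	return why
}

var samples = []TLSRecord{ // constructed records, not captured traffic
	{"203.0.113.10", "CN=localhost", "CN=ca", "CN=client", "CN=ca", false},
	{"198.51.100.7", "CN=www.example.org", "CN=Example Issuing CA", "", "", true},
	{"127.0.0.1", "CN=localhost", "CN=ca", "", "", false},
}

func main() {
	for _, r := range samples {
		fmt.Println(r.Dst, len(Score(r)), Score(r))
	}
}
```

The subject names checked here are the README's defaults and can differ in other builds, so a match is a triage lead to correlate with process and connection-timing data rather than a verdict.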

How to use

After running the malware on a target computer, go to the set domain.

Use the buttons to send commands to the client

  • Sleep: Pauses the client for a specified time; keylogging and beaconing are halted, and keylogs are exfiltrated and deleted
  • Pwn: Sends a customized pwn message to the client
  • Shutdown: Gracefully shuts down and halts the client; all logs are exfiltrated and deleted
  • Show Keylogs: Shows the exfiltrated logs on the site
