/SharpGmailC2

Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol

Primary LanguageC#MIT LicenseMIT

SharpGmailC2

Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol

Used:

  1. EAGetMail library from Nuget Package Manager.
  2. Costura and Costura Fody from Nuget Package Manager, in order to bundle up all the dlls altogether. This actually bulked up my implant, but for this case, I don't think that will matter much as this implant is FUD till now :).

Precausions to be taken by Operator before Using Gmail as C2:

  1. Make sure the Command sent via Gmail, is in Unread Mode (if not, mark as Unread) as the implant scans the Last/latest Unread mail and checks whether it starts with "in:" or not. If it does start with "in:", it understands that, that particular textbody is a legit command, and marks that particular mail as Read and this continues till the end.

Here is the snippet:

latest_unreadMail

C2 In-Action:

GmailC2.mp4

Quick Scan:

  1. Using @matterpreter's DefenderCheck:

DefenderCheck

  1. Using Antiscan.me:

AntiScan.me

  1. Capa Scan:

capa_scan

It seems like capa is not able to detect the capabilties of my Client implant at all. But definitely creates suspicion, forcing the Malware Analyst to give the binary a second look.

  1. WireShark Packet Capture:

smtp_capture

We can see that the sent commands via Operator via Gmail and the informations that are exfiltrated/ sent out are all encrypted by Gmail's TLS encryption. On top of that, the ip address (marked) isn't suspicious at all, or in other words are OPSEC safe.

ip_lookup

Credits:

  1. Inspired by NamedPipes from malcomvetter.
  2. Much much much thanks to @SoumyadeepBas12 for helping me out with the proper code structure of this project! 😃