Skip to content

Spacebin is a proof-of-concept malware that exfiltrates data (from No Direct Internet Access environments) via triggering AV on the endpoint and then communicating back from the AV's cloud component.

master
Switch branches/tags
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 

README.md

Spacebin

Spacebin is a proof-of-concept malware that exfiltrates data (from No Direct Internet Access environments) via triggering AV on the endpoint and then communicating back from the AV's cloud component.

It was released as part of the THE ADVENTURES OF AV AND THE LEAKY SANDBOX talk given at BlackHat USA 2017 conference and DEF CON 25 by Itzik Kotler and Amit Klein from SafeBreach Labs.

Slides are availble here and White paper is avialble here

Version

0.1.0

What's Inside?

  1. bingroundctrl is a directory with the server-side code.

  2. binrocket is a directory with client-side code. It's the Python script that generates a rocket (i.e. C file that packs the binary satellite)

  3. binsatellite is a directory with more client-side code (i.e. Visual Studio 2015 Solution). It's the actual binary satellite.

Instructions

  1. There's a batch file called go.bat that does pretty much everything on the client side aspect. It takes optional command line argument (i.e. go.bat "Secret Data") that will be the payload. If not, "Hello, world" is the default.

  2. The go.bat assumes two things: That you're running it from "Developer Command Prompt" (i.e. CL is in your PATH) and that you're running it from the spacebin root directory. The latter is important because it uses relative-path to "reference" binsatellite Release binary.

  3. The results are rendered in a Web UI that is hosted on: http://YOUR_SITE:8080 the username is YOUR_USERNAME and the password is YOUR_PASSWORD the code this website is inside bingroundctrl and it's a mixture of: tailon (Python app), nginx, tail, grep etc.

  4. To test that everything works as expected:

open the URL, login to the app. Afterward run go.bat with a string (i.e. go.bat "Secret Secret") and see that it appears on the Web UI.

License

BSD 3-Clause

About

Spacebin is a proof-of-concept malware that exfiltrates data (from No Direct Internet Access environments) via triggering AV on the endpoint and then communicating back from the AV's cloud component.

Resources

License

Releases

No releases published

Packages

No packages published