Skip to content
/ IERat Public

A basic C2 Framework with an internet explorer based agent

Notifications You must be signed in to change notification settings

uvzz/IERat

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

74 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

LinkedIn


Logo

A simple C2 framework against browser isolation proxies

(for testing / research purposes only!)

poc

About The Project

While I was penetration testing networks that use browser isolation proxies, I noticed that my malware is unable to communicate with its C2 server, although I used a cloudfront.com domain using domain fronting. I could access it via a web browser without any problem. After a little research on browser isolation products, I found that these proxy servers inject JavaScript files to the browser, enforcing their policy and changing the entire structure of the DOM. Therefore, the server responses will go through the proxy and will be re-rendered as images/SVG so only the browser will be able to understand them.

But, I noticed that what’s inside the tag, such as the page title and tags will remain untouched (not tested yet on all solutions) There, a possible C2 communication would be:

Client-> HTTP requests via browser automation -> C2 server -> HTTP page with a payload inside the headtag, e.g. favicon value -> browser isolation proxy -> browser controllered by client -> client

The client uses a COM object and sends requests using Internet explorer, then extracts the favicon base64 value from the C2 server responses, which is controlled by the user to send commands through a simple console UI. This can be further developed to upload/download files, use HTTPS, and convert the client to a PowerShell script.

antiscanme

Prerequisites

Set the BaseURL address to your C2 server address before compling the client in IERat.cs

.NET Framework 4.8 for the client.

.NET Core 5.0 for the server.

Installation

To run the server on Linux, you should install dotnet-runtime-5.0

Example for Kali/Debian:

  • Install and run the server on port 443:

    wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb
    sudo dpkg -i packages-microsoft-prod.deb
    sudo apt update
    sudo apt install -y dotnet-runtime-5.0
    sudo dotnet IERatServer.dll --ip=* --port=443
    
  • All compiled module DLL files should reside inside the Modules directory of the server. They are set to compile inside this folder in the project configuration.

Features

  • Connect to several C2 servers at the same time
  • File downloads/uploads (very large file transfers can be unstable for now)
  • Keylogger module
  • Screenshot captures
  • AV detection
  • UAC Bypass (Taskmanager cleanup task method)
  • Webcam capture module
  • Chrome passwords module
  • All modules are loaded from RAM

Roadmap

  • HTTPS Support
  • Persistence
  • VM detection
  • Load and run PowerShell scripts from RAM using Automation runspace

Available Commands

Management Commands
=====================
agents - Print information about the active agents
history - Print information about commands and their results
interact <agent number> - interact with an agent
timeout <number> - set the inactivity time in seconds for agent disconnections
clear - clear the CLI from messages
exit - kill the server

File Commands
===============
ls - list folders and files in the agent's current directory
mv <source> <destination> - move a file or a folder, change a file's name
cp <source> <destination> - copy a file or a folder
rm <destination> - delete a file or a folder
upload <location on server> - upload a file to the agent's current directory
download <location on agent> - download a file to to the loot folder
exec <file to run> - execute a file

Spy Shit
==========
screenshot - take a screenshot of the active desktop
keylogger <start/stop/collect/clear> - start/stop a keylogger thread, collect results or clear them
capture_camera - capture a webcam image of the user jerking off or something...

Credentials
=============
chrome - get all chrome passwords

Privileges
============
uacbypass_taskmanager - bypass UAC using the taskmanager cleanup task method

Command execution
===================
shell - run a shell command using cmd.exe (not recommended)


About

A basic C2 Framework with an internet explorer based agent

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages