My current project is wendigo, a malware framework written in Python, which uses GitHub for C2. The inspiration was taken from Black Hat Python by Justin Seitz, which featured an example skeleton and the main concepts that are used. I've taken some of the design and the basic ideas, but have rewritten almost all of it and made it my own.
The main feature is extending Python's import system. When Python resolves an import it walks a list of finder objects (sys.meta_path) in order, asking each one whether it can locate the requested module. By adding our own class to that list and giving it the methods Python calls to find and load a module, we can tell the interpreter to look for the module on GitHub, download its source, create a new module object, execute the downloaded code inside it and hand that module back to the caller. This little trick means we can ship a binary (or script) that doesn't do much on its own, but can then run any other code we tell it to, by dynamically importing new "modules" and running them.
Speaking of which, wendigo first registers by creating a "blank" configuration file on GitHub named after its unique id. That file can then be updated to give instructions on which modules to download and run. The modules themselves are just Python scripts that expose a run method, hosted where the program can find them, download them and load them into memory.
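To make the import trick concrete, here is an added example (my own illustration, not wendigo's code) of the mechanism in pure Python: a finder/loader registered on sys.meta_path that serves module source from an in-memory dictionary standing in for the GitHub repository, plus a dispatcher that reads a constructed task list shaped like the per-implant configuration and calls each module's run method. The module names, the RemoteFinder class, the (module, args) task format and the sample sources are assumptions for illustration; what the page fixes is only that modules expose run and are loaded straight into memory.

```python
import importlib.abc
import importlib.util
import sys


# Constructed stand-in for the remote repository: module name -> source text.
# In the real design these would be fetched over HTTPS from GitHub; here they
# are embedded so the example runs offline. (Assumed names and contents.)
REMOTE_MODULES = {
    "wendigo_mods.echo": (
        "def run(args):\n"
        "    return 'echo:' + ' '.join(args)\n"
    ),
    "wendigo_mods.pyinfo": (
        "import platform\n"
        "def run(args):\n"
        "    return platform.python_implementation()\n"
    ),
}


class RemoteFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Finder + loader that serves modules out of an in-memory store.

    Python walks sys.meta_path in order and calls find_spec() on each entry;
    the first one to return a spec wins, and Python then calls that spec's
    loader to create and execute the module. (Hypothetical class name.)
    """

    def __init__(self, store):
        self.store = store
        self.fetched = []  # names whose source we "downloaded"

    def find_spec(self, fullname, path, target=None):
        if fullname in self.store:
            return importlib.util.spec_from_loader(fullname, self)
        # A parent package (e.g. 'wendigo_mods') has no source of its own but
        # must still resolve, or the dotted import of its children fails.
        if any(name.startswith(fullname + ".") for name in self.store):
            return importlib.util.spec_from_loader(fullname, self, is_package=True)
        return None  # let the next finder (normally the file system) try

    def create_module(self, spec):
        return None  # default module object is fine

    def exec_module(self, module):
        source = self.store.get(module.__name__)
        if source is None:
            return  # synthetic package: nothing to execute
        self.fetched.append(module.__name__)
        # compile + exec into the module namespace: nothing is written to disk
        # and no .pyc is produced, because the source never came from a file.
        code = compile(source, f"<remote:{module.__name__}>", "exec")
        exec(code, module.__dict__)


def install(finder):
    """Register the finder ahead of the default ones (idempotent)."""
    if finder not in sys.meta_path:
        sys.meta_path.insert(0, finder)


def run_tasks(config):
    """Import each configured module through sys.meta_path and call its run().

    `config` mirrors the per-implant configuration file: a list of
    (module name, argument list) pairs. Already-imported modules are served
    from sys.modules, so each one is fetched only once per process.
    """
    results = {}
    for name, args in config:
        module = importlib.import_module(name)
        results[name] = module.run(args)
    return results


if __name__ == "__main__":
    finder = RemoteFinder(REMOTE_MODULES)
    install(finder)
    # Constructed configuration, standing in for the GitHub-hosted file.
    tasks = [("wendigo_mods.echo", ["hello", "world"]), ("wendigo_mods.pyinfo", [])]
    print(run_tasks(tasks))
    print("fetched:", finder.fetched)
```

Swapping the dictionary for an HTTPS fetch is the only change needed to turn this into the GitHub-backed variant; the import machinery, the module cache and the "nothing on disk" property all stay the same. Note that an unknown module name still raises ModuleNotFoundError, because the finder declines it and the file-system finder has no file for it either.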
This isn't a replacement for (or even comparable to) any of the classic post-exploitation frameworks like Metasploit, Empire or Cobalt Strike. It's a flexible and subtle trojan/backdoor/botnet C2 (are we even still classifying malware?). The main goals are stealth, flexibility and automation. The main program doesn't do much to prevent behavioral analysis, but GitHub isn't a suspicious site (and one unlikely to be on a firewall blacklist, though the fetches are still visible to a logging proxy) and any strings are obfuscated to defeat signature analysis. Yet once running on a victim it can pull code to start key logging, crypto mining, privesc, DDoS the FBI, gain persistence, start a shell, scan the local network, or wherever else your imagination takes you. Or inject that code into another process. All without putting anything suspicious on disk: the downloaded modules only ever exist in memory.
Then you can do all of that on the 1000 systems you have compromised, or tailor what you want to achieve on each system, all by updating the configuration files, which can easily be automated. Now that’s what I call a botnet.