Many companies use DropBox for file sharing and for hosting data, so traffic towards DropBox servers is rarely restricted or classified as a malicious domain. However, the functionality of DropBox can be abused to turn it into a command and control channel.

This can be achieved with the DBC2 (DropBoxC2) tool, which uses the DropBox API for communication between the controller and the implant. It is comparatively stealthy because the agent runs completely in memory and the data exchanged through DropBox is encrypted. Two caveats apply: the channel is only as available as DropBox itself, so organizations that block personal cloud storage at the proxy will block it as well, and the implant needs a valid DropBox access token to reach the API, so whoever recovers a stager or dumps the agent from memory also gets access to the same app folder.

Installation of the DBC2 controller is quick:

git clone https://github.com/Arno0x/DBC2 dbc2
cd dbc2
pip install -r requirements.txt
chmod +x dropboxC2.py
DBC2 - Download and Install Requirements

Communication between the controller and the implant is performed through the DropBox API, so a new DropBox application needs to be created in the DropBox App Console in order to generate an access token for it.

DropBox Application Generation

The access token needs to be entered in the config.py file (defaultAccessToken parameter); otherwise the user has to supply it every time DBC2 starts.

When DBC2 runs, the user chooses a master password that will be used to encrypt all data exchanged between the agents and the controller. The same password has to be used on every controller session, since agents that are already deployed derive their key from it.

DropBoxC2

Modules and the stage need to be published to DropBox before any use:

publishStage dbc2_agent.exe
DropboxC2 - Publish Stage

A file will be created in the DropBox app folder; its contents are XOR encrypted.

DropBox - Stage Published

DBC2 can generate various stagers (implants), from a simple .bat file to msbuild and sct payloads that can bypass AppLocker, and from a Rubber Ducky script to an Office macro, covering multiple execution scenarios during a red team engagement. Note that the msbuild and sct routes depend on the signed Microsoft binaries that launch them (MSBuild.exe, and normally regsvr32.exe for .sct files) being permitted by the AppLocker policy; blocking those binaries removes the bypass.

DropBoxC2 - List Available Stagers

Stagers are generated with the following commands:

genStager oneliner default
genStager batch default
DBC2 - OneLiner Stager

DBC2 - Bat Stager

From the moment the stager is executed on the target host, the agent starts beaconing, and an Agent ID value is generated and associated with that beacon.

DBC2 - List Available Agents
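The beaconing described above is what a defender can look for, even though the destination is a legitimate DropBox API host. The following is an added example, not part of the original post or of DBC2: it runs a simple beacon-interval check over a few constructed proxy log lines (the log format "timestamp client method host path" is assumed) and flags client/host pairs whose request intervals are unusually regular.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real traffic). 10.0.0.5 polls the DropBox API
# every 30 seconds; 10.0.0.7 shows irregular, human-looking DropBox usage;
# 10.0.0.9 makes too few requests to judge.
LOG_LINES = """\
2017-05-10T09:00:00 10.0.0.5 POST api.dropboxapi.com /2/files/download
2017-05-10T09:00:30 10.0.0.5 POST api.dropboxapi.com /2/files/download
2017-05-10T09:01:00 10.0.0.5 POST api.dropboxapi.com /2/files/download
2017-05-10T09:01:30 10.0.0.5 POST api.dropboxapi.com /2/files/download
2017-05-10T09:02:00 10.0.0.5 POST api.dropboxapi.com /2/files/download
2017-05-10T09:02:30 10.0.0.5 POST api.dropboxapi.com /2/files/download
2017-05-10T09:03:00 10.0.0.5 POST api.dropboxapi.com /2/files/download
2017-05-10T09:03:30 10.0.0.5 POST api.dropboxapi.com /2/files/download
2017-05-10T09:00:05 10.0.0.7 POST content.dropboxapi.com /2/files/upload
2017-05-10T09:00:07 10.0.0.7 POST content.dropboxapi.com /2/files/upload
2017-05-10T09:03:40 10.0.0.7 POST content.dropboxapi.com /2/files/upload
2017-05-10T09:12:02 10.0.0.7 POST content.dropboxapi.com /2/files/upload
2017-05-10T09:12:03 10.0.0.7 POST content.dropboxapi.com /2/files/upload
2017-05-10T09:45:10 10.0.0.7 POST content.dropboxapi.com /2/files/upload
2017-05-10T09:20:00 10.0.0.9 GET www.dropbox.com /home
2017-05-10T09:20:30 10.0.0.9 GET www.dropbox.com /home
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(lines):
    """Parse the assumed log format into (timestamp, client, host) tuples."""
    events = []
    for line in lines.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, host, _path = m.groups()
        events.append((datetime.fromisoformat(ts), client, host))
    return events


def find_beacons(lines, min_requests=6, max_cv=0.2):
    """Return {(client, host): (count, mean_gap_s, cv)} for pairs whose
    inter-request gaps have a coefficient of variation at or below max_cv.
    A low CV means the gaps are nearly constant, i.e. a timer, not a person."""
    by_pair = defaultdict(list)
    for ts, client, host in parse(lines):
        by_pair[(client, host)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits[pair] = (len(stamps), mean, cv)
    return hits


if __name__ == "__main__":
    for (client, host), (count, mean, cv) in find_beacons(LOG_LINES).items():
        print(f"{client} -> {host}: {count} requests, mean gap {mean:.0f}s, cv {cv:.2f}")
```

The thresholds are deliberately loose; a beacon with randomised jitter pushes the coefficient of variation up, so in practice the check is combined with the request count per hour and with the fact that a host talks to api.dropboxapi.com without any corresponding DropBox desktop client or browser activity.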

Two files will be created on DropBox for each agent: one declaring the status of the agent and one carrying the commands to be delivered to the target. Their contents are encrypted in order to maintain the confidentiality of the communication, so the owner of the DropBox account (or DropBox itself) only sees ciphertext, although the file names and the polling pattern remain visible.

DropBox - Agent Generated Files
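To make the status/command file exchange and the master-password encryption concrete, here is an added example that is not DBC2's own code. The DropBox API is replaced by an in-memory dictionary so the example runs offline, and the cipher is an HMAC-SHA256 keystream with an HMAC tag, a stand-in for whatever cipher DBC2 actually uses, which this page does not describe; the salt, file naming and command handlers are all assumptions.

```python
import hashlib
import hmac
import json
import os
import time


class DeadDrop:
    """Stand-in for a DropBox app folder: path -> bytes (assumption, not the API)."""

    def __init__(self):
        self.files = {}

    def upload(self, path, data):
        self.files[path] = data

    def download(self, path):
        return self.files.get(path)

    def delete(self, path):
        self.files.pop(path, None)


def derive_key(master_password: str) -> bytes:
    # Constructed fixed salt so controller and agent derive the same key offline.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), b"dbc2-example-salt", 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in cipher, stdlib only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # nonce || ciphertext || tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: blob tampered with or wrong master password")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Controller:
    def __init__(self, drop, master_password):
        self.drop, self.key = drop, derive_key(master_password)

    def queue_command(self, agent_id, command):
        # One command file per agent; the agent deletes it after pickup.
        self.drop.upload(f"/{agent_id}.cmd", encrypt(self.key, json.dumps({"cmd": command}).encode()))

    def read_status(self, agent_id):
        blob = self.drop.download(f"/{agent_id}.status")
        return json.loads(decrypt(self.key, blob)) if blob else None


class Agent:
    # Simulated handlers with constructed output; nothing is really executed.
    HANDLERS = {"whoami": lambda: "lab\\user", "hostname": lambda: "WS01"}

    def __init__(self, drop, master_password, agent_id):
        self.drop, self.key, self.agent_id = drop, derive_key(master_password), agent_id

    def beacon(self):
        """One polling cycle: fetch command, run it, write status, delete command."""
        blob = self.drop.download(f"/{self.agent_id}.cmd")
        result = {"agent": self.agent_id, "ts": int(time.time()), "output": None}
        if blob:
            cmd = json.loads(decrypt(self.key, blob))["cmd"]
            handler = self.HANDLERS.get(cmd)
            result["output"] = handler() if handler else f"unknown command: {cmd}"
            self.drop.delete(f"/{self.agent_id}.cmd")
        self.drop.upload(f"/{self.agent_id}.status", encrypt(self.key, json.dumps(result).encode()))
        return result


def run_demo(master_password="correct horse"):
    """Controller queues 'whoami', agent picks it up on its next beacon."""
    drop = DeadDrop()
    ctl = Controller(drop, master_password)
    agent = Agent(drop, master_password, "A1B2C3")
    agent.beacon()                         # first check-in: status only, no command
    ctl.queue_command("A1B2C3", "whoami")
    agent.beacon()
    return ctl.read_status("A1B2C3")["output"]


def tamper_detected(master_password="correct horse"):
    """Flip one ciphertext byte on the drop and confirm the tag check rejects it."""
    key = derive_key(master_password)
    blob = bytearray(encrypt(key, b"shell whoami"))
    blob[20] ^= 0x01
    try:
        decrypt(key, bytes(blob))
        return False
    except ValueError:
        return True
```

The tag check is the part worth keeping in mind: anyone with the app folder's access token can read and overwrite the files, so without integrity protection a third party who obtained the token could inject commands to agents or feed fake status to the controller.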

The agent ID can then be used to interact with the target and execute commands.

DBC2 - Command Execution

DBC2 can also transfer files, execute PowerShell commands through an interactive shell and take a screenshot of the target host. It also supports keylogging and can start another process. Some of the commands are listed below:

sendFile
getFile
shell
screenshot
DBC2 - Transfer of Files

DBC2 - PowerShell

DBC2 - Screenshot

Additionally, various PowerShell modules can be published and used to perform further tasks, such as obtaining a reverse shell, dumping password hashes or retrieving clear-text passwords from memory.

DropBoxC2 - Publish Modules

Alternatively, DropboxC2C is another tool that uses DropBox as a command and control channel. However it is more simplistic and does not provide the functionality of DBC2.

References

https://github.com/Arno0x/DBC2

https://github.com/0x09AL/DropboxC2C