Many companies use DropBox as a sharing tool and for hosting data. It is therefore unusual for traffic towards DropBox servers to be restricted or classified as malicious. However, it is possible to abuse the functionality of DropBox and use it as a command and control channel.

This can be achieved with the DropBoxC2 tool, which uses the DropBox API for communication between the controller and the implant. It is stealthy since the implant runs completely in memory and the traffic is encrypted.

Installation of the DropBoxC2 controller is quick and easy:

git clone https://github.com/Arno0x/DBC2 dbc2
cd dbc2
pip install -r requirements.txt
chmod +x dropboxC2.py
DBC2 – Download and Install Requirements

Communication between the controller and the implant is performed through the DropBox API. Therefore a new DropBox application needs to be created in order to generate an API key.

DropBox Application Generation

The API key needs to be entered in the config.py file (defaultAccessToken parameter); otherwise the user has to enter the key every time DBC2 starts.

When DropBoxC2 runs, the user needs to choose a master password that will be used to encrypt all data exchanged between the agents and the controller.

DropBoxC2

The modules and the stage need to be published on DropBox before any use:

publishStage dbc2_agent.exe
DropBoxC2 – Publish Stage

A file will be generated on DropBox; its contents are XOR encrypted.

DropBox – Stage Published

DropBoxC2 can generate various stagers (implants), from a simple .bat file to msbuild and sct stagers that can bypass AppLocker, and from rubber ducky payloads to macros, which supports multiple scenarios during a red team engagement.

DropBoxC2 – List Available Stagers

Stagers are generated with the following commands:

genStager oneliner default
genStager batch default
DBC2 – OneLiner Stager
DBC2 – Bat Stager

Once the stager is executed on the target host it will start to beacon, and an Agent ID value will be generated and associated with the beacon.

DBC2 – List Available Agents

Two files will be generated on DropBox: one declares the status of the agent and the other carries the commands that will be delivered to the target. The contents of these files are encrypted in order to maintain the confidentiality of the communication.
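Because the channel is encrypted and terminates at a legitimate service, the defender's signal is not the content but the pattern: an implant that beacons on a timer produces evenly spaced requests to the DropBox API hosts, whereas interactive human use does not. The following detection sketch is an added example and is not part of DBC2 or of the original post. It assumes a simple proxy log format (timestamp, client IP, host, path, status) and the public DropBox API hostnames api.dropboxapi.com and content.dropboxapi.com; the log lines are constructed for the example.

```python
"""Flag beacon-like request patterns towards the DropBox API in proxy logs.

Added example (not DBC2 code). Assumptions: a whitespace-separated log of
"<ISO-8601 UTC timestamp> <client IP> <host> <path> <status>", and that the
implant talks to the public DropBox API hostnames listed below.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Public DropBox API endpoints (assumption: implant traffic is limited to these).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log: 10.0.0.5 polls every 60 s (beacon-like), 10.0.0.7
# shows irregular, human-like access, 10.0.0.9 never touches the API hosts.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z 10.0.0.5 api.dropboxapi.com /2/files/list_folder 200
2024-03-01T09:01:00Z 10.0.0.5 api.dropboxapi.com /2/files/list_folder 200
2024-03-01T09:02:00Z 10.0.0.5 api.dropboxapi.com /2/files/list_folder 200
2024-03-01T09:03:00Z 10.0.0.5 api.dropboxapi.com /2/files/list_folder 200
2024-03-01T09:04:00Z 10.0.0.5 api.dropboxapi.com /2/files/list_folder 200
2024-03-01T09:05:00Z 10.0.0.5 api.dropboxapi.com /2/files/list_folder 200
2024-03-01T09:06:00Z 10.0.0.5 api.dropboxapi.com /2/files/list_folder 200
2024-03-01T09:00:13Z 10.0.0.7 content.dropboxapi.com /2/files/download 200
2024-03-01T09:00:41Z 10.0.0.7 content.dropboxapi.com /2/files/download 200
2024-03-01T09:07:02Z 10.0.0.7 content.dropboxapi.com /2/files/download 200
2024-03-01T09:07:05Z 10.0.0.7 content.dropboxapi.com /2/files/download 200
2024-03-01T09:22:30Z 10.0.0.7 content.dropboxapi.com /2/files/download 200
2024-03-01T09:49:11Z 10.0.0.7 content.dropboxapi.com /2/files/download 200
2024-03-01T09:03:00Z 10.0.0.9 www.example.com /index.html 200
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (timestamp, src_ip, host, path) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["host"], m["path"]


def find_beacons(lines, min_hits=6, max_jitter=0.15):
    """Return {(src_ip, host): (hit_count, median_gap_seconds)} for sessions
    whose inter-request gaps are nearly constant (low coefficient of variation)."""
    by_pair = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: ignore rather than abort the whole run
        ts, src, host, _path = parsed
        if host in DROPBOX_API_HOSTS:
            by_pair[(src, host)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue
        # Coefficient of variation of the gaps: ~0 means evenly spaced requests.
        jitter = statistics.pstdev(gaps) / median_gap
        if jitter <= max_jitter:
            flagged[pair] = (len(stamps), median_gap)
    return flagged


if __name__ == "__main__":
    for (src, host), (hits, gap) in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"beacon-like: {src} -> {host}: {hits} requests, median gap {gap:.0f}s")
```

The legitimate DropBox desktop client also talks to these hosts and syncs on its own schedule, so a rule like this is a triage aid rather than a verdict: pair it with asset context (is the client installed on that host?) and with process-level telemetry, since the page notes the implant runs entirely in memory rather than as the installed client.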

DropBox – Agent Generated Files

The Agent ID can then be used to interact with the target and execute commands.

DBC2 – Command Execution

DropBoxC2 also has the ability to transfer files, execute PowerShell commands through an interactive shell and obtain a screenshot from the target host. It also supports keylogger functionality and can start another process. Some of the commands are listed below:

sendFile
getFile
shell
screenshot
DBC2 – Transfer of Files
DBC2 – PowerShell
DBC2 – Screenshot

Additionally, various PowerShell modules can be used to perform further tasks such as obtaining a reverse shell, dumping password hashes or retrieving clear-text passwords from memory.

DropBoxC2 – Publish Modules

Alternatively, there is another tool (DropBoxC2C) which utilizes DropBox as a command and control channel. However, it is simpler and does not provide the functionality of DBC2.

References

https://github.com/Arno0x/DBC2

https://github.com/0x09AL/DropboxC2C
