C2 with Shiba Inus
What and Why?
If you weren’t aware, C2 stands for Command and Control, something some people could go on about for hours, so to put it simply — it’s telling computers what to do, whether it’s just telling your computer to do stuff without you having to do it yourself, or utilising hundreds of compromised machines to do your bidding.
I like developing C2 stuff because it’s genuinely really interesting once you look into how people try and hide their communications with the target machine(s), because the most difficult part of Command and Control isn’t developing it or getting the Agent onto the target, but making it hidden.
For example, many C2 Servers work primarily on http/https, because traffic-wise visiting a webpage every so often looks a lot more normal than a computer sending text back and fourth to some random external IP.
Some criminals, bad-actors, governments, those kind of people, like to get very creative with their tactics when it comes to sophisticated C2 development; but what makes C2 sophisticated? Sure, it’s probably not getting caught and staying off the radar consistently, but specifically it all comes down to Steganography.
I was thinking about how some bad-actors have gone as far as hiding data in images when sharing information, and I got the idea to develop a C2 Server that distributes instructions / commands through images.
The plan is to make a C2 Server that controls machines with commands hidden in images, but if we really want our images to fly under the radar, we need to use images that anyone would use the internet to view over and over, with no ill intentions. Fortunately, I have the perfect idea.
Operation: Shiba C2
Everyone loves dogs. If you prefer cats I understand, but not really. Plus, the perfect breed of dogs for this? Shiba Inus! Both beloved and popular for early internet memes and jokes. (they’re also very cute)
This C2 Server will operate under a HTTP Server written in Python, just like the agent. The C2 System will need 4 main functions:
Server: Setting Tasks for Compromised Machines
- Getting a photo of a Shiba Inu
- Hiding Tasks in the photo of the Shiba Inu
- Providing the photo on the C2 Webserver
Agent: Receiving and Executing Tasks
- Checking the C2 Webserver every so often
- Downloading Shiba Inu photos
- Finding Tasks in photos
Agent: Sending Task Results
- POSTing the results to the C2 Webserver
Server: Receiving Task Results
- Receiving data separate from the photo hosting on the Webserver
Setting “Tasks” for compromised machines
On the C2 Server, I plan to have the Tasks (photo of a Shiba Inu) hosted on the webserver at the root, so the URL will look something like: http://(ip):(port)/
But how will we get the photos? Well recently I discovered a brilliant API dedicated to random photos of Shiba Inus that we can use.
Receiving and Executing Tasks
How Agents for http/https C2 Servers usually check if they have any Tasks to do is GETting the webpage of the C2 Webserver with delays inbetween.
Considering we’re using photos here, I think the solution should be to just serve the photos on their own instead of a full webpage, as this photo will secretly have a secret Task inside of it. And if there are no tasks, we can just return a code like 404 or 500.
Sending Task Results
If we’re hosting the Tasks/Photos at the root of the C2 Webserver, we’ll need the Agent to POST data to a different part of the website, so I think it will be fitting to have Agents POST to /dog-feedback, because customer satisfaction is the number one priority for Shiba Inu photo sharing sites.
In the end, I didn’t make the client send data back hidden in Shiba Inu images, I just made it send the data back encoded in Base64. Is this a good idea? No. Do I care? No. But it is a good idea to keep in mind for later when we go over potential improvements.
Receiving Task Results
Pretty simple; just get data sent to /dog-feedback, decode it using Base64 and show it in the terminal.
IMPORTANT: Remember when developing Web Based C2 Servers like this to ALWAYS have the list of tasks set to nothing automatically when you receive the task result, otherwise you can get a loop of the client executing the same thing over and over - paired with little to no delay and your secret implant turns into a monkey with clash cymbals.
Developing the Shiba C2 Server
Although I did this all in Python, you can use your language of choice.
First, I need a way to get images of Shiba Inus on the fly, here’s function I made using requests and the Shiba Inu API
Now, we can get the photo of a Shiba Inu, but how will we hide our data in it? Because I’m dumb, lazy, and incapable, I just decided to add on $DOGE$(task encoded in base64) at the end of the files. To be fair to myself, it doesn't stand out against the rest of the binary data and doesn't nescesarrily make any visual difference.
This also means decoding messages will be very easy for the Agent:
Now we need Tasks to put in the images. Although it’s probably not best practice, for simplicity I just had a file named tasks.txt that would hold commands to be read.
Ok, we can make the images with Tasks in them, time to host it on a http server. I used Flask for this, because it’s very simple to add routes and develop with. I also needed to add the /dog-feedback path to handle the Agent submitting Task results:
Alright, that seems to be the server done! Let’s test it
tasks.txt: "whoami"
d2hvYW1p -base64-> whoami
Success! Now, time to develop the C2 Agent.
Developing the Shiba C2 Agent
The Agent will work on a loop, and the first part of this loop is checking the C2 Webserver for tasks, or in our case Shiba Inu photos.
The second part of the loop is, if there is one, executing the Task.
And finally, submitting the result of the Task to the C2 Webserver
Now, putting them all together to create the loop the Agent will run on:
Testing the Shiba C2
Time for the test! I’ll be testing with the Task/Command whoami.
I hypothesise, or at least hope, that:
Agent checks for tasks -> Server reads Task -> Server displays photo with task in it -> Agent finds task in photo -> Agent Does Task -> Agent Sends Task Results -> Server Displays Task Results
But now is the time for the actual test, I will run the Server and then the Agent with whoami in tasks.txt.
Terminal Outputs (Server / Agent)
Internet Traffic
Final Notes
Well it worked! But, there are still improvements to be done before Operation Shiba C2 can take over the world.
Full Shiba Inu Communications
I could always integrate the system I used to encode messages into Shiba Inu photos in the Agent in order to have all communication in Shiba Inu photo form, but that actually may be arguably more alerting than just submitting data to a website.
Task Management
As I mentioned earlier, the C2 Server keeps it’s tasks in tasks.txt, but it may be better to hold the tasks in memory. Not just that, but currently the functions to read tasks can only read one task at a time, where some C2 Servers can go through a list of tasks given and give them to the Agent.
HTTPS
Although we used images of cute dogs to hide our malicious traffic, it’s still unencrypted, which by today’s standards is suspicious just for that. Thankfully, with Flask it’s as easy as using OpenSSL to turn your HTTP server to a HTTPS one, which will have all traffic encrypted.
Setting Tasks
Sure, this can execute a command in a file, but what if we want full C2? Instead of just putting commands into a file, we could have a live input to set tasks like a shell. This can easily be done by just setting the C2 Server as a seperate thread which will practically make it shut up until it has something to say, which will allow us to give input inbetween the Server telling us Task results.
