Introduction

At Blaze Security we are always looking for new ways to further improve our engagements. As every penetration tester knows, post-exploitation is a crucial step for successful compromise and further penetration deep inside the network. Maintaining a strong foothold within the target organization is key.

Hence, we have created the Blaze Telegram Backdoor Tool (bt2), a proof-of-concept post-exploitation tool in the form of a Telegram bot that serves as a backdoor.

Command and control (hereafter referred to as "C&C") comes in different forms, shapes and flavors. Early C&C infrastructures used the IRC protocol to establish a connection between the target and the master. This was also a very common setup in the botnets of the early 2000s, when IRC was still a thing.

Taking advantage of popular on-line services and re-purposing them to serve an adversary's goals has happened before, and will surely happen again in the future. Social media-based botnet C&C is not necessarily a new phenomenon - since at least 2009, threat researchers have found and documented bot-based backdoors on Twitter.

bt2 is a Python-based backdoor in the form of an IM bot that uses the infrastructure and the feature-rich bot API provided by Telegram, slightly re-purposing its communication platform to act as a C&C.

bt2's features include functionality common to backdoor-like tools, such as command execution, a connect-back shell, download and upload of files, a component to load and execute user-supplied shellcode, and more.

As the proof of concept was developed in Python, it works on multiple platforms, with the exception of the shellcode execution component (Windows only).

The bot sits on the Telegram network waiting for commands originating from the botmaster. The master can control the bots from any Telegram client, whether desktop, command line or mobile, allowing for unparalleled flexibility when performing post-exploitation against a target.

We have chosen Telegram due to its ever-growing popularity and reliable infrastructure, and because it communicates via the standard HTTPS protocol, which makes it extremely useful for circumventing several corporate network filters.

bt2 does not support encryption between the client and the server, for the sake of maintaining the aforementioned flexibility. Although possible to implement, an encrypted communication channel would require a purpose-built Telegram client, and this is currently not in the future plans for this tool.
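As an added example from the defender's side (not part of the original post and not bt2 code), the following check scans proxy log lines for a host contacting the Telegram Bot API at regular intervals, which is what a polling backdoor on an internal machine looks like from the network edge. Because the channel is ordinary HTTPS, a proxy without TLS inspection sees only the destination host and the timing, so that is all the check relies on; the log format, addresses and user agents below are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict

TELEGRAM_API_HOST = "api.telegram.org"  # host used by the Telegram Bot API
MIN_REQUESTS = 4         # assumed: need enough samples to judge regularity
MAX_JITTER_RATIO = 0.2   # assumed: stdev(interval) / mean(interval) at or below this is "regular"

# Constructed log lines (simplified format: epoch, client IP, method, host:port, user agent).
# 10.0.0.15 polls the Bot API every ~30 s; 10.0.0.42 is a person using Telegram normally.
SAMPLE_LOG = """\
1462000000.000 10.0.0.15 CONNECT api.telegram.org:443 python-requests/2.9.1
1462000030.100 10.0.0.15 CONNECT api.telegram.org:443 python-requests/2.9.1
1462000060.050 10.0.0.15 CONNECT api.telegram.org:443 python-requests/2.9.1
1462000090.200 10.0.0.15 CONNECT api.telegram.org:443 python-requests/2.9.1
1462000120.000 10.0.0.15 CONNECT api.telegram.org:443 python-requests/2.9.1
1462000005.000 10.0.0.42 CONNECT web.telegram.org:443 Mozilla/5.0
1462000017.000 10.0.0.42 CONNECT api.telegram.org:443 Mozilla/5.0
1462000300.000 10.0.0.42 CONNECT api.telegram.org:443 Mozilla/5.0
1462000311.000 10.0.0.42 CONNECT api.telegram.org:443 Mozilla/5.0
1462000900.000 10.0.0.42 CONNECT api.telegram.org:443 Mozilla/5.0
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, host, user agent)."""
    ts, client, method, hostport, ua = line.split(None, 4)
    host = hostport.rsplit(":", 1)[0]
    return float(ts), client, method, host, ua


def find_telegram_beacons(log_text, host=TELEGRAM_API_HOST):
    """Return one finding per client whose requests to `host` arrive at near-constant intervals."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, _method, h, ua = parse_line(raw)
        if h == host:
            hits[client].append((ts, ua))

    findings = []
    for client, events in hits.items():
        if len(events) < MIN_REQUESTS:
            continue  # too few contacts to say anything about regularity
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        mean_iv = statistics.mean(intervals)
        jitter = statistics.pstdev(intervals) / mean_iv if mean_iv else 0.0
        if jitter <= MAX_JITTER_RATIO:
            findings.append({
                "client": client,
                "requests": len(events),
                "interval_s": round(mean_iv, 1),
                "user_agents": sorted({ua for _, ua in events}),
            })
    return findings
```

A non-browser user agent in the findings is a secondary signal only; without TLS inspection the user agent is not visible at all, and the interval regularity is what carries the detection.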

The tool can be found on Blaze's GitHub.

DISCLAIMER: bt2 is a mere proof of concept and by no means intends to breach the terms and conditions of Telegram. Additionally, it was developed for use in legitimate penetration testing engagements, and neither the author nor Blaze Information Security can be held liable for any malicious use of the tool.

Usage

After the initial setup of creating a bot (not discussed here, please refer to this link), all you need to do is start a conversation with it.

The command '/help' provides a self-explanatory list of commands along with basic usage of the tool:

Below you can see the tool in action, taking advantage of its functionality to get information about the system, list commands and download a file:

Along with the bot itself, the GitHub repository contains a script to aid the generation of shellcode in a format the tool will process. Essentially, it is possible to copy your favourite shellcode from Metasploit and paste it into the tool, which will automatically convert it to a base64'd bytearray format, ready to be sent down the wire and executed.

[Image: executing_shellcode.png]

As with any other piece of software, this is not perfect, and there are already a few known bugs. Contributions are very welcome, so if you feel like improving upon it, just fork the repository and don't forget to send a pull request.

Conclusion

We hope this tool and the ideas laid out in this article can be beneficial for other information security consultants too.

With this article we wanted to share with the rest of the community some of the tools we use in our engagements, and to point out that pretty much every on-line service can be re-purposed into a C&C, ultimately serving the goal of an attacker.

References

Lenny Zeltser - When bots use social media for command and control

Arbor Networks - Twitter-based Botnet Command Channel