I am currently learning Golang to complete this project. You can check out my practice-golang Git project.
This project is a sophisticated, multi-platform encrypted backdoor designed with advanced techniques such as fileless persistence, encrypted communication, command execution over DNS, and modular payload delivery. Built with modularity and maintainability in mind, it is split into subprojects for better organization, development, and feature expansion. The project supports Windows, Linux, and macOS and is written primarily in Go, with additional components in C/C++ and Python for optimized memory control and low-level functionality.
This project is for educational purposes only and is intended to help security professionals and researchers understand the potential of multi-platform malware while providing insight into evasion techniques and persistence mechanisms.
- Overview
- Project Structure
- Technologies Used
- Features
- Stages
- How to Use
- Purpose
- Usage
- Disclaimer
- Contributions
- License
This project is organized into multiple subprojects, each responsible for specific features and functionality. By breaking the project into submodules, we ensure scalability, ease of integration, and clear maintainability. The final integration will combine all these modules to create the full malware functionality.
-
Encrypted Communication Module
- Manages secure data transmission between the malware and the Command and Control (C2) server.
- Uses strong encryption algorithms (AES or RSA) to prevent interception.
- Includes encrypted DNS command execution functionality.
-
Persistence and Evasion Module
- Implements fileless persistence techniques, making the malware difficult to detect.
- Includes registry or plist modifications for Windows and macOS systems.
- Employs anti-forensics techniques, such as process injection and memory-only payloads.
-
Command and Control (C2) Module
- Supports HTTPS-based communication to evade network detection.
- Modular design allows for easy updates and modifications to the C2 commands.
- Peer-to-Peer (P2P) capabilities for decentralized control, with fallback mechanisms to avoid reliance on a single C2 server.
-
Modular Payload Delivery Module
- Handles dynamic payload loading from the C2 server.
- Supports features like keylogging, remote shell access, and desktop capture.
- Payload delivery is encrypted to avoid detection.
-
System Interaction Module
- Capabilities include file system manipulation, credential dumping, and data exfiltration.
- Supports compression of data for faster transmission and reduced network load.
-
Anti-Detection Module
- Provides stealth features such as polymorphism, code mutation, anti-debugging, and sandbox detection.
- Adjusts behavior based on the environment, such as avoiding execution in virtual machines or sandboxes.
-
Network-Security Features
- Includes port scanning, tunneling, and network mapping functionalities.
- Enables pivoting through compromised networks to reach additional targets.
- Go (Primary): Handles the core malware logic, communication, and multi-platform compatibility.
- C/C++: Used for modules requiring fine-grained memory control, such as credential dumping and persistence.
- Assembly: Used for low-level interaction with the system and to avoid high-level language footprints.
- Python: Provides an additional scripting layer for high-level functionality and rapid payload development.
- Golang Cryptography Libraries: For handling encryption and decryption.
- libcurl (C/C++): Used for secure network communication.
- VirtualBox, VMware: Used for testing persistence and evasion techniques in sandbox environments.
- Git & GitHub: For source code version control.
- Cross-Compilers: To build binaries across platforms (Linux, Windows, macOS).
- Ghidra, IDA Pro: Used for reverse engineering and testing anti-debugging features.
- Wireshark: For monitoring and testing encrypted communication and DNS command execution.
The malware is designed to include a range of advanced features:
-
Multi-Platform Support: Compatibility with Windows, Linux, and macOS, with each platform receiving tailored persistence and evasion techniques.
-
Encrypted Communication: All communication between the malware and the C2 server is encrypted using AES or RSA, with a fallback mechanism for DNS-based command execution.
-
Fileless Persistence: Fileless persistence is achieved using memory-only payloads and registry/plist modifications, reducing the footprint on disk.
-
Modular Payload Delivery: The malware supports the delivery of additional modules post-infection, including keylogging, remote shell access, and file system manipulation.
-
Anti-Forensics Techniques: Includes advanced evasion methods such as sandbox detection, process injection, and polymorphism to avoid detection by signature-based antivirus solutions.
-
Network-Security Features: Includes port scanning, tunneling, network mapping, and pivoting to target additional systems through compromised networks.
-
Self-Updating Mechanism: The malware can update itself with new features or patches via secure connections to the C2 server.
This stage focuses on setting up the infrastructure, research, and core feature selection. Here, basic functionality will be implemented to ensure compatibility across platforms.
In this stage, the minimum viable product (MVP) of the malware will be created, including features like basic encrypted communication, command execution, and persistence. The primary goal is to have a functional multi-platform backdoor that can establish communication with the C2 server and persist after reboots.
During the release stage, all advanced features like anti-forensics, modular payload delivery, network mapping, and evasion techniques will be added. The malware will be fully functional and capable of self-updating, making it robust enough for real-world use.
This phase focuses on fine-tuning and making the malware more resilient to detection. Advanced features like code mutation, P2P communication, anti-debugging, and stealth techniques will be implemented. The malware will also be optimized for performance across all platforms.
To get started with this project, follow these steps:
- Clone the Repository
git clone https://github.com/dev-bittu/mw.git- Install Dependencies
Install Go, C/C++ compilers, and Python libraries:
sudo apt-get install gcc golang python3- Compile for Target Platforms
Use cross-compilers to generate binaries for each target platform:
GOOS=windows GOARCH=amd64 go build -o backdoor_windows.exe
GOOS=linux GOARCH=amd64 go build -o backdoor_linux
GOOS=darwin GOARCH=amd64 go build -o backdoor_macos- Run the Malware
Deploy the malware on the target system:
./backdoor_windows.exe- Monitor C2 Server
Set up the Command and Control server and issue commands remotely.
This project is designed for educational purposes to help security professionals and ethical hackers understand how advanced malware operates. The goal is to shed light on multi-platform persistence, encrypted communications, and evasion techniques to bolster defense mechanisms against real-world malware.
This software is provided for educational purposes only. The authors take no responsibility for any damage caused by the usage of this software. The user is solely responsible for their actions, and this tool should not be used for malicious purposes.
This malware framework is intended for use in controlled environments like test labs or virtual machines. Do not deploy this malware in real-world systems without explicit permission from the system owners. Misuse of this tool can result in severe legal consequences.
Contributions are welcome! If you'd like to contribute:
- Fork the project.
- Create a new branch.
- Submit a pull request.
Before contributing, please ensure that your code adheres to the project’s coding standards and is properly documented.
This project is licensed under the MIT License. See the LICENSE file for details.
- Metasploit
Some network security and payload features were inspired by the Metasploit framework, especially the modular payload delivery.