bt2 is a Python-based backdoor in form of a IM bot that uses the infrastructure and the feature-rich bot API provided by Telegram, slightly repurposing its communication platform to act as a C&C.
Dependencies
Installation
$ sudo pip install telepot
$ sudo pip install requests
PS: Telepot requires minimum of requests 2.9.1 to work properly. Limitations
Currently the shellcode execution component is dependent on ctypes and works only on Windows platforms.
Usage
Before using this code one has to register a bot with Telegram. This can be done by talking to Botfather - after setting up the name for the bot and username you will get a key that will be used to interact with the bot API.
For more information see Telegram bots: an introduction for developers
Also, it is highly advisable to replace 'botmaster ID' with the ID of the master, locking the communication between the bot to the specific ID of the botmaster to avoid abuse from unauthorized parties.
$ python bt2.py
Resources
We published a blog post with a few more details on command and control platforms and how to use the tool: https://blog.blazeinfosec.com/bt2-leveraging-telegram-as-a-command-control-platform/
Known bugs
- After launching a reverse shell and exiting from it, all commands sent to the bot have duplicate responses.
- The 'kill' functionality is not working as it should.
- After successful execution of shellcode, the bot dies. Upon return it fetches the previous messages from the server and executes the shellcode again. Need to find a way to avoid fetching of previous messages.
Author
- Julio Cesar Fort - julio at blazeinfosec dot com
- Twitter: @juliocesarfort / @blazeinfosec