MEATPISTOL is a framework for creating stealth implants that support persistent adversarial operations
Post exploitation tool, not for getting in
All the decent malware was only for Windows
Publicly available OSX malware didn't have encrypted comms or persistence or interactive shell
Wrote a Python-based reverse SSH tunnelling tool that used Twitter for C2 resolution, CronTab/LaunchDaemon for persistence, with random scheduling and an obfuscated generator script.
Wrote SSH client / servers in Java and Bash
Problem: have to configure new C2 infrastructure for each piece of malware
The ideal tool
Select features for malware implant
C2 infra set up automatically: each C2 endpoint is unique, keys taken care of
Each malware sample is unique. (That way, defenders can't find it in VirusTotal.)
MEATPISTOL features
Modular C2 methods such as Reddit, Twitter, a dedicated server, etc.
Can use multiple C2 methods, too
Multiple persistence modules
Generated malware is custom to the target machine, based on some of its system info
That way, when the malware is thrown into a sandbox it is not detected
Feed in PCAP and simulate it over the wire
Can exfiltrate traffic over multiple connections
How they built it
The core
Essentially a microkernel that runs module functionality
Is written in Go, so it runs on Mac/Windows/Linux
Has an event loop
Has a scheduler loop
Types of modules
file: get files to/from remote PC
exec: get shell
c2
loot
hide: clean up artifacts of persistence
persistence
Channel API for modules
read()
write()
attach() - similar to file open
detach() - similar to file close
close() - after this, no more writes will happen
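To make the lifecycle rules above concrete (attach before use, detach when a module is done, and no writes accepted after close), here is an added Go sketch of such a channel interface with a toy in-memory implementation. This is illustrative code written for these notes, not MEATPISTOL's own source; the `Channel` interface, `MemChannel` type and the `ErrClosed`/`ErrNotAttached` sentinels are assumed names chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"sync"
)

// Sentinel errors for lifecycle violations (names are assumptions for this example).
var (
	ErrClosed      = errors.New("channel closed: no further writes accepted")
	ErrNotAttached = errors.New("channel not attached")
)

// Channel mirrors the module-facing API listed in the notes:
// attach/detach bracket a module's use of the channel (like open/close on a file),
// and Close is terminal: after it, Write must fail while queued data may still be read.
type Channel interface {
	Attach() error
	Read() ([]byte, error)
	Write(p []byte) error
	Detach() error
	Close() error
}

// MemChannel is a hypothetical in-memory channel that enforces those rules.
type MemChannel struct {
	mu       sync.Mutex
	attached bool
	closed   bool
	queue    [][]byte // messages written but not yet read
}

// Attach marks the channel as in use by a module; refused once closed.
func (c *MemChannel) Attach() error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.closed {
		return ErrClosed
	}
	c.attached = true
	return nil
}

// Write queues a copy of p; rejected after Close or before Attach.
func (c *MemChannel) Write(p []byte) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.closed {
		return ErrClosed
	}
	if !c.attached {
		return ErrNotAttached
	}
	c.queue = append(c.queue, append([]byte(nil), p...))
	return nil
}

// Read returns the oldest queued message. An empty queue yields (nil, nil)
// while the channel is open and io.EOF once it has been closed and drained.
func (c *MemChannel) Read() ([]byte, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if !c.attached {
		return nil, ErrNotAttached
	}
	if len(c.queue) == 0 {
		if c.closed {
			return nil, io.EOF
		}
		return nil, nil
	}
	msg := c.queue[0]
	c.queue = c.queue[1:]
	return msg, nil
}

// Detach releases the channel for this module without discarding queued data.
func (c *MemChannel) Detach() error {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.attached = false
	return nil
}

// Close is terminal: subsequent writes fail, reads may drain what remains.
func (c *MemChannel) Close() error {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.closed = true
	return nil
}

func main() {
	c := &MemChannel{}
	fmt.Println("write before attach:", c.Write([]byte("x"))) // ErrNotAttached
	_ = c.Attach()
	_ = c.Write([]byte("hello"))
	_ = c.Close()
	fmt.Println("write after close:", c.Write([]byte("late"))) // ErrClosed
	msg, _ := c.Read()
	fmt.Println("drained:", string(msg)) // hello
	_, err := c.Read()
	fmt.Println("after drain:", err) // EOF
}
```

The point of the sentinel errors is that a module can tell a transient condition (nothing pending, attach not yet called) apart from the terminal one (closed), which is exactly the distinction the close() bullet draws.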
Learning lessons
Great CLI tools are human. MEATPISTOL displays a Taylor Swift quote on startup and MEATPISTOL ASCII art before exiting
Minimize the amount of typing the user has to do. Add default arguments everywhere it makes sense