Linux keylogger that uses Twitter as a covert channel
by TheBadKitten - October 19, 2020 at 01:49 PM
#1
A Linux kernel-level keylogger that uses Twitter as a covert channel to get information about keystrokes and user data to the attacker using steganography.

Kernel Keylogger
Within the Source directory, we have our keylog.c file, which is the keylogger; it is installed into the kernel as a kernel module. This keylogger works by intercepting the keyboard's event handler and adding a callback function, so that every time a key is pressed, the custom function we wrote is invoked. The function stores the key presses and other information (such as the timing of keypresses) in a struct. This struct is the in-memory buffer that holds the keylogging data. We then eventually store this data in a text file for processing.

Phishing Application
Then, we have several directories for the other tools surrounding the keylogger. The PhishingApplication directory contains the source code and binary for the CurrencyConverter, which serves to fool the user and install the keylogger into the system. This is all the victim needs to have the keylogger installed into their system. Once a user runs the phishing application, the application will download the keylogger program in the background, install the keylogger, and run the scheduler.

Text analysis
The Analysis directory contains the tool to filter out useless keystrokes and obtain useful information from the keylogger files, such as credit card info and user information.

Twitter bot and scheduler
The source code can be found in the Scripts folder. The client_script handles scheduling, encrypting messages, steganographic images, and sending them through Twitter. The folder also contains a server_script for the attacker to receive the information, and a configuration file for changing some other important values (GET URL, API keys, schedule time). The idea is that we can use different Twitter users for different infected computers.

Keylogger and Covert Channel Explanation
The keylogger is installed at the kernel level, which makes it harder to detect. The program has been tested with antivirus software and remained undetected.

To communicate with the attacker secretly, we use a covert channel through Twitter. We aren't directly communicating with the attacker, so communication activity isn't as suspicious. Because Twitter is public, anyone can actually retrieve the information from any Twitter profile, which makes it difficult to find who is actually looking at the photos. But the information is encrypted and discreet, so it would be difficult for anyone to see if there is such information stored in the photo. So we can say we have two-layer protection in regards to keeping the information secret from the attacker. First, the information is hidden and cannot be distinguished by the human eye. Second, the information is encrypted and would be computationally expensive to decrypt. It might also be difficult to tell if there is actually information, because the encrypted text could just look like a series of random characters that are obtained from looking at the image pixels in a certain way. So they can never be certain that there is information inside.


Not mine. Just Sharing! Get Source Code here:
https://github.com/HiDoYa/linux-secretive-keylogger
#2
thank you, will try this out. HQ release
Reply
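
Defender's view of the kernel-module install described in post #1, as an added example that is not part of the thread or the linked project: a module built and loaded outside the distribution kernel normally shows taint flags in /proc/modules, and this check lists such modules for review. The sample input is constructed, the module name `keylog` is an assumption taken from the keylog.c file name, the allowlist is hypothetical, and the check assumes the module does not hide itself from the module list.

```python
import os

# Taint letters the kernel appends to a /proc/modules entry.
TAINT_MEANING = {
    "P": "proprietary licence",
    "O": "out-of-tree build",
    "F": "force-loaded",
    "C": "staging driver",
    "E": "unsigned module",
}

# Constructed sample in /proc/modules format (names, sizes, addresses made up).
# "keylog" is an assumed module name derived from the keylog.c file name.
SAMPLE_PROC_MODULES = """\
ext4 745472 1 - Live 0xffffffffc0520000
mbcache 16384 1 ext4, Live 0xffffffffc0400000
vboxguest 348160 2 - Live 0xffffffffc0300000 (OE)
keylog 16384 0 - Live 0xffffffffc0a5b000 (OE)
nvidia 35000000 40 - Live 0xffffffffc1000000 (POE)
"""


def tainted_modules(proc_modules_text, allowlist=frozenset()):
    """Return [(module, [reasons])] for tainting modules not in the allowlist."""
    findings = []
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if len(fields) < 7:  # no 7th column: module carries no taint flags
            continue
        name, flags = fields[0], fields[6].strip("()")
        reasons = [TAINT_MEANING[f] for f in flags if f in TAINT_MEANING]
        if reasons and name not in allowlist:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    path = "/proc/modules"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROC_MODULES  # fall back to the constructed sample
    # Allowlist of expected third-party modules is site-specific (assumed here).
    for name, reasons in tainted_modules(text, allowlist={"vboxguest", "nvidia"}):
        print(f"review: {name} ({', '.join(reasons)})")
```

The kernel-wide taint value in /proc/sys/kernel/tainted stays set until reboot even after a tainting module is unloaded, and enforcing module signatures (module.sig_enforce=1) blocks unsigned loads in the first place.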