evil mass storage *AT90USBKEY2 (poc-malware-tool for offline system)
MIT License
This is the official post to ask about this project:
An awesome article about the project by Daniel Brooks (better explained than this post):
Please consider making a donation: https://github.com/sponsors/therealdreg
DM via Twitter @therealdreg https://twitter.com/therealdreg
WARNING: this is a DIY-POC just for fun and the code is pure crap x-), btw my English sucks and I am a hardware noob. btw, a CORSAIR KEYBOARD can cause problems with ATMEL ICE, put the keyboard in BIOS MODE
my roapt v1 board
The objective of this project is to create a USB device to exfiltrate data from an isolated environment via radio frequency using 433 MHz ASK. This allows us to exfiltrate small amounts of information, such as digital certificates, without the need for an internet connection, at a considerable distance and with much better penetration than 2.4 GHz.
In a physically isolated environment such as a Faraday cage we can use an alternative version which exfiltrates the information (encrypted first) to a micro SD. It's important to understand that this is very different from a rubber ducky: while the rubber ducky acts only as a fake keyboard, the evil mass storage is composed of keyboard + radio frequency exfiltration system + mass storage, which gives us a very versatile tool.
Now let's see it in a more detailed way:
All the source code is available in my GitHub:
WARNING: This is not a rubber ducky! xD
If you want to play with this kind of stuff, the prototype board is: AT90USBKEY2 (at90usb1287)
If you don't like the AT90USBKEY2 (at90usb1287) and you know what you are doing, you can port my code easily to the Teensy++ 2.0 Development Board (AT90USB1286):
I developed a private version of evil mass storage using Teensy++ 2.0. This version will never be public (don't worry, it's pure crap xD). Btw, the Teensy++ 2.0 board (16 MHz) is faster than the AT90USBKEY2 (8 MHz).
USB can be a little pain in the ass. I recommend reading two essential books by Jan Axelson:
The books' code is not for 8-bit AVR, but it is very well explained.
The first prototype was this chaos:
Well, wtf is this then?
The POC is very simple: it has an SD card with the malware encrypted (a crap-XOR, remember this is an 8-bit AVR micro).
If you connect the USB N times, the microcontroller removes the malware from the SD. To do this, the USB device only needs POWER. So if a researcher plugs the device in a few times... bad luck xD
The idea of the POC is to infect only one target machine. If you connect the USB to another PC, the device will work as a normal mass storage (btw very slow because of SPI for the SD).
Demo video (in Spanish): https://youtu.be/-K6MMVyKEv0?t=346
The victim connects the USB device.
To make forensic work more difficult the device can randomize the VID/PID, disk serial and all relevant forensic USB data on each connection (the uploaded POC only changes this info in some stages):
The USB device is a USB composite device (not a USB HUB, again... read the books!!). Windows will detect it as a new keyboard and a new mass storage device.
The keyboard device opens a run window (WIN + R) and starts to bruteforce the drive letter assigned to the mass storage in order to execute the .exe stored in it. This exe is not the malware, it is the first stage. It retrieves useful information like the user name and writes it into the mass storage.
The microcontroller gets the SCSI command and, if the info is correct, resets the USB connection; at this moment the malware is in the mass storage. This malware is decrypted (the uploaded POC uses only a crap-XOR) using the information written in the mass storage... if the evil mass storage is not connected to the target computer, the malware won't be in it.
The malware is executed and the microcontroller removes all sectors of the malware from the SD.
From this moment, the USB device will only work as a regular USB mass storage (keyboard part is removed). The VID-PID + other USB info gets changed again.
The malware exfiltrates data by writing to the mass storage, and the microcontroller resends the information via 433 MHz ASK RF (helped by an atmega328p). It also supports exfiltration via the SD card (encrypting the information first).
NOTE: This attack is only useful to steal small amounts of info because SPI is slow and 433 MHz RF bandwidth is low.
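From the defender's side, the behaviour described above (one device presenting a keyboard and a mass storage at the same time, then reconnecting with different VID/PID/serial) is exactly what host-side USB logs can be checked for. The following detector is an added example, not code from the project; the USB enumeration records are constructed and shaped like what you would parse out of Windows USB/USBSTOR events or Linux kernel messages.

```python
# Added example (not part of the original project): scan USB-enumeration records
# for two traits of the device described above: a single device exposing a HID
# keyboard together with a mass-storage interface, and the storage identity
# (VID/PID/serial) changing across reconnects on the same physical port.

HID_CLASS = 0x03  # USB interface class: HID (keyboards)
MSC_CLASS = 0x08  # USB interface class: Mass Storage

# Constructed sample records (t = seconds since boot). Values are made up;
# "port" is the host-side port path, "classes" the interface classes enumerated.
EVENTS = [
    {"t": 100, "port": "1-1", "vid": 0x1111, "pid": 0x2222,
     "serial": "A1B2C3", "classes": [HID_CLASS, MSC_CLASS]},   # keyboard + disk
    {"t": 160, "port": "1-1", "vid": 0x3333, "pid": 0x4444,
     "serial": "ZZ9X1Q", "classes": [MSC_CLASS]},              # same port, new identity
    {"t": 900, "port": "1-2", "vid": 0x5555, "pid": 0x6666,
     "serial": "4C5300", "classes": [MSC_CLASS]},              # ordinary USB stick
]


def is_keyboard_plus_storage(ev):
    """True when one device presents both a HID and a mass-storage interface."""
    return HID_CLASS in ev["classes"] and MSC_CLASS in ev["classes"]


def identity(ev):
    """The tuple a forensic USB inventory normally keys on."""
    return (ev["vid"], ev["pid"], ev["serial"])


def find_suspicious(events, window=300):
    """Return (event, reason) pairs worth a closer look, in time order."""
    findings = []
    last_on_port = {}                       # port path -> most recent event there
    for ev in sorted(events, key=lambda e: e["t"]):
        if is_keyboard_plus_storage(ev):
            findings.append((ev, "composite HID keyboard + mass storage"))
        prev = last_on_port.get(ev["port"])
        # A storage device replaced by a different storage identity on the same
        # port within a short window is the reconnect-with-new-VID/PID pattern.
        if (prev is not None and identity(prev) != identity(ev)
                and ev["t"] - prev["t"] <= window
                and MSC_CLASS in prev["classes"] and MSC_CLASS in ev["classes"]):
            findings.append((ev, "storage identity changed on port %s within %ds"
                             % (ev["port"], window)))
        last_on_port[ev["port"]] = ev
    return findings


if __name__ == "__main__":
    for ev, reason in find_suspicious(EVENTS):
        print("t=%d port=%s vid=%04x pid=%04x: %s" % (ev["t"], ev["port"], ev["vid"], ev["pid"], reason))
```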
Currently experimenting with two ARM Cortex-M4 32 bit boards: FRDM-K66F MK66FN2M0VMD18 and Teensy 3.6 MK66FX1M0VMD18 (Paul J Stoffregen + an awesome community pjrc + a lot of code).
What I am looking for:
NOTE: ARM Cortex-M4 is very, very complex compared to 8-bit AVR, you should read this (hard) book:
Teensy 3.6 ARM Cortex-M4 (NXP Kinetis MK66FX1M0VMD18) 180MHz:
ARM Cortex-M4 at 180 MHz
Floating point math unit, 32 bits only
1024K Flash, 256K RAM, 4K EEPROM
USB device 12 Mbit/sec, USB host 480 Mbit/sec
64 digital input/output pins, 22 PWM output pins
25 analog input pins, 2 analog output pins, 11 capacitive sense pins
6 serial, 3 SPI, 4 I2C ports
1 I2S/TDM digital audio port
2 CAN bus
1 SDIO (4 bit) native SD Card port
32 general purpose DMA channels
Cryptographic Acceleration & Random Number Generator
RTC for date/time
FRDM-K66F (NXP Kinetis MK66FN2M0VMD18):
Performance
System and Clocks
Security
Timers
Human-machine interface
Memories and memory expansion
Analog modules
Communication interfaces
My pull request adding a new ClassDriver MassStorageSDKeyboard Demo for LUFA - the Lightweight USB Framework for AVRs:
Original sources and programs for AT90USBKEY2 + own code & patches:
My talk in English (translated by who knows):
Just my own adaptation for mass storage SD card and keyboard for AT90USBKEY2:
Presentation:
Backup article by Daniel Brooks (better explained than this post):
FatFS + TTL UART + MICRO SD + ATMEL ICE JTAG DEBUGGING:
NOTE: I have no plans to make/sell more roapt v1 boards. I don't want to spend money on this xD.
ARM POC version is coming