KittyStager: stage 0 C2 comprising an API, client, and malware

stage 0 payload

KittyStager

KittyStager is a stage 0 C2 comprising an API, client, and malware. The API is responsible for delivering basic tasks and shellcodes to be injected into memory by the malware. The client also connects to the API and allows for interaction with the malware by creating tasks. The goal of KittyStager is to deploy a simple stage 0 payload onto the target system and gather enough information to adapt the payload to the specific target. As the stage 0 payload is intended to be as stealthy as possible, it does not include any command execution capabilities.

This project is made for educational purpose only. I am not responsible for any damage caused by this project.

stage 0 payload

Features

  • A simple cli to interact with the implant
  • API :
    •  A web server to host your kittens
    •  HTTPS
    •  Yours files in /upload are available on /upload
  • Reconnaissance :
    •  Hostname, domain, pid, ip…
    •  AV or EDR solution with wmi
    •  Process list
  • Encryption :
    •  Key exchange with Opaque
    •  Chacha20 encryption
  • Malware capabilities :
    •  Create thread injection
    •  Bananaphone (Hell’s gate variant)
    •  Halo’s gate
    •  ETW patching
    •  Sleep with jitter
    •  Remove of the binary from disk
  • Sandbox :
    •  Check ram
    •  Check a none existing website
  • Payload :
    •  Raw shellcode
    •  Hex shellcode
  • Build :
    •  Generate the kitten from the config file
    •  Compile the kitten with go & garble
    •  Sign the kitten with a copied certificate
    •  Generate description

Some settings can be changed in the config file

Architecture

The project is divided into 3 parts :

The crypto part, kitten, config, and tasks struct are in internal.

Install & Use