Analysis by: Raymart Christian Yambot

 Aliases

Other:Malware-gen [Trj] (AVAST)

 Platform:

Linux

 Overall risk:
 Damage potential:
 Distribution potential:
 Reported infection:
 Information exposure:
Rating scale: Low, Medium, High, Critical

  • Malware type
    Hacking Tool

  • Destructive?
    No

  • Encrypted
     

  • In the Wild:

  Overview and description

Infection channel: Dropped by other malware, Downloaded from the Internet

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  Technical details

File size: 2,318,252 bytes
File type: ELF
File compression: UPX
Memory resident: No
Initial samples received date: 20 March 2024

Arrival details

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Information theft

It gathers the following data:

  • Hostname

Other details

It does the following:

  • It creates and sets the name of its child processes using the following:
    • {Malware file name}
  • It establishes a connection to the server using the WebSocket protocol.
    • {BLOCKED}.{BLOCKED}.{BLOCKED}.123:443
  • It accepts input in the following format:
    • For "server": chisel server {optional parameters}
    • For "client": chisel client {optional parameters} {server} {remote addresses}
  • Accepts the following optional parameters if "server" is the command:
    • --host, Defines the HTTP listening host - the network interface (defaults to the environment variable HOST and falls back to 0.0.0.0).
    • --port, -p, Defines the HTTP listening port (defaults to the environment variable PORT and falls back to port 8080).
    • --key, An optional string to seed the generation of an ECDSA public and private key pair. All communications will be secured using this key pair. Share the subsequent fingerprint with clients to enable detection of man-in-the-middle attacks (defaults to the CHISEL_KEY environment variable, otherwise a new key is generated each run).
    • --authfile, An optional path to a users.json file.
    • --auth, An optional string representing a single user with full access, in the form of {user:pass}.
    • --proxy, Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight.
    • --socks5, Allow clients to access the internal SOCKS5 proxy. See chisel client --help for more information.
    • --reverse, Allow clients to specify reverse port forwarding remotes in addition to normal remotes.
    • --pid, Generate pid file in current working directory
    • -v, Enable verbose logging
    • --help, Display help text for the command
  • Accepts the following optional parameters if "client" is the command:
    • {server} is the URL to the chisel server.
    • {remote}s are remote connections tunneled through the server.
    • --fingerprint, A *strongly recommended* fingerprint string to perform host-key validation against the server's public key. You may provide just a prefix of the key or the entire string. Fingerprint mismatches will close the connection.
    • --auth, An optional username and password (client authentication) in the form: "{user:pass}". These credentials are compared to the credentials inside the server's --authfile. Defaults to the AUTH environment variable.
    • --keepalive, An optional keepalive interval. Since the underlying transport is HTTP, in many instances we'll be traversing through proxies, often these proxies will close idle connections. You must specify a time with a unit, for example '30s' or '2m'. Defaults to '0s' (disabled).
    • --max-retry-count, Maximum number of times to retry before exiting. Defaults to unlimited.
    • --max-retry-interval, Maximum wait time before retrying after a disconnection. Defaults to 5 minutes.
    • --proxy, An optional HTTP CONNECT proxy which will be used to reach the chisel server. Authentication can be specified inside the URL.
    • --hostname, Optionally set the 'Host' header (defaults to the host found in the server url).
    • --pid, Generate pid file in current working directory
    • -v, Enable verbose logging
    • --help, Display help text for the command
  • It can be used to bypass a firewall.

  Solutions

Minimum scan engine: 9.800
SSAPI pattern file: 2.713.00
SSAPI pattern release date: 28 March 2024

Step 2

Scan your computer with your Trend Micro product to delete files detected as HackTool.Linux.Chisel.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
