Python NTP Trojan

After playing CCDC a bunch, I wanted a RAT that would call back using a highly innocuous protocol and then carry out actions to either troll or reopen full shell access (via other backdoors) to the system in a fairly non-interactive way. In this way, I was hoping this more covert trojan could persist longer than my other shells. This led me to create a trojan that uses NTP as its command and control channel, as the channel is fairly non-obvious and NTP traffic is also common. The trojan is fairly asynchronous, being rooted in UDP, and while it currently doesn't have a way to return its output to the server, it will check in and run hardcoded routines based on the time value it receives. The best way to know it's still there is when it checks in for new commands. The goal here is that it can silently drop firewall rules, add a user, run other backdoors or just troll the victim. To accomplish this async call back, I like to set it up to run every 5 minutes, calling out to the C2 server for more commands or just to get the time.

This can be done w/ a simple cron job, as follows:
Or you could do it on Windows with a scheduled task, such as:
You can also run this at a specific time on Linux using an At job like so:
Likewise, on Windows you could use an At job like so:
I hope to improve this trojan by making it more stealthy and adding to its async features over time. Ultimately, I would like to see it look more like Mubix's Luminia, only without worming and specifically triggering off the NTP service for its commands to run.
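
From the defending side, the same design leaves two things to look for in captured NTP replies: a server that is not one of the site's sanctioned time sources, and a transmit timestamp that disagrees with the capture clock. The following is an added example, not code from the trojan or its author; the allowlist, the skew threshold, the sample records and the idea that a command-bearing time value will sit far from real time are all assumptions.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800    # seconds between 1900-01-01 and 1970-01-01
APPROVED_SERVERS = {"10.0.0.5"}  # assumption: the site's sanctioned NTP sources
MAX_SKEW_SECONDS = 300.0         # assumption: tolerated clock disagreement


def parse_server_reply(payload):
    """Return (stratum, transmit_unix_time) for an NTP mode-4 reply, else None."""
    if len(payload) < 48:
        return None
    if payload[0] & 0x07 != 4:  # low three bits of byte 0 are the mode
        return None
    secs, frac = struct.unpack("!II", payload[40:48])  # transmit timestamp
    return payload[1], secs - NTP_EPOCH_OFFSET + frac / 2**32


def review_replies(records):
    """records: iterable of (capture_unix_time, client_ip, server_ip, payload)."""
    findings = []
    for seen_at, client, server, payload in records:
        parsed = parse_server_reply(payload)
        if parsed is None:
            continue
        _, transmit = parsed
        reasons = []
        if server not in APPROVED_SERVERS:
            reasons.append("unapproved server")
        skew = transmit - seen_at
        if abs(skew) > MAX_SKEW_SECONDS:
            reasons.append(f"time off by {skew:+.0f}s")
        if reasons:
            findings.append((client, server, reasons))
    return findings


def make_reply(unix_time):
    """Build a constructed 48-byte server reply (LI=0, VN=4, mode=4, stratum 2)."""
    header = bytes([0x24, 2, 6, 0xEC]) + bytes(36)
    return header + struct.pack("!II", int(unix_time) + NTP_EPOCH_OFFSET, 0)


# Constructed sample traffic; all addresses and times are made up.
SAMPLE = [
    (1700000000, "10.0.1.20", "10.0.0.5", make_reply(1700000000)),
    (1700000300, "10.0.1.21", "203.0.113.9", make_reply(946684800)),
]
```

Calling `review_replies(SAMPLE)` returns one finding, for the second record, with both reasons attached.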



Once again, if you didn't get it before, check out my NTP Trojan!