Simple C2 over Trello’s API (Proof-of-Concept)
By: Fabrizio Siciliano (@0rbz_)
Removed hardcoded API key and Token, use input() instead.
Python 3.x
The Trello API “description” field for cards, which is used for temporarily storing commands and resulting command output, is limited in size. I think it’s something around 16k characters. This is OK for most commands, however, commands that return large output will cause the agent to die due to the Trello API returning a 400 Bad Request (size too large) status. Be mindful of commands and their expected outputs. I’ll eventually work in some logic to determine command output size before sending it back to trello’s servers for operator consumption.
This is not OPSEC-safe. All commands and command output will temporarily pass through Trello’s servers and output will exist in the agents’ “card” in cleartext temporarily. Although the traffic is TLS encrypted (in-transit) courtesy of Trello, and although the operator script makes an effort to “wipe the slate” clear of the command output, there’s no telling whether this information is stored indefinitely. Ideally, the commands and command output should be saved to a “card” in an encrypted format, (i.e., AES), pulled down, and decrypted locally. This hasn’t been built into the tool yet, and in its current state would require the machine the agent lives on to have certain libraries which might not be present in a default situtation. (Something to work on)
The operator script and implant are currently both designed to be run on Linux-based boxes. Windows implants are a work in progress at this point in time.
Note: This is simply a proof-of-concept to demonstrate legitimate services as command and control infrastructure and is 100% in alpha dev. Use at your own risk and on systems you’ve been authorized to access. (i.e., wherever the agent lives)