Weaponizing wget and wgetrc

This post is related to malwares and this is strictly for educational purposes only . In this blog I will share the method i use for my experimental malwares to exfiltrate data even after the malware is removed or just to reduce network footprint and to make it more stealthy . This method just works for linux . Note:I make malwares just for fun and not for profit or to cause harm . My malwares never leave my own laptop/desktop

Wget is a linux utility that can retrieve content from web and ftp servers and wgetrc is the configuration for wget . The user configuration can be found in /home/user/.wgetrc . You might have to create that file as it is not available by default .

Suppose you made a malware that got executed . Your malware is sending data to your servers . You fear that the malware will get removed or get caught . You want to keep your network footprint to the minimum . In such case you can just send the important data through the malware and use this method to send most of the data .

Make a .wgetrc if the victim’s computer does not have it . If you find the file set a proxy using that wgetrc file . Use file handling to write to that file . It will look some thing like this

Make sure the http and https server your command and control server . Now set some custom headers such as X-result . Make sure the value of the header is the data you want to exfiltrate . For example if you ran the command “whoami” . The value will be the user or root . Now write “header = X-result:[data]” to that file . It will look something like this.

The wgetrc file

And for the backend you need to run a proxy server that is capable of logging request headers . Here I am using burp proxy server for this poc . Now when the victim will try to use wget the data will be exfiltrated through the proxy server . This will let your malware exfiltrate the data stealthily or even when the malware is removed or the process is killed

The exfiltrated data

I am a hacker and ex-web developer . I sometime work as a freelance dev/hacker . Sometime I hunt bugs