Python Malicious Activities Simulation Program Repository [Malware Simulation Project]

This week, we will introduce the malware activities repository project we developed for cyber security Education, Competition, Training, Testing and Research.

Project Design Purpose: This repository provides a collection of Python programs that simulate a wide range of malicious activities and malware behaviors. These simulations cover common attack vectors, including compromised credentials, penetration, phishing, brute force attacks, distributed denial-of-service (DDoS), remote control operations, trojans, man-in-the-middle (MITM) attacks, insider threats, and more. The repository is designed for the following purposes:

• Education: To provide resources for cybersecurity courses of all levels, including materials for lab assignments and demonstrations on malware behavior.
• Competition: To supply tools for use in cybersecurity competitions, such as Capture the Flag (CTF) events and red teaming exercises.
• Training: To support workshops and training sessions focused on cyberattack and defense techniques for company employees, semi-professionals, and other participants.
• Testing: To assist in evaluating and testing the effectiveness of security solutions and malware detection programs.
• Research: To enable research in areas such as detecting unusual network traffic, identifying trojans, assessing risk responses, and analyzing penetration techniques.

Important: The program and script in this repository can only be used for education, training and research, please don't apply it on cyber attack.

# Created:     2023/07/30
# Version:     v_0.1.2
# Copyright:   Copyright (c) 2023 LiuYuancheng
# License:     MIT License        

Introduction

In cybersecurity research, working with actual malware can be risky, as some malicious programs may unintentionally damage systems. To address this challenge, this project aims to create a repository of scripts and programs that simulate various malicious activities without the associated risks. Key attack vectors include compromised credentials, phishing, brute force attacks, denial of service, trojans, man-in-the-middle attacks, and insider threats. The malicious actions span file theft, web shell attacks, phishing email generation, DDoS, backdoor installation, ARP spoofing, malware injection, and more, providing a comprehensive toolset for simulating and studying cyberattacks.

The repository will provide five types of attack modules, offering a safe environment for research, education, and testing:

• Credentials Compromise Module: Simulates attacks that compromise sensitive security information, such as stealing files or scanning user activity. Key functions include : File/data stolen, Cmd history scanning, User password crack and Browser cookie hijacking.
• Phishing and Scam Module: These modules generate phishing emails or scams to mislead users into downloading malicious resources or viewing malicious links. Functions include: Phishing email generation, Scam Telegram message boom , backdoor/spy trojan and Scam popup advertisement generation.
• Scan and Record Module: These modules record user actions and scan the victim's network/target. Functions include: Network scanning, Service probing, Traffic mirroring , Screen recording and Keyboard logging .
• Denial of Service Module: These modules disable or interrupt the targeted victim's service. Functions include: ARP spoofing, Man in the middle attack , DDoS Attack, Hardware freeze/disable and Packet blocking
• System Destruction Module : These modules are used to destroy the target OS. Functions include: File-sys destructing, Malware injection , FDI and FCI, malware protection watchdog and python-lib hijack

Most of the malware simulations are written in Python and C, with some requiring integration with external attack tools. The repository covers a broad range of attack vectors and malicious actions, making it a versatile resource for cybersecurity education, competition, research, and testing.

Malicious Activities Simulation Program

In this section we will introduce the detail of each Malicious Activities Simulation Program. To check the detail code and document, please refer to the link at the end of each simulation program. The simulation program includes:

• Backdoor and Spy Trojan Simulation Program
• DoS Attack Simulation Program
• ARP Spoofing Attack Simulation Program
• Malware Protection Watchdog Program
• Phishing Email Simulation Program
• Modbus FDI/FCI Attack Simulation Program
• Red Team Command and Control (C2) Simulation Program
• Modbus FDI/FCI Attack Simulation Program
• Flask Web Shell Simulation Program
• Python Pickle Bomb Building Program
• Malicious Code Obfuscation Program

Backdoor Trojan Simulation Program

The Backdoor Trojan Simulation is designed to mimic the behavior of a real backdoor trojan to create a vulnerable point / interface on your system, providing a practical demonstration of how such malware operates in a controlled environment. The system work flow diagram is shown below:

This system consists of three main components that work together to simulate a full-fledged backdoor attack scenario:

• Backdoor Trojan Program: This malicious program runs on the victim’s machine, opening a backdoor that allows an attacker to remotely execute commands, steal credential files, perform harmful actions on the host computer, or inject other malware without authorization. The trojan remains hidden until activated by the hacker, making it difficult for security systems to detect it initially.
• P2P Trojan Connector: This is a console-based peer-to-peer remote control tool used by attackers to interact with the backdoor trojan. It enables hackers to execute destructive actions such as renaming files or filling the user's home directory with garbage files. The P2P connector supports multiple hackers controlling the same trojan simultaneously, creating a collaborative attack scenario.
• Trojan Controller Hub: This is a graphical user interface (GUI)-based control center, allowing attackers to manage multiple backdoor trojans on different victim machines. It provides batch control functionality, enabling hackers to launch coordinated attacks, such as wiping out all files in the home directories of every compromised machine. One hacker can control multiple trojans through this centralized hub.

Detailed project document link : https://github.com/LiuYuancheng/Python_Malwares_Repo/tree/main/src/backdoorTrojan

DoS Attack Simulation Program

The Distributed Denial-of-Service (DDoS) Attack Simulation is designed to emulate large-scale DDoS attacks in a controlled environment, showcasing how malicious actors can disrupt network services by overwhelming a target with a flood of traffic. DDoS attacks are one of the most common and straightforward methods used by hackers to incapacitate services such as websites, servers, or entire networks. This simulation aims to replicate such attacks by generating massive numbers of concurrent network requests to a targeted service, current the attack simulation covers 10 type of different protocols: SSH, HTTP(s), NTP, FTP, TCP, UDP, SMB, Modbus-TCP, SMTP and POP3. The system work flow diagram is shown below:

The DDoS attack simulation system consists of three main components:

1. DDoS Attacker Program: This program runs on individual nodes and uses a multithreaded attack pool to initiate hundreds of parallel threads, simulating a high-volume DDoS attack. The user can configure the attack parameters, and the system provides 10 different types of service attack actors. Users can also integrate custom attack scripts into the attacker for more tailored simulations.
2. DDoS Attack Actors Repository: This repository contains a variety of attack actors that generate different types of network requests, such as SSH, HTTPS GET/POST, SMB login, and others. Each attack actor is instantiated in its own thread and added to the attack pool, where it continuously sends requests to the target.
3. DDoS Control Hub: The control hub links multiple DDoS attacker programs together, allowing the user to monitor the attack in real time and manage individual attackers through a web interface. This centralized system gives users control over multiple attacks simultaneously, enabling batch operations and state monitoring.

Detailed project document link : https://github.com/LiuYuancheng/Python_Malwares_Repo/tree/main/src/ddosAttacker

ARP Spoofing Attack Simulation Program

The ARP Spoofing Attack Simulation is designed to emulate network-level attacks by manipulating the Address Resolution Protocol (ARP), which is essential for translating IP addresses to MAC addresses in a local network. This program leverages the popular tool Ettercap to execute ARP spoofing attacks, enabling attackers to intercept, block, or manipulate network traffic. By integrating this ARP spoofing simulation into a larger Command and Control (C2) Emulation system, the program offers a versatile tool for testing network vulnerabilities and defense mechanisms. The system work flow diagram is shown below:

The ARP Spoofing Attacker extends the functionality of the standard C2 malware simulation module by incorporating a custom Ettercap Wrapper. This wrapper enables precise control over network traffic through ARP poisoning, targeting routers, switches, or other devices in specific network subnets. This allows the attacker to either drop specific packets, block entire traffic streams, or perform more advanced attacks like Man-in-the-Middle (MitM).

By simulating ARP spoofing attacks in this controlled environment, the system provides valuable insights into the risks posed by such attacks and allows security teams to test their mitigation strategies against common network-based threats.

Detailed project document link : https://github.com/LiuYuancheng/Python_Malwares_Repo/tree/main/src/ettercapWrapper

Malware Protection Watchdog Program

The Malware Watchdog Program is designed to provide robust protection for malware or attack programs during cyber exercises, particularly for red team operations. One of the common challenges faced by attackers in these exercises is the ability of the blue team to swiftly stop malicious processes or delete files, rendering the attack ineffective. This project aims to counter those defensive measures by creating a watchdog that continuously monitors and ensures the uninterrupted operation of target programs. The system work flow diagram is shown below:

Key features of the Malware Watchdog Program include:

• Continuous Monitoring: The watchdog binds to the target program, vigilantly tracking its execution state in real time. This ensures that the program remains active and functional throughout the attack.
• Dynamic Response Mechanism: If the target program is terminated or its process is killed, the watchdog automatically launches a new instance of the program, ensuring that the attack can resume without manual intervention.
• File Integrity and Recovery: In cases where the target program file is deleted, the watchdog quickly detects the issue and restores the program from a backup, ensuring minimal downtime and continued operation.

This program is particularly useful for Red Teaming in Cyber Exercises, Service Program Protection, and Malware Action Detection Research. By binding the watchdog to a single program or chaining multiple programs together, users can create a self-protecting ecosystem where the programs automatically protect each other from being terminated or deleted.

Detailed project document link : https://github.com/LiuYuancheng/Python_Malwares_Repo/tree/main/src/processWatchDog

Phishing Email Simulation Program

The Phishing Email Simulation Program is designed to mimic real-world phishing attacks by using AI-generated content to craft convincing emails, spam message that lure victims into engaging with malicious links or attachments. The program automates the entire process, from generating realistic email content to embedding hidden malicious links or archives within the message, and then sending it to the victim using a valid email service. This simulation provides a powerful tool for testing email-based attack vectors in cybersecurity exercises or training environments. The system work flow diagram is shown below:

Key Features:

• AI-Powered Content Generation: The program utilizes AI to create realistic, contextually relevant email content designed to trick the recipient into clicking on a malicious link or opening a harmful attachment.
• Malicious Link Embedding: The malicious links or archives are carefully disguised within the email, making them difficult to detect at a glance and increasing the likelihood of victim engagement.
• Use of Valid Email Services: The phishing email is sent using legitimate email services, adding to the authenticity of the attack and bypassing basic email filtering mechanisms.

This simulation is ideal for Cybersecurity Training, Phishing Awareness Campaigns, and Red Team Exercises, allowing organizations to test their defenses and improve awareness of phishing attacks.

Detailed project document link : https://github.com/LiuYuancheng/Python_Malwares_Repo/tree/main/src/phishingEmailSender

Modbus FDI/FCI Attack Simulation Program

The Modbus FDI/FCI Attack Simulation Program is designed to emulate cyberattacks on Operational Technology (OT) systems, specifically targeting devices using the Modbus-TCP protocol such as Programmable Logic Controllers (PLCs). This simulation focuses on two primary types of attacks: False Data Injection (FDI) and False Command Injection (FCI), both of which can disrupt industrial control systems and critical infrastructure. By integrating this program into a larger Command and Control (C2) Emulation system, it enables red teams to test and explore vulnerabilities in OT environments. The system work flow diagram is shown below:

Key Features:

• False Data Injection (FDI): The program injects manipulated or false data into Modbus-TCP communication channels, misleading the control systems into making incorrect decisions. For example, false sensor readings may be sent to cause power grids to adjust electricity levels inaccurately, potentially leading to operational disruptions.
• False Command Injection (FCI): This feature allows attackers to inject unauthorized commands into the OT systems, forcing them to execute harmful actions. This could involve instructing machinery to perform unsafe actions, disrupting production, or damaging equipment.
• Seamless C2 Integration: The program is designed to be incorporated into a comprehensive C2 system, allowing attackers to manage and execute both FDI and FCI attacks in a coordinated manner.
• Targeting Modbus-TCP Devices: The simulation specifically targets Modbus-TCP-based devices, a widely used protocol in OT environments, making it ideal for testing vulnerabilities in industrial systems like PLCs.

By simulating both FDI and FCI attacks, this program provides a powerful tool for testing the resilience of OT systems, making it useful for cybersecurity training, red team exercises, and industrial control system research. The insights gained from these simulations can help identify weaknesses in OT systems and develop stronger security defenses to mitigate real-world threats.

Detailed project document link : https://github.com/LiuYuancheng/Python_Malwares_Repo/tree/main/src/falseCmdInjector

Red Team Command and Control (C2) Simulation Program

The Red Team Command and Control (RTC2) Simulation Program is a comprehensive solution designed to emulate a command and control (C2) server for use in cyber exercises and training scenarios. The RTC2 server acts as the central hub for red team members, enabling them to coordinate and manage compromised machines, issue remote commands, and orchestrate a wide range of simulated malicious activities. This system enhances the realism of cyber exercises by mimicking real-world C2 servers used in botnet operations and remote control attacks, allowing red teams to test and challenge blue team defenses in a controlled environment. The system work flow diagram is shown below:

Key Features:

• Centralized Command Hub: The RTC2 server enables red team members to seamlessly control compromised systems from a single, centralized location. It allows for data collection, remote command execution, and coordination of multiple attack vectors.
• Multi-Threaded Client Integration: Users can easily hook the multi-threading-based client into their malicious action programs, integrating them into the RTC2 system. This allows for the smooth execution and control of complex cyber attack simulations.
• Web Interface and API: The RTC2 system includes a user-friendly web interface and HTTP request handler API, offering remote control capabilities via web browsers or custom programs. This makes managing cyber exercise scenarios more accessible and adaptable.
• Botnet and Remote Control Emulation: The system can simulate botnet operations, enabling users to control compromised machines (botnets) to launch DDoS attacks, steal data, or perform other malicious actions. It also supports remote control, providing the ability to issue commands and manipulate infected machines.
• Defensive and Offensive Use Cases: In addition to red team operations, the RTC2 framework is valuable for defensive teams and training simulations. Security professionals can use the system to practice responding to simulated threats, improving their incident response and defense strategies.

By providing dynamic monitoring, scheduling, and control over malicious action programs, the RTC2 Simulation Program delivers a powerful tool for cyber exercises, red team operations, and training environments, helping organizations improve their cyber defense readiness and resilience against real-world threats.

Detailed project document link : https://github.com/LiuYuancheng/Python_Malwares_Repo/tree/main/src/c2Emulator

Flask Web Shell Simulation Program

The Flask Web Shell Simulation Program is designed to simulate the behavior of a web shell in a controlled environment. A web shell is a malicious script that provides attackers with remote access to a server via a web interface, often enabling unauthorized control of the system. By simulating these actions within a Flask-based web application, this program helps red teams and cybersecurity professionals replicate real-world scenarios, testing and evaluating the security measures in place to defend against such attacks.

Key Features:

• Remote Command Execution: The Flask web shell allows attackers to execute system commands on the compromised server, simulating how a web shell might be used to control a victim's machine. Users can issue shell commands directly from the browser, gaining insight into how unauthorized access can be exploited.
• Session Hijacking and Credential Harvesting: The simulation can include session hijacking or credential harvesting features, demonstrating how attackers might steal login sessions or capture sensitive information to escalate their privileges.
• Customizable Payloads: Users can configure and simulate various payloads delivered through the web shell, such as injecting malicious scripts or altering server configurations. This flexibility supports diverse scenarios for cybersecurity testing.
• Simulated Persistence Mechanisms: The program can emulate persistence techniques commonly employed by web shells, such as installing backdoors, to maintain access even after an initial breach is detected.

This simulation provides a valuable tool for training and testing the defenses against web shell attacks in a safe environment. By replicating real-world tactics, it enhances the preparedness of cybersecurity teams to detect, mitigate, and respond to such threats effectively.

Detailed project document link : https://github.com/LiuYuancheng/Python_Malwares_Repo/tree/main/src/flaskWebShell

Python Pickle Bomb Building Program

The Python Pickle Bomb Building Program is designed to simulate and demonstrate the risks associated with insecure deserialization using Python’s pickle module. In real-world scenarios, pickle bombs are a form of exploit where malicious payloads are serialized and deserialized, allowing attackers to execute arbitrary code on a target system. This program showcases how attackers can craft harmful pickle objects and the devastating consequences they can have if improperly handled. The system work flow diagram is shown below:

Key Features:

• Custom Pickle Payload Generation: The program allows users to create malicious pickle objects embedded with arbitrary code that can be executed upon deserialization, simulating how attackers exploit insecure serialization in Python applications.
• Protection Mechanism Demonstration: Beyond building pickle bombs, the program also illustrates best practices and mitigation strategies, such as restricting the use of pickle or switching to safer serialization libraries. This helps users understand how to prevent such attacks in real-world applications.

This program serves as an educational tool for understanding the dangers of insecure deserialization in Python and equips cybersecurity professionals with the knowledge needed to detect and prevent such attacks. By simulating real-world pickle bomb scenarios, it highlights the importance of secure coding practices in handling serialized data.

Detailed project document link : https://github.com/LiuYuancheng/Python_Malwares_Repo/tree/main/src/pickleBomb

Malicious Code Obfuscation Program

The Malicious Code Obfuscation Program is a comprehensive tool designed to protect sensitive Python source code by transforming it into unreadable, yet executable, obfuscated data. The primary objective of this program is to safeguard intellectual property and prevent unauthorized access to proprietary algorithms or sensitive code segments. By leveraging advanced obfuscation techniques, this tool enhances code security, making reverse engineering and code analysis significantly more difficult. The system work flow diagram is shown below:

Key Features:

• Multi-layer Python Code Obfuscation: The program provides flexible, multi-layer obfuscation options, allowing users to configure the depth and size of the obfuscated code. This feature ensures robust protection while maintaining code functionality.
• Obfuscation Encoder: The encoder encrypts the Python source code into unreadable bytes, preserving its functionality when executed by a Python interpreter. It allows users to obfuscate entire Python programs or specific sections, embedding an execution header to ensure seamless execution.
• Obfuscation Decoder: The decoder reverses the obfuscation process, transforming the obfuscated code back into its original, readable form. This allows for ease of maintenance, debugging, and modification of obfuscated programs.
• Flexible Obfuscation Options: Users can choose to obfuscate the entire source code or only specific portions, allowing for more granular protection. This flexibility ensures that critical sections of the code are protected while maintaining readability for other parts.
• Web-Based Interface and API Integration: The tool features a user-friendly web interface, making it simple to obfuscate and decode Python programs without needing in-depth technical knowledge. It also offers a standardized API, allowing seamless integration into larger projects or workflows.

This obfuscation tool provides a powerful solution for developers looking to protect their Python applications from unauthorized access and code manipulation, offering a balance between security and usability.

Detailed project document link : https://github.com/LiuYuancheng/Python_Malwares_Repo/tree/main/src/pyObfuscator

Thanks for spending time to check the article detail, if you have any question and suggestion or find any program bug, please feel free to message me. Many thanks if you can give some comments and share any of the improvement advice so we can make our work better ~