Author: Thomas Gomer, Security Consultant at Rootshell.

Device implants are tools used within penetration testing to stealthily record, input and exfiltrate information. The implant most often talked about in the media is the USB Rubber Ducky, which has been featured everywhere from the technology YouTube channel LinusTechTips to mainstream television such as Mr. Robot.

Recently a client came to us for advice on deploying a hardware-based keylogger within their business. The client was initially interested in deploying the Hak5 Keycroc; however, Rootshell took this as a chance to investigate another keylogger that has recently emerged on the market, the O.MG cable.

Keycroc

The Hak5 Keycroc was released in May 2020 and has joined the arsenal of tools developed and maintained by Hak5. It uses DuckyScript to develop powerful, extensible payloads.

The Keycroc runs a full Linux kernel under the hood, which allows it to use many common tools such as Nmap and Metasploit. As well as being a keylogger, it can act as an ethernet device, a HID keyboard and a storage device. It can also connect to a C2 server that is maintained by Hak5.

Keycroc in Practice

Overall, the Keycroc is a functional device: once started and passing keystrokes through, it logged them successfully, and once set back to arming mode it saved the keystrokes, which could then be read from the USB storage device presented by the implant.

Two problems were encountered during testing of the device: it seemed unable to save the keystrokes if it was powered off without first entering arming mode, and it seemed slow to boot up and begin logging keystrokes.

The first issue could be solved by using the C2 server to log the keystrokes periodically. The second issue, however, is inherent to the device. Considering this device is supposed to be a long-term implant, the slow boot time should not be a problem once the device is deployed and booted.

O.MG Cable

The O.MG cable was developed with a similar idea to project Cottonmouth, which was created by the NSA. Like the Keycroc, it also uses DuckyScript as its method of defining payloads; however, the O.MG cable has added certain features that are not available on the Keycroc.

Like the Keycroc, the O.MG cable can act as a HID keyboard and a keylogger, but it cannot act as an ethernet device. The O.MG cable can also connect to a C2 server; however, this is still in beta and under development.
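From a defender's side, the capability lists above (the Keycroc presenting as ethernet device, HID keyboard and storage device; the O.MG cable presenting as a HID keyboard) suggest one simple host-side check: a single USB device that enumerates as a keyboard and also as a network or storage interface is worth a look. The script below is an added example written for this article, not code from Rootshell, Hak5 or the O.MG project. It parses constructed Linux kernel (dmesg) lines, which are made up for illustration with placeholder vendor/product IDs, groups the functions each USB port exposes, and flags ports where a keyboard is combined with another function.

```python
import re
from collections import defaultdict

# Constructed sample dmesg output (made up for this example; the vendor and
# product IDs are placeholders and do not identify any real device).
SAMPLE_DMESG = """\
[  101.211] usb 1-3: new high-speed USB device number 7 using xhci_hcd
[  101.360] usb 1-3: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
[  101.362] usb 1-3: Product: Composite Device
[  101.410] input: Composite Device as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:1234:0001.0004/input/input21
[  101.412] hid-generic 0003:1234:0001.0004: input,hidraw3: USB HID v1.11 Keyboard [Composite Device] on usb-0000:00:14.0-3/input0
[  101.520] cdc_ether 1-3:1.1 usb0: register 'cdc_ether' at usb-0000:00:14.0-3, CDC Ethernet Device, 02:00:00:00:00:01
[  101.700] usb-storage 1-3:1.2: USB Mass Storage device detected
[  250.001] usb 1-4: new low-speed USB device number 8 using xhci_hcd
[  250.120] usb 1-4: New USB device found, idVendor=abcd, idProduct=0002, bcdDevice= 1.10
[  250.200] input: Plain Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:ABCD:0002.0005/input/input22
[  250.210] hid-generic 0003:ABCD:0002.0005: input,hidraw4: USB HID v1.10 Keyboard [Plain Keyboard] on usb-0000:00:14.0-4/input0
"""

HID_ID = r"[0-9A-Fa-f]{4}:[0-9A-Fa-f]{4}:[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}"
# "usb 1-3: New USB device found, idVendor=1234, idProduct=0001" -> port and IDs
NEW_DEV_RE = re.compile(r"usb (\d+-[\d.]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
# sysfs path ".../usb1/1-3/1-3:1.0/0003:1234:0001.0004/input/..." -> port and HID id
INPUT_RE = re.compile(r"input: .* as \S*/(\d+-[\d.]+)/\d+-[\d.]+:\d+\.\d+/(" + HID_ID + r")/")
# "hid-generic 0003:1234:0001.0004: ... USB HID v1.11 Keyboard [...]" -> HID id and type
HID_RE = re.compile(r"hid-generic (" + HID_ID + r"): .*USB HID v[\d.]+ (\w+)")
# Interface drivers that bind per "port:config.interface", e.g. "cdc_ether 1-3:1.1"
IFACE_RE = re.compile(r"(cdc_ether|cdc_ncm|rndis_host|usb-storage) (\d+-[\d.]+):\d+\.\d+")
DRIVER_CLASS = {"cdc_ether": "ethernet", "cdc_ncm": "ethernet",
                "rndis_host": "ethernet", "usb-storage": "storage"}


def parse_usb_functions(dmesg):
    """Map each USB port to its vendor:product IDs and the set of functions it exposes."""
    devices = defaultdict(lambda: {"ids": None, "functions": set()})
    hid_to_port = {}   # HID id -> port, learned from the sysfs path in "input:" lines
    hid_types = {}     # HID id -> "Keyboard", "Mouse", ... from hid-generic lines
    for line in dmesg.splitlines():
        m = NEW_DEV_RE.search(line)
        if m:
            devices[m.group(1)]["ids"] = f"{m.group(2)}:{m.group(3)}"
            continue
        m = INPUT_RE.search(line)
        if m:
            hid_to_port[m.group(2).upper()] = m.group(1)
            continue
        m = HID_RE.search(line)
        if m:
            hid_types[m.group(1).upper()] = m.group(2).lower()
            continue
        m = IFACE_RE.search(line)
        if m:
            devices[m.group(2)]["functions"].add(DRIVER_CLASS[m.group(1)])
    # Join the two HID views after the loop so line order does not matter.
    for hid_id, kind in hid_types.items():
        port = hid_to_port.get(hid_id)
        if port:
            devices[port]["functions"].add(kind)
    return dict(devices)


def find_suspicious(devices):
    """Return ports whose device is a keyboard combined with any other function."""
    return {port: info for port, info in devices.items()
            if "keyboard" in info["functions"] and len(info["functions"]) > 1}


if __name__ == "__main__":
    devs = parse_usb_functions(SAMPLE_DMESG)
    for port, info in find_suspicious(devs).items():
        print(f"port {port} ({info['ids']}): keyboard plus {sorted(info['functions'] - {'keyboard'})}")
```

On the constructed sample this flags port 1-3 (keyboard plus ethernet and storage) and leaves the plain keyboard on port 1-4 alone. The caveat follows directly from the article: a device that enumerates only as a keyboard, as the O.MG cable is described as doing here, is indistinguishable from a real keyboard by this heuristic alone, so it needs to be paired with an inventory of expected keyboard vendor/product IDs or with USB device-attach alerting.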

O.MG in Practice

The O.MG cable is a powerful tool for use as a keylogger: the functionality can be turned on at boot, and it is easy to configure to connect to Wi-Fi networks. In use, the O.MG cable powers on and immediately begins logging keystrokes.

The most significant benefit of the O.MG cable is that it takes a very short time for the device to become operational.

The O.MG cable does not save the keystrokes between reboots, so it is necessary to connect to it in order to exfiltrate the keystrokes. However, using the C2 avoids this downside, as the keystrokes can be accessed and saved remotely.

Conclusions

Overall, both devices have benefits and downsides. The O.MG cable shares much of the functionality of the Keycroc but is missing the features that allow the Keycroc to look for key phrases and then either store the keystrokes that follow or inject something malicious afterwards.

The O.MG cable is a small device that is easy to implant and hide, and it has many useful features such as a C2 and ways to completely kill the device until it is reflashed. These features and considerations make the O.MG cable a useful tool for implanting within businesses.

Due to the potential the O.MG cable has, Rootshell Security will continue to look into and work on ways to automate the deployment of O.MG cable C2 servers, as well as methods to improve the workflow.

Future Developments

Rootshell will be publishing a set of blogs covering the use of the C2 servers for both the Keycroc and the O.MG cable, as well as creating some custom tooling to aid in the O.MG cable's day-to-day use.

The next planned blog posts will be the following:

  • O.MG C2 Dockerised
  • O.MG Payload development
  • O.MG Keylogging Parsing
