ZeroMq and Terylene More in Depth - tcpfin-dev/terylene GitHub Wiki
duplex heartbeat monitoring system
ZeroC2's ROUTER and PUB sockets send a heartbeat to Terylene's DEALER and SUB sockets every 2 seconds, and Terylene answers with a heartbeat of its own. Because PUB/SUB is one-way, the reply necessarily travels back over the DEALER/ROUTER pair. If a Terylene instance stops answering, ZeroC2 notifies the botmaster; if ZeroC2 stops sending, Terylene treats the server as down and starts its reconnect procedure.
connection deduplication
Every time a Terylene instance connects to a ZeroC2 server it presents a connection ID derived by hashing its public IP and local IP. ZeroC2 records the ID and ties it to the heartbeat monitor. If a client attempts a new connection while a session with the same ID is still alive, the server rejects the new connection or takes whatever action the operator configures. This keeps the connection table to one entry per device, which saves server resources and simplifies load balancing later on. Two caveats apply. The ID is a deduplication key, not an authenticator: public and local IPs are not secret, so anyone who knows a bot's addresses can compute its ID. And because carrier-grade NAT can put unrelated devices behind one public IP, two such devices with the same private address (192.168.1.2 is common) would collide and the second would be refused. A bot that crashes and reconnects before its previous session has timed out is likewise refused until the heartbeat sweep reclaims the stale entry.
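The heartbeat table and the deduplication check of the two sections above, as an added example that is not Terylene's or ZeroC2's code. It assumes SHA-256 over "public|local" as the hash (the page names neither hash nor encoding), an injected clock so the timing can be stepped by hand, and a peer is declared down after three missed 2-second heartbeats; the IP addresses are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"sync"
	"time"
)

// ConnID derives the connection ID from the bot's public and local IP.
// SHA-256 over "public|local" is an assumption; the page does not name the hash.
func ConnID(publicIP, localIP string) string {
	sum := sha256.Sum256([]byte(publicIP + "|" + localIP))
	return hex.EncodeToString(sum[:8])
}

// Registry is the server-side table of live connections keyed by ConnID.
// A connection counts as alive until it has missed `misses` consecutive
// heartbeats of `interval` (the page uses a 2-second interval).
type Registry struct {
	mu       sync.Mutex
	now      func() time.Time // injected clock so the logic is testable
	interval time.Duration
	misses   int
	lastSeen map[string]time.Time
}

func NewRegistry(now func() time.Time, interval time.Duration, misses int) *Registry {
	return &Registry{now: now, interval: interval, misses: misses, lastSeen: map[string]time.Time{}}
}

func (r *Registry) deadline() time.Duration { return r.interval * time.Duration(r.misses) }

// Register admits a new connection unless the same ID already has a live
// session. A stale entry (past the heartbeat deadline) is replaced rather
// than rejected, so a bot that crashed and came back is not locked out.
func (r *Registry) Register(id string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	t := r.now()
	if seen, ok := r.lastSeen[id]; ok && t.Sub(seen) <= r.deadline() {
		return fmt.Errorf("duplicate connection %s: existing session still alive", id)
	}
	r.lastSeen[id] = t
	return nil
}

// Heartbeat records a reply from the bot. It returns false for unknown IDs,
// which the server should treat as a peer that never registered.
func (r *Registry) Heartbeat(id string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, ok := r.lastSeen[id]; !ok {
		return false
	}
	r.lastSeen[id] = r.now()
	return true
}

// Sweep removes and returns every connection past the heartbeat deadline;
// these are the peers the botmaster would be notified about.
func (r *Registry) Sweep() []string {
	r.mu.Lock()
	defer r.mu.Unlock()
	t := r.now()
	var dead []string
	for id, seen := range r.lastSeen {
		if t.Sub(seen) > r.deadline() {
			dead = append(dead, id)
			delete(r.lastSeen, id)
		}
	}
	sort.Strings(dead)
	return dead
}

func main() {
	now := time.Now()
	r := NewRegistry(func() time.Time { return now }, 2*time.Second, 3)
	id := ConnID("203.0.113.7", "192.168.1.20") // constructed sample addresses
	fmt.Println("register:", r.Register(id))
	fmt.Println("second register:", r.Register(id))
	now = now.Add(7 * time.Second)
	fmt.Println("dead after 7s of silence:", r.Sweep())
}
```

Sweep runs on the server's own timer; the heartbeat handler only stamps the last-seen time, so a burst of late replies cannot resurrect an entry the sweep has already removed.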
Backoff and Retry
When ZeroC2 suffers a sudden outage or connection problem, Terylene detects it through the duplex heartbeat monitor, aborts the connection and backs off, retrying every 30 minutes with an overall connection timeout of 5 hours. This keeps Terylene from being lost when the C2 goes down or is hit by a DDoS from rival C2 servers. Backing off also protects the server: a client that reconnects immediately and repeatedly adds load to a server that is already struggling, whereas a client that waits reduces pressure on both the server and the network. Note that a fixed 30-minute interval is constant backoff rather than exponential backoff; an exponential schedule (doubling the wait after each failed attempt, up to a cap, ideally with jitter) gives the same protection with far fewer attempts during a long outage.
connection deduplication, Backoff and Retry demonstration
https://github.com/polymaster3313/Polyaccess/assets/93959737/4315b8ee-97c6-4fa3-9be9-e0b54f3f1cf0
PS: If the connection times out, Terylene pronounces the C2 dead and Mother Priority is activated.
Mother priority
Mother Priority is the mechanism that keeps the Terylene botnet reachable when a C2 server disappears. ZeroC2 distinguishes two server roles: the Mother C2 and the foster C2. The Mother C2 is the server Terylene first connects to, its "birthplace"; Terylene keeps the mother's IP and connection details permanently. A foster C2 is a server the mother hands Terylene off to, the "foster parent".
Mother Priority takes effect when Terylene declares its foster C2 dead (the 5-hour timeout above). Terylene abandons the foster and reconnects to the mother, and for the mother the timeout before it too is pronounced dead is extended to one month. This gives the botnet a fallback when a C2 server is unavailable or has been taken over: control reverts to the primary server without operator intervention. The trade-off is that every bot carries the mother's address for its lifetime, so that address is both the recovery path and a fixed point the botnet cannot move away from.
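The retry and fallback logic of this section and of Backoff and Retry above, as an added example that is not Terylene's code: a clock-driven state machine using the page's timers (30-minute retry, 5-hour foster timeout, one-month mother timeout). The Multiplier and MaxInterval fields are an assumption added to show the exponential variant; with Multiplier 1 the schedule is the fixed interval the page describes. Server names and timestamps are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what the reconnect loop should do on this tick.
type Action int

const (
	ActWait           Action = iota // not yet time to retry
	ActRetry                        // attempt a connection to Target
	ActSwitchToMother               // foster declared dead; fall back to the mother C2
	ActGiveUp                       // mother declared dead as well
)

func (a Action) String() string {
	return [...]string{"wait", "retry", "switch-to-mother", "give-up"}[a]
}

// Policy holds the timers from the wiki. Multiplier/MaxInterval are an
// assumption: 1 gives the fixed 30-minute schedule, 2 gives exponential backoff.
type Policy struct {
	RetryInterval time.Duration
	Multiplier    float64
	MaxInterval   time.Duration
	FosterTimeout time.Duration
	MotherTimeout time.Duration
}

// Client models one Terylene instance's view of its C2 servers.
type Client struct {
	Mother, Target string
	Policy         Policy
	now            func() time.Time
	downSince      time.Time // zero while connected
	nextRetry      time.Time
	interval       time.Duration
}

func NewClient(mother, foster string, p Policy, now func() time.Time) *Client {
	return &Client{Mother: mother, Target: foster, Policy: p, now: now}
}

// Lost is called when the heartbeat monitor detects the server is gone.
func (c *Client) Lost() {
	if !c.downSince.IsZero() {
		return
	}
	c.downSince = c.now()
	c.interval = c.Policy.RetryInterval
	c.nextRetry = c.downSince.Add(c.interval)
}

// Connected clears the outage state after a successful reconnect.
func (c *Client) Connected() { c.downSince = time.Time{} }

// Tick returns the action to take now and the server it applies to.
func (c *Client) Tick() (Action, string) {
	if c.downSince.IsZero() {
		return ActWait, c.Target
	}
	t := c.now()
	timeout := c.Policy.FosterTimeout
	if c.Target == c.Mother {
		timeout = c.Policy.MotherTimeout
	}
	if t.Sub(c.downSince) >= timeout {
		if c.Target != c.Mother {
			// Mother priority: forget the foster, restart the clock on the mother.
			c.Target = c.Mother
			c.downSince = t
			c.interval = c.Policy.RetryInterval
			c.nextRetry = t
			return ActSwitchToMother, c.Target
		}
		return ActGiveUp, c.Target
	}
	if t.Before(c.nextRetry) {
		return ActWait, c.Target
	}
	// Schedule the next attempt, growing the gap if the policy is exponential.
	mult := c.Policy.Multiplier
	if mult < 1 {
		mult = 1
	}
	next := time.Duration(float64(c.interval) * mult)
	if c.Policy.MaxInterval > 0 && next > c.Policy.MaxInterval {
		next = c.Policy.MaxInterval
	}
	c.interval = next
	c.nextRetry = t.Add(c.interval)
	return ActRetry, c.Target
}

func main() {
	now := time.Unix(0, 0)
	c := NewClient("mother.example", "foster.example", Policy{
		RetryInterval: 30 * time.Minute, Multiplier: 1,
		FosterTimeout: 5 * time.Hour, MotherTimeout: 30 * 24 * time.Hour,
	}, func() time.Time { return now })
	c.Lost()
	for _, step := range []time.Duration{0, 30 * time.Minute, 5 * time.Hour, 5*time.Hour + 30*24*time.Hour} {
		now = time.Unix(0, 0).Add(step)
		a, target := c.Tick()
		fmt.Printf("t+%v: %s (%s)\n", step, a, target)
	}
}
```

The timeout check runs before the retry check, so a retry that happens to fall on the 5-hour boundary is converted into the switch to the mother rather than one more attempt on a dead foster.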
Secure Asynchronous Reverse Shell in ZeroC2
ZeroC2 encrypts the shell data exchanged between the control system and Terylene instances with ChaCha20-Poly1305, an authenticated cipher, so that traffic on the wire is confidential and tamper-evident. This section describes that mechanism. Two qualifications are in order. ChaCha20-Poly1305 and AES-256 are symmetric ciphers whose 256-bit keys are considered adequate against known quantum attacks (Grover's search), but there is no post-quantum key exchange here. And encryption does not make the traffic invisible to analysis: the 2-second heartbeat cadence, message sizes and the C2 endpoints remain observable, and a copy of the payload binary hands an analyst the wrapping key described below.
Session Key Distribution
Initialization of Secure Communication Channels
On initialization, ZeroC2 generates a fresh 256-bit ChaCha20-Poly1305 key for each Terylene instance, used only for reverse-shell traffic. The key is random per session and per bot, so recovering one session's key does not expose any other session.
Encrypted Key Distribution
Sending the ChaCha20-Poly1305 key in the clear would let anyone on the path read every subsequent shell message. ZeroC2 therefore encrypts the session key under an AES-256 key before transmitting it. That AES key is embedded in the Terylene payload binary and shared with the server; the bot uses it to decrypt the wrapper and recover the session key. Two points to keep in mind. The wrapping key ships inside every payload, so this is a pre-shared secret rather than a key exchange: anyone who extracts it from a sample (routine static analysis) can unwrap every session key they capture, and there is no forward secrecy. And the page does not say which AES mode wraps the key; only an authenticated mode such as GCM makes the wrapped key itself tamper-evident.
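The wrap-and-unwrap step described above, as an added example that is not ZeroC2's code. It assumes AES-256-GCM as the wrapping mode (the page names AES-256 but no mode), uses a constructed constant as the embedded key, and stops at key distribution so it stays on Go's standard library; the 32-byte session key it produces is the value that would be passed to golang.org/x/crypto/chacha20poly1305.New for the shell traffic. UnwrapKey is the same call whether the bot or an analyst with the extracted key runs it, which is the caveat in the text made concrete.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SessionKeySize is the ChaCha20-Poly1305 key length in bytes.
const SessionKeySize = 32

// staticKey stands in for the AES-256 key the wiki says is embedded in the
// payload binary. Constructed constant for the example; whatever value a real
// build ships can be read back out of the binary just the same.
var staticKey = bytes.Repeat([]byte{0x42}, 32)

// NewSessionKey draws a fresh per-session ChaCha20-Poly1305 key.
func NewSessionKey() ([]byte, error) {
	k := make([]byte, SessionKeySize)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

func aead(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey encrypts the session key under the shared AES-256 key. AES-GCM is
// an assumption; it is chosen because an authenticated mode is what makes the
// wrapped key tamper-evident. Output layout: nonce || ciphertext || tag.
func WrapKey(kek, sessionKey []byte) ([]byte, error) {
	if len(sessionKey) != SessionKeySize {
		return nil, errors.New("session key must be 32 bytes")
	}
	g, err := aead(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, sessionKey, nil), nil
}

// UnwrapKey is what the bot runs with its embedded key, and equally what an
// analyst runs with the same key pulled from a sample.
func UnwrapKey(kek, blob []byte) ([]byte, error) {
	g, err := aead(kek)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize()+g.Overhead()+SessionKeySize {
		return nil, errors.New("wrapped key too short")
	}
	nonce, ct := blob[:g.NonceSize()], blob[g.NonceSize():]
	return g.Open(nil, nonce, ct, nil) // fails on any tampering or wrong key
}

func main() {
	sk, _ := NewSessionKey()
	blob, _ := WrapKey(staticKey, sk)
	got, err := UnwrapKey(staticKey, blob)
	fmt.Printf("bot recovered session key: %v (err=%v)\n", bytes.Equal(got, sk), err)
	blob[len(blob)-1] ^= 1
	_, err = UnwrapKey(staticKey, blob)
	fmt.Println("tampered wrapper rejected:", err != nil)
}
```

Nothing in WrapKey binds the wrapped key to a particular bot or session; a practitioner reviewing this design would want at least the connection ID in the GCM additional data so a captured wrapper cannot be replayed to a different peer.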
Asynchronous Reverse Shell Mechanism
Simultaneous Command Execution
Because the reverse shell is asynchronous, several commands can be in flight in one shell session at the same time: a long-running command does not block the operator from issuing other commands or from receiving their results.
Real-Time Feedback and Interaction
To show shell activity in real time, ZeroC2 runs a dedicated ROUTER socket in its own goroutine that continuously waits for incoming shell responses. As soon as a response arrives it is written to the shell console. The ROUTER socket prepends the sending peer's identity frame to each message, which is what lets the console attribute a response to the bot that produced it.
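The concurrent dispatch and the collector goroutine of the two sections above, as an added example that is not ZeroC2's code. It assumes a per-command correlation ID (the page does not say how replies are matched to commands), models the ROUTER identity frame as a From field, and replaces the ZeroMQ transport with a constructed Executor function so it runs offline; the bot name and commands are made up.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Response is one shell reply. ID correlates it with the command that produced
// it (assumption); From models the identity frame a ZeroMQ ROUTER socket
// prepends to every inbound message.
type Response struct {
	ID     int
	From   string
	Output string
}

// Executor stands in for the transport: send a command to a bot, get its output.
type Executor func(bot, cmd string) string

// Run dispatches every command without waiting for the previous one and hands
// replies to render in the order they arrive, so a slow command never blocks
// a fast one. It returns the arrival order for inspection.
func Run(bot string, cmds []string, exec Executor, render func(Response)) []Response {
	replies := make(chan Response)
	var wg sync.WaitGroup
	for i, cmd := range cmds {
		wg.Add(1)
		go func(id int, cmd string) { // one goroutine per in-flight command
			defer wg.Done()
			replies <- Response{ID: id, From: bot, Output: exec(bot, cmd)}
		}(i, cmd)
	}
	go func() { wg.Wait(); close(replies) }()

	// Collector: the role of the router-socket goroutine on the page,
	// rendering each reply the moment it lands.
	var order []Response
	for r := range replies {
		render(r)
		order = append(order, r)
	}
	return order
}

func main() {
	exec := func(bot, cmd string) string { // constructed stand-in for the real transport
		if cmd == "sleep 1" {
			time.Sleep(100 * time.Millisecond)
		}
		return cmd + ": ok"
	}
	Run("bot-1", []string{"sleep 1", "whoami", "id"}, exec, func(r Response) {
		fmt.Printf("[%s] cmd#%d -> %s\n", r.From, r.ID, r.Output)
	})
}
```

Without the ID the console would still print replies as they arrive, but the operator could not tell which of several outstanding commands a given line belongs to once the arrival order differs from the dispatch order.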
https://github.com/polymaster3313/terylene/assets/93959737/46d1c0b0-00e5-4e7f-9d02-291ad7234ef1