Spring 2019 Introduction to Cybersecurity - A simple cross platform rat (remote access trojan)
Renovamen/Ratom

Ratom

A RAT which is like an atom. (In fact, it is not :) Based on user696/MrRAT.


Environment

Python 2.7


Features

Cross platform

  • Cross platform (Windows, Linux, and macOS)
  • Bypass mainstream anti-virus (bypassed all detection engines on VirusTotal)
  • AES-GCM encryption + DH key exchange
  • Executing commands on target
  • Upload & download files to and from target
  • wget & unzip
  • Self-destruction on target
  • Obtain information about the target's system and the top 25 ports of the target's host

Windows specific

  • Bypass Windows User Account Control (UAC) (Windows 10; performed automatically when the client starts up)
  • Persistence (start-up entry)
  • Runs hidden (I do not know how to hide the console window on Linux and Mac)


Details

Bypass UAC

This function exploits a vulnerability in how the trusted, auto-elevating binary fodhelper.exe reads the registry during its execution.

  • fodhelper.exe will look for registry key HKCU:\Software\Classes\ms-settings\shell\open\command\(default) first, by default this key does not exist in Windows 10.
  • Then it will look for HKCU:\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute.
  • If it finds that key, the command stored in HKCU:\Software\Classes\ms-settings\shell\open\command\(default) will be executed.

Since the fodhelper.exe binary has "auto-elevation" settings, the UAC prompt won't show during its execution.

So we just need to:

  • Create HKCU:\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute
  • Set the value of HKCU:\Software\Classes\ms-settings\shell\open\command\(default) to C:\Windows\System32\cmd.exe

In this way, any command registered in the above keys is executed without a UAC consent prompt.

Start-up

Add client.exe to the registry key HKCU:\Software\Microsoft\Windows\CurrentVersion\Run.
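The Bypass UAC and Start-up sections above name two per-user registry locations. The following added defensive check (it is not part of Ratom or MrRAT; only the key paths come from this README, and the function names, output format and remediation comment are this example's own) reports whether the fodhelper hijack key exists under HKCU and lists the per-user Run entries so an unexpected executable stands out.

```powershell
# Added defensive check, not part of Ratom: report whether the two registry
# artefacts described above exist for the current user. The key paths are the
# ones named in this README; everything else here is this example's own.

$cmdKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Test-FodhelperHijack {
    # Under HKCU this key does not exist on a default Windows 10 install,
    # so its mere presence is a finding; DelegateExecute plus a (default)
    # command is the exact pattern fodhelper.exe acts on.
    if (-not (Test-Path -Path $cmdKey)) {
        return [pscustomobject]@{ Present = $false; DelegateExecute = $false; Command = $null }
    }
    $props    = Get-ItemProperty -Path $cmdKey
    $delegate = $null -ne $props.PSObject.Properties['DelegateExecute']
    $default  = $props.PSObject.Properties['(default)']
    [pscustomobject]@{
        Present         = $true
        DelegateExecute = $delegate
        Command         = if ($null -ne $default) { $default.Value } else { $null }
    }
}

function Get-UserRunEntries {
    # Every value under the per-user Run key is a program started at logon;
    # the PS* members are PowerShell provider metadata, not registry values.
    if (-not (Test-Path -Path $runKey)) { return @() }
    (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
}

$hijack = Test-FodhelperHijack
if ($hijack.Present) {
    Write-Warning ("ms-settings\Shell\Open\command exists under HKCU " +
                   "(DelegateExecute=$($hijack.DelegateExecute); default='$($hijack.Command)')")
    # Deleting the key returns the machine to its default state; run by hand
    # after confirming the finding:
    #   Remove-Item -Path $cmdKey -Recurse
} else {
    Write-Output 'No ms-settings\Shell\Open\command key under HKCU.'
}

Write-Output 'Per-user Run entries (review any that point at an unexpected executable):'
Get-UserRunEntries | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session on the host being checked; both keys live in the current user's hive, so no administrator rights are needed to read them.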

Self-destruction

Delete all registry keys created by Ratom on the target (if the target's platform is Windows) and delete the executable file itself.


Usage

server

Requirements:

# Windows
pip install pycryptodome pyreadline
# Mac & Linux
pip install pycryptodome

Then:

# specify a port
python server.py --port 1335
# or use the default port 1335
python server.py


client

Requirements:

# Windows
pip install pycryptodome pywin32
# Mac & Linux
pip install pycryptodome

Set the host and port of your server in the client source:

HOST = 'xxx.xx.x.xxx'
PORT = xxxx

Then:

python client.py


Build

pip install pyinstaller
pyinstaller --onefile client.py

A dist/ folder containing the executable will then be generated.


Disclaimer

  • For research purposes only.
  • Accessing a computer system or network without authorization or explicit permission is illegal.
