Topic: Python based RAT.

Offline D4RKS3C

Python based RAT.
« on: August 22, 2015, 03:12:29 am »
Hi there, I'm Darksec. A while ago, bytebleeder posted the source for a Python-based RAT to GitHub. The thing itself is pretty sweet and functional as is; however, it could seriously use some improvements in order to be realistically deployed in whatever scenario.

Maybe you're asking yourself why anyone would want to make a RAT in Python? Well, because it's pretty cool and because it will be fun.

Here's the source code for the implant:

https://github.com/byt3bl33d3r/gcat/blob/master/implant.py

And here's the source code for your controller:

https://github.com/byt3bl33d3r/gcat/blob/master/gcat.py


In any event, I was wondering if there are any Python programmers here who would feel like collaborating with me on this. The more the merrier, and I am pretty sure 95% of people here are more 1337 than me, so having more experience/skills on board is always a plus.


In any case, here are some of my thoughts.


As you can see, it uses Gmail as a C&C. Bad opsec? We could probably make it more secure.

As you can also see from the source code, the client doesn't offer anything in the way of persistence. To remedy this I am working on a module that will have the client run as a service in the background of an infected machine (unless you have a better idea). I'm about 80% through with this module. Also, to make sure we can retrieve every keystroke even after an infected machine has rebooted, I am pickling my keylogger data.

Furthermore, I was playing with the idea of having deployment take place in two stages. It would involve delivering an executable bound to an evil executable through whatever vector is most appropriate for our purposes. The evil executable would run obfuscated shellcode that will download the main module to a common and not so obvious directory and then execute it. The main module would then install itself as a service and run in the background under a generic name. I have obfuscated shellcode for this purpose ready to go. What I also have is a superior crypter for sandbox evasion and AV bypass.

Basically, I have some things set up and ready to go; it would, however, be awesome to have someone to collaborate with so we can bounce some ideas off each other, see what works, see what doesn't, cut back on the time needed to build this, and stuff like that. If nothing else, I imagine it will be a good educational and fun experience.

Anyway, let me know what you think.
« Last Edit: August 22, 2015, 03:14:18 am by D4RKS3C »

Offline proxx

Re: Python based RAT.
« Reply #1 on: August 22, 2015, 11:38:46 am »
Welcome to evilzone. The term RAT might be frowned upon here, but it sure looks like you put some effort into this code.
Gmail is kinda fishy though; for a real deployment that would not be acceptable.
Perhaps you should take a look at other protocols. SMTP is kinda lame, don't you think? Anyone could hijack an account unless you make some kind of rotation system; then again, I am sure you can come up with something cleaner.
Take a look at DNS fluxing; it might give you some ideas.
« Last Edit: August 22, 2015, 11:43:58 am by proxx »
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline D4RKS3C

Re: Python based RAT.
« Reply #2 on: August 23, 2015, 09:29:59 pm »
Quote from proxx:
Welcome to evilzone. The term RAT might be frowned upon here, but it sure looks like you put some effort into this code.
Gmail is kinda fishy though; for a real deployment that would not be acceptable.
Perhaps you should take a look at other protocols. SMTP is kinda lame, don't you think? Anyone could hijack an account unless you make some kind of rotation system; then again, I am sure you can come up with something cleaner.
Take a look at DNS fluxing; it might give you some ideas.

Thank you for your reply, proxx. Sorry if the term RAT is frowned upon; I am not yet familiar with evilzone etiquette. I will look into DNS fluxing for sure.