Question about RAT's
#11
As far as botnets are concerned only when you're running a pretty big botnet would using a 'home' set up become problematic as @pthread_t mentioned.

Running secure command and control infrastructure at scale is something that requires you to have access to resources. Preferably including a pool of compromised hosts to work with, an authoritative DNS server, an FQDN, and preferably more than one server to host the actual C2.

If you have access to all that you can employ DNS Fast Flux. Depending on the type of DNS Fast Flux you're going for, here is a quick, simplified rundown for those that may be unfamiliar:

In simple terms you use your pool of compromised hosts and rapidly assign the IPs to A and AAAA records and rotate them in quick succession. The hosts, or flux agents, behave like what amounts to reverse proxies. When a client tries to resolve the C2 server, the name server provides the address of a flux agent, so the clients are never in direct contact with the C2 server.


In any case OP was asking about RATs and I don't know about you guys but generally, in my experience, a RAT is used for a specific operation. Maybe even a single target. In which case C2 comms can take place over HTTPS, and a web server you compromised in advance can be modified to send and receive traffic.

Running a hidden service from within a VM and using it for C2 for a single operation won't even register as a blip on the NSA's radar. Unless you're trying to hack the Pentagon; maybe you are, @pthread_t, I am unfamiliar with your threat model. You could also beforehand take care to crack all the APs in your neighborhood and hop APs as Tor would hop nodes, as added security on top of the rest.

And using sites similar to Pastebin is a perfectly viable way of doing C2, as long as you're just running a RAT. Especially if you take care to encrypt the data going back and forth and use YOU -> SSH OVER TOR -> VPS -> Proxies -> PASTESITE.

In any case you can do a lot and do it while minimizing risk; I would only suggest you pick the C2 setup appropriate for what it is that you're trying to achieve.
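A detection-side counterpart to the fast-flux description above, added here as an example (it is not code from this thread or from anyone posting in it): a small heuristic that scans passive-DNS style records and flags names whose A/AAAA answers churn through many distinct addresses, spread across many networks, with short TTLs. The sample records, the names under `.test`, and the thresholds (`min_ips`, `min_networks`, `max_avg_ttl`, `min_churn_per_hour`) are all constructed assumptions; a real deployment would tune them against its own resolver logs and would ideally replace the /24 and /48 network grouping with ASN lookups.

```python
"""Heuristic fast-flux detector over passive-DNS style records.

Added example, not from the original thread. Names, records and
thresholds below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample records: (epoch seconds, qname, rrtype, rdata, ttl).
# One name behaves like an ordinary CDN entry; the other rotates through
# many hosts (the "flux agents" that front the real C2) with short TTLs.
SAMPLE_RECORDS = [
    (1000, "cdn.example-good.test", "A", "192.0.2.10", 3600),
    (1600, "cdn.example-good.test", "A", "192.0.2.11", 3600),
    (1000, "update.flux-sample.test", "A", "198.51.100.7", 180),
    (1200, "update.flux-sample.test", "A", "203.0.113.44", 120),
    (1400, "update.flux-sample.test", "A", "198.51.100.90", 150),
    (1600, "update.flux-sample.test", "A", "203.0.113.200", 120),
    (1800, "update.flux-sample.test", "A", "192.0.2.77", 60),
    (2000, "update.flux-sample.test", "AAAA", "2001:db8:1::5", 120),
    (2200, "update.flux-sample.test", "AAAA", "2001:db8:2::9", 120),
]


@dataclass
class NameStats:
    """Everything we aggregate per queried name."""
    first_seen: int
    last_seen: int
    ips: set = field(default_factory=set)
    networks: set = field(default_factory=set)
    ttls: list = field(default_factory=list)


@dataclass
class Verdict:
    name: str
    distinct_ips: int
    distinct_networks: int
    avg_ttl: float
    churn_per_hour: float
    suspicious: bool


def network_of(addr: str) -> str:
    """Group addresses by /24 (IPv4) or /48 (IPv6) as a stand-in for ASN data."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def aggregate(records) -> dict:
    """Collapse A/AAAA records into per-name statistics, in time order."""
    stats: dict = {}
    for ts, name, rrtype, rdata, ttl in sorted(records):
        if rrtype not in ("A", "AAAA"):
            continue
        s = stats.setdefault(name, NameStats(first_seen=ts, last_seen=ts))
        s.ips.add(rdata)
        s.networks.add(network_of(rdata))
        s.ttls.append(ttl)
        s.last_seen = ts
    return stats


def assess(stats: dict, min_ips=5, min_networks=3, max_avg_ttl=300,
           min_churn_per_hour=4.0) -> list:
    """Score each name. A name is suspicious only if every signal agrees:
    many distinct addresses, spread over several networks, short TTLs, and
    a high rate of new addresses per hour of observation (floored at 1h so
    a short capture cannot inflate the rate)."""
    verdicts = []
    for name, s in stats.items():
        avg_ttl = sum(s.ttls) / len(s.ttls)
        observed_hours = max((s.last_seen - s.first_seen) / 3600.0, 1.0)
        churn = len(s.ips) / observed_hours
        suspicious = (len(s.ips) >= min_ips
                      and len(s.networks) >= min_networks
                      and avg_ttl <= max_avg_ttl
                      and churn >= min_churn_per_hour)
        verdicts.append(Verdict(name, len(s.ips), len(s.networks),
                                avg_ttl, churn, suspicious))
    return verdicts


def suspected_fast_flux(records, **thresholds) -> list:
    """Convenience wrapper: sorted list of names that trip the heuristic."""
    return sorted(v.name for v in assess(aggregate(records), **thresholds)
                  if v.suspicious)


if __name__ == "__main__":
    for v in assess(aggregate(SAMPLE_RECORDS)):
        print(f"{v.name}: ips={v.distinct_ips} nets={v.distinct_networks} "
              f"avg_ttl={v.avg_ttl:.0f}s churn={v.churn_per_hour:.1f}/h "
              f"{'SUSPICIOUS' if v.suspicious else 'ok'}")
```

Requiring all four signals together is what keeps legitimate round-robin and CDN names (many addresses, but long TTLs and a few networks) out of the alert list; any single signal on its own is noisy.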
#12
(04-21-2021, 10:13 PM)Vector Wrote: In any case OP was asking about RATs and I don't know about you guys but generally, in my experience, a RAT is used for a specific operation. Maybe even a single target. In which case C2 comms can take place over HTTPS, and a web server you compromised in advance can be modified to send and receive traffic.

I just wanted to point out that RATs are also used for multiple targets, and especially so over the last couple of years. Due to the increasing popularity of cryptos they are getting close to miners or stealers. I am not saying by any means that this is a new practice, just that cryptos allow getting easy profit and it is harder to trace back to the author.
While the case you are pointing out is obviously relevant, it is not, in my opinion, as usual as the average fully-fledged RAT marketed with the main point of attraction being mining bots.
#13
Hi,

I created a rootkit too, and the solution that I tried was to use a free VPN, getting a new proxy for every request.

My rootkit kind of abuses systems like the Telegram API, Discord or some other communication system, and it will ask for a SOCKS5 proxy, which will be used for the request.

The thing is, it's not really fully working: sometimes, getting a real working proxy can take 10 to 30 secs, and adding to that the botnet rules, it can lead to full minutes to make a simple request, which is not great for anonymity.

If someone knows a better way to do that, I'm open to any suggestion, but, at this stage, I will not advise going that way for anonymity.
#14
(04-22-2021, 06:38 PM)enmafia2 Wrote:
(04-21-2021, 10:13 PM)Vector Wrote: In any case OP was asking about RATs and I don't know about you guys but generally, in my experience, a RAT is used for a specific operation. Maybe even a single target. In which case C2 comms can take place over HTTPS, and a web server you compromised in advance can be modified to send and receive traffic.

I just wanted to point out that RATs are also used for multiple targets, and especially so over the last couple of years. Due to the increasing popularity of cryptos they are getting close to miners or stealers. I am not saying by any means that this is a new practice, just that cryptos allow getting easy profit and it is harder to trace back to the author.
While the case you are pointing out is obviously relevant, it is not, in my opinion, as usual as the average fully-fledged RAT marketed with the main point of attraction being mining bots.


Sure, but the distinction between a crypto-miner, or a paste-jacker designed for stealing cryptocurrency, or a combination of some sort, and a RAT is that, as far as I am familiar with the proper nomenclature, a RAT is specifically designed to be capable of fully taking control of a target system. Automation can be involved but generally the operator needs to be able to send commands and receive output back.

A crypto-miner can perform most of its operations without any input from C2.

That said, if you want an army of systems that you can control from a centralized point then the scaling issue as far as C2 is concerned becomes a lot more to deal with, especially if you want to be able to have half of the network perform task A and the other half task B, or be able to individually control victim boxes. In which case things start to look more like a botnet, and if you have the resources DNS Fast Flux would generally be the way to go about protecting the C2 and the general integrity of the operation. I would also posit that if you want a multi-functional RAT botnet, having a C2 system for each role you want a group of bots to perform might be a good idea.