A remote administration tool, or RAT, is a piece of software used for remotely controlling machines. RATs are commonly used by tech support to gain remote access for troubleshooting purposes, but they are also an important part of a hacker's advanced persistent threat (APT) toolkit. Unlike standard administration RATs, the ones built for attackers are designed to be delivered stealthily and operate undetected.
RATs allow administrators full control of a machine with the privileges of the user they are executed under. The goal of a RAT is to get as close as possible to physical machine access in a software form.
In the hands of a systems administrator, they are valuable assets. In the hands of a hacker, custom-coded RATs, referred to as remote access trojans when used maliciously, can be disastrous, ranging from difficult to detect to almost invisible.
Custom RAT malware is often used by APT hackers to maintain remote access to compromised machines. Once installed, the RAT will connect to a command and control (C&C) server and await further instructions. This technique is very scalable and can result in large networks of compromised machines, also known as botnets. This essentially gives an attacker the equivalent of physical access to huge numbers of compromised hosts at the same time.
These botnets can be used for BTC mining, network recon, data exfiltration, jump boxes, footholds within your network, phishing campaigns, and more. It's like having a hacker present at your machine at all times.
Knowing the behavior of RATs and how they work is critical to understanding how to detect and defend against them. This has been made easier thanks to Shota Shinogi and his RAT simulator, ShinoBOT.
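The check-in behavior described above, where an installed RAT connects to its C&C server and waits for instructions, is something a defender can look for in web proxy logs. The following is an added example, not part of the original article or of ShinoBOT: it flags client/destination pairs whose connections arrive at near-constant intervals. The log format, host names, and thresholds are constructed for illustration, and it assumes the implant polls on a roughly fixed timer.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic): timestamp, client IP, destination.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.23 c2.example.test
2024-05-01T09:01:01 10.0.0.23 c2.example.test
2024-05-01T09:02:00 10.0.0.23 c2.example.test
2024-05-01T09:03:02 10.0.0.23 c2.example.test
2024-05-01T09:04:01 10.0.0.23 c2.example.test
2024-05-01T09:05:00 10.0.0.23 c2.example.test
2024-05-01T09:06:01 10.0.0.23 c2.example.test
2024-05-01T09:00:10 10.0.0.23 news.example.test
2024-05-01T09:00:12 10.0.0.23 news.example.test
2024-05-01T09:00:40 10.0.0.23 news.example.test
2024-05-01T09:07:00 10.0.0.23 news.example.test
2024-05-01T09:07:03 10.0.0.23 news.example.test
2024-05-01T09:30:00 10.0.0.23 news.example.test
2024-05-01T09:02:00 10.0.0.40 updates.example.test
2024-05-01T09:32:00 10.0.0.40 updates.example.test
"""

def find_checkins(log_text, min_events=6, max_cv=0.1):
    """Return {(client, dest): mean_gap_seconds} for pairs whose gaps between
    connections are regular enough to look like an automated check-in."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            seen[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
    suspects = {}
    for pair, times in seen.items():
        if len(times) < min_events:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: low means machine-like timing, high means human.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            suspects[pair] = round(mean, 1)
    return suspects

if __name__ == "__main__":
    print(find_checkins(SAMPLE_LOG))
```

Legitimate software such as update checkers also polls on a timer, so hits from a check like this are leads to compare against an allowlist of known destinations, not verdicts.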
The offensive side of security gets a lot of press. Complex attack chains and stunt hacking draw a lot of attention. With so much attention, it's easy to forget about the other side: making a system secure. When you're penetration testing, it's easy to pop a shell, write a report, and leave the fix to someone else.
At Null Byte, we focus on a lot of attack tools, so I thought I'd take some time to focus on a preventative and educational tool. Something that you can use on a local host to do some testing and see how your network would fare if someone was already inside. Is your antivirus up to date? Is your network properly guarded? What would happen if someone got a shell on something internally?
That's where ShinoBOT comes in. Traditional RATs can require additional work in configuring a C&C server, and while ShinoBOT's C&C server uses HTTPS to communicate with the infected host, it's already configured and provided as a service, which saves some time on the rollout.
You can install this tool on almost any modern Windows machine, but in this guide, I will be testing it out in my Windows 7 VM. We'll start with installation, showcase some features, and then see how it does against an antivirus program.
Click on "Build," then select "Run" on the following prompt. You will also be prompted about running unsigned code, and you should allow the code to run. You will then be presented with the ShinoBOT control panel.
It looks like ShinoBOT has gathered up some general system information. It also appears to be operating flawlessly. At this stage, I have no antivirus configuration and no firewall configuration. Let's try to run a few commands on the system to see how ShinoBOT works.
In order to use our RAT, we'll need to head over to the "Hosts" tab on the ShinoBOT website.
My host is clearly visible here. If I visit the site from behind the same IP address as the host, it displays as lime colored. This is convenient in networks where internet traffic has only one egress point.
Let's click on it and try logging in.
I entered the password from the ShinoBOT control panel and clicked the "Auth" button. It's time to see what this RAT can do.
There's a lot packed in here. You get some host information up at the top, a screen capture utility, command prompt, and more. The interface is very straightforward. Clicking the "+" sign on the Assign Job menu reveals more features, such as a job history, which can be helpful in keeping track of actions you've taken on a particular machine.
While testing commands, attempting to launch a command shell with the "Privilege Escalation" option did lead to a User Account Control (UAC) popup on my infected machine. But with CMD.exe and the ability to upload and download files at will, this could easily lead to a low-privilege shell, Meterpreter session, or even good old-fashioned manual privilege escalation, though that isn't really the goal of this tool.
Now that I've tried out the administration aspect, I think I'll try using it for its intended purpose: seeing if I can detect an APT using a tool like ShinoBOT.
There are many different ways that this type of tool could be detected before a breach became severe. In this case, I'm going to run the most basic test against it. Is this tool's signature known to antivirus vendors? Even if it is, the tool is still useful for testing purposes. I'm interested to see how it handles something that is a requirement in most enterprise environments.
For this test, I installed the free version of Avast. This will be similar to enterprise solutions, though a little trimmed down.
It says I'm protected, but the RAT is still running. Just in case, I decided to run a scan and see if Avast picked anything up.
Avast detects ShinoBOT and clears the application, but doesn't actually kill the ShinoBOT process. I suspect a more invasive antivirus utility would.
ShinoBOT is an excellent tool for testing your defensive security utilities and appliances. Since you can't hide the GUI on the affected host, it adds some legitimacy to its use as an auditing tool. Personally, I think it would be excellent to deploy in a phishing audit. It also serves to demonstrate to non-technical people just how bad running unknown and unsigned code can be.
Screenshots by Barrow/Null Byte