Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PowerShell-RAT - (ISC)2 Melbourne Chapter - 16th Sep '19 Meeting (Information Security)

5328ae49ced980b969858f39e403bbdd?s=47 ViralManiar
September 16, 2019

PowerShell-RAT - (ISC)2 Melbourne Chapter - 16th Sep '19 Meeting (Information Security)

PowerShell-RAT is a stealthy Python and PowerShell-based backdoor that uses Gmail to exfiltrate data. It is astoundingly quick and easy to create a custom attack to exfiltrate data over Gmail. Establishing a backdoor is one of the main goals for an attacker in order to gain persistence over the targeted machines.

Currently the PowerShell-RAT tracks user keystroke activity, hijacks clipboard history, performs screen captures, and sends the information - exfiltrates the data - to the attacker as e-mail attachments. Furthermore, PowerShell-RAT allows an attacker to remotely control the victim’s machine by sending and executing system commands over email allowing two-way communication between an attacker and the compromised host via Gmail.

Frustratingly for organisations that believe they can rely on enterprise grade AV and fully patched Windows environments, the PowerShell-RAT code is currently undetectable. Why? The code is written from scratch and is not seen by AV vendors. Furthermore, using Google as an independent command and control channel is likely to be more successful than using newly created domains or domains with no reputation. Attackers can use this technique to avoid network detection by NextGen firewalls, exposing your organisation’s data assets.

During presentation, the speaker would walk through a number of defence mechanisms to detect stealthy backdoors using publicly available SysInternals Tools such as Autorun, Sysmon, Process Explorer and Process Monitor from Microsoft and some recommendations to protect organisation against such attacks.



September 16, 2019

More Decks by ViralManiar

Other Decks in Technology


  1. PowerShell-RAT Viral Maniar

  2. Disclaimer • Performing any hack attempts or tests without written

    permission from the owner of the systems is illegal. • This project must not be used for illegal purposes or for hacking into system where you do not have permission, it is strictly for educational purposes and for people to experiment with.
  3. # whoami • Over 7 years of experience in the

    field of Information Security • Passionate about offensive and defensive security • Working as a Principal Security Consultant at Threat Intelligence Pty Ltd • In my free time I develop security tools • Outside from Infosec land – like photography https://github.com/Viralmaniar https://twitter.com/maniarviral https://www.linkedin.com/in/viralmaniar/ https://viralmaniar.github.io/
  4. Recent news and statistics


  6. What is RAT?

  7. Remote Access Trojan (RAT) • RAT is define as programs

    that provides the capability to allow covert surveillance or the ability to gain unauthorised access to a victim machine • Most RATs are designed to operate with a command and control server (C2 server or c&c server) • Attacker can send commands and receive data collected from the infected machines
  8. Attack Vectors • RATs can be hidden in an exe

    files and placed on a USB as a file named resume or HR_Remuneration_2019 • RATs can be hidden in behind a fake web page button • It can be hidden in a picture, an icon or inside a video attachment • The most popular method hacker uses is to hide a binary inside a popular movie, song or a game and post it on a torrent for free download • USB Rubber Ducky

  10. Browser Warnings

  11. Anti-Virus Tools

  12. PowerShell-RAT • Open source tool written in Python and PowerShell

    • Assist Red Teamers and Penetration Testers to exfiltrate sensitive information via Gmail as command and control server during internal penetration test or through phishing campaigns • This piece of code is Fully UnDetectable (FUD) by Anti-Virus (AV) softwares (for now) • Currently supports following functions: • Reverse Shell over Gmail • Screenshots • Keyboard strokes • Clipboard Hijack
  13. PowerShell-RAT Overview Infected Machine RAT modules Attacker Controlled Gmail Account

    Runs modules frequently
  14. Setup • Throwaway Gmail addresses • Enable "Allow less secure

    apps" by going to https://myaccount.google.com/lesssecureapps • Modify the $username & $password variables for your account in the Mail-*.ps1 PowerShell files • Modify $msg.From & $msg.To.Add with throwaway Gmail addresses
  15. Screenshots Module • Takes screenshots of the user screen every

    1 minute using Graphics.CopyFromScreen Method • Sends an email to the attacker as an attachment • Deletes the screenshots to avoid suspicious
  16. Clipboard Module • Keeps track of user clipboard along with

    timestamps every minute. • User can modify these as per their need to sniff every few seconds • Sends an email to the attacker with clipboard data as a clip.txt file attachment
  17. Keystrokes Module • Starts keyboard strokes logging after user Authentication

    • Uses SetWindowsHookEx with WH_KEYBOARD_LL • Sends an email to the attacker with keystrokes data as a elog.txt file attachment
  18. Reverse Shell Module • Uses Gmail API’s to read emails

    every 15 seconds and parses the commands from the attacker • Shell output gets sent to the attacker email • Examples of commands for reverse shell: • ISC2DEM019:whoami • ISC2DEM019:tasklist • ISC2DEM019:ipconfig • ISC2DEM019:KILL
  19. Enough talking!

  20. Detection Mechanism • SSL Stripping on your network. Some companies

    have policies to not perform SSL stripping on well known sites to maintain users privacy. Furthermore, attacker can encrypt traffic for exfiltration. • PowerShell Logging. However, attacker can clear these locations to avoid logging of the scripts. • Look for regularly timed DNS traffic through frequency analysis. However, this can be defeated using randomisation in connection timing. • Sysinternal tools such as autorun, sysmon, process explorer and process monitor to review system configurations. Requires time and resources.
  21. Recommendations • Disable PowerShell for the domain users if not

    required • Application whitelist via software restriction policies • Invest in a decent EDR solutions and run this on every hosts and servers in your network
  22. References • https://docs.microsoft.com/en- us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8 • https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get- clipboard?view=powershell-5.1 • https://developers.google.com/docs/api/quickstart/python •

    https://github.com/googleapis/google-api-python-client • https://www.pdq.com/blog/powershell-send-mailmessage-gmail/ • https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexa • https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks • https://www.itwire.com/security/australia-hit-by-9-2-million-malware-attacks-in-just-six- months.html • https://www.cyber.gov.au/aisi/statistics/malware-statistics • Sandeep Ghai from Threat Intelligence for his help on Reverse Shell Module