
Funshine's The Tale of a RAT Ch.1
#1
Chapter 1: Intro

At our level of cybercriminal, we want to compromise people's and companies' computers with some sort of malware for our own financial or personal gains. Yes? The most common tool people are infected with is a Remote Access Trojan (RAT). Once the individual/computer is infected with a RAT, we have control over it to obtain passwords, account information, steal cookies, deploy keyloggers, or upload more malware to their devices.

A RAT is a common tool used by hackers, cybercriminals, and nation state actors since the dawn of time to compromise and control people's computers across the globe from all walks of life. Once a computer is compromised you can then decide what to do with that specific computer, which can include using it, pillaging it, selling it to other cybercriminals, obtaining logs and selling those, and on and on. There are many different RATs available out there to select from, which makes it difficult for some people when they're first starting out. With so many RATs available these days, determining which RAT to use or purchase for your cybercriminal operations can get confusing.

First, you need to understand that you will fall into one of the (2) levels of cybercriminals, which is based on your knowledge right now at this moment as you're reading this. And those (2) levels are: can you code malware, or do you have the money to buy the malware you need?

Obviously, if you're capable of coding your own RAT then you'll be adding features to it that you've deemed important for your malware project and cybercriminal operations. If you already know how to code but you're not sure where to get usable malicious code from, it's best to head over to GitHub and VX-Underground, as there are many code examples of other RATs and other pieces of malware that you can learn from, which will give you some insight into their functionality and how that RAT achieved XYZ features.

GitHub can be a wealth of knowledge with many examples of other people's code to utilize, copy, modify, and enhance in order to create your own Frankenstein RAT. Which is basically what I did when I was operating in the wild some moons ago. When, and if, you reach that level of malware creator master then you can just use the search function on GitHub looking for "RAT", "password grabber", etc. and you'll be down that rabbit hole in no time. Outside of GitHub you can find the source code of malware that has been leaked online to learn from all over the place these days.

CobaltStrike and Conti leaks anyone?!

If you're at a more advanced level of coding then head over to: https://www.vx-underground.org

VX-Underground has most of the recent malware source code leaks so you can learn from it and copy their techniques. This is another excellent resource to have and use when you're able to.

For those of you who have yet to invest the time needed to learn any kind of programming language, this is totally acceptable these days. There are so many RATs and other pieces of malware available to purchase that will be just as effective, if not better, than what you'll be able to code on your own. I mean let's face it... by the time you learn Python, C/C++, or ASM in order to create your own RAT, the cyber security defenses you'll be up against will have advanced past your coding ability. Well, this is true for most of us in 2023, so you're not alone on that one.

That all being said, I do recommend that everyone, eventually, learns some of the basics of any programming language such as Python, C/C++, or ASM so you can slowly start to understand how to create your own RAT when you have some free time in the future. Now, I know there are some excellent pieces of malware available for purchase, but the reality is that it's better to rely on yourself to create something wicked and not be at the mercy of some malware developer who has to constantly keep their malware up to date and functioning for you to be successful. There's nothing more frustrating than purchasing the latest banking trojan only to have the malware developer vanish, retire, or end up in jail a few months after releasing their product.

Unfortunately, once a malware developer makes their millions they usually disappear into the darkness, and let's face it, this is true for almost every "product" or "service" available in the cybercriminal underworld.

There are many reasons why you may want to infect people's computers with a RAT, but the overall goal is to have and maintain access to the target(s)' computer so you're able to download their files, monitor their actions/movements, and more importantly upload other pieces of malware to their computer. Most of the RATs come with features such as keylogging capabilities, credential harvesting, password grabbers, screen monitoring, etc., but it's important for you to have a plan for what you're trying to accomplish when using a RAT. We're cybercriminals first and foremost. We're not fucking weirdos infecting people with RATs so you can watch their screens all day or creep the fuck out of them watching them through their webcam. No!

We're not any of those fucking weirdos at all. Fuck that!

If the individual(s) you've infected with a RAT are worthless to you then move the fuck on and leave some ransomware behind on their machine for good measure. Don't spend too much time sifting through file after file on their computer looking for some fucking golden goose that you'll never find. If you're spending hours going through all of someone's shit on their computer you'll soon realize it's probably better to get a job at McDonald's because you'll be making more money by doing so.

Always consider your time on task when operating as a cybercriminal and keep profits in the back of your mind when spending a lot of time on one operation. Don't waste your time because time is something you cannot get back.

Now, that all being said, I'm sure many of you reading this probably have a target already selected in your mind who you want to infect with a RAT, or some sort of plan involving infecting people with the ransomware you're about to purchase. Maybe it's someone you want to keep close tabs on, or maybe it's someone you know who is HODLing some cryptocurrencies that you wouldn't mind borrowing a coin or two from. The point is that you want to target specific people or organizations and not randomly send your RAT to as many people as possible through email. This is no good since most modern-day Operating Systems (OS) have built-in Anti-Virus (AV) that will submit unknown files back to their servers for more analysis, which of course will get your RAT flagged as malicious quicker than you think, eventually. This is the cat and mouse game we all play and love, which is true for all malware currently being circulated around the Interwebs and below.

Everything one day will be detected. Remember that.

Truthfully, most malware developers I've dealt with only want to sell their products to vetted individuals or to people that already know what the fuck they're doing, so they don't have some random person sending their malware to AV vendors and malware researchers alike for free by spamming the fuck out of an email list they bought from the AlphaBay Marketplace. Right? You should've learned by now to target specific individuals of interest and focus on that and that alone. No randomness! Did you not read ACT VI - Ride the Snake?! FUCK!

RATs are your friend in the cybercriminal world and can be used as a foothold to launch more sophisticated crimes such as Business Email Compromise (BEC), cryptocurrency theft, account takeovers, deploying ransomware, and many other awesome reasons.

In fact, most cybercriminal organizations will use some sort of RAT as their initial foothold into a person or an organization before deploying ransomware or other devious pieces of malware to their victims' faces. Before we dive into this course, let's take a quick look at what other hackers are doing so you can see what is what and learn how others are being compromised around the globe. Your goal is to copycat these techniques and deploy them for your own needs and desires once you have the right malware in your possession. If you think people are just sending an executable (.exe file) to someone over the Internets to infect them with malware, you've lost your god damn mind. This isn't 1999, which is why it's an excellent idea to see how other professionals are compromising their targets and the techniques they're using to accomplish the task at hand.

For some people reading through everything in this course, you might get overwhelmed by the amount of information being delivered to you at once. If you're feeling overwhelmed or feeling like you're in over your head, just pay attention to how hackers infected their targets with malware, what files were sent to their targets, how they social engineered their targets, and what other professional hackers do once they've gained access to their targets' computers.

Readings #1
DARKSIDE ransomware operators would obtain an initial foothold into an organization by sending malicious emails with links for their victims to click on.

Readings #2

"In April 2018, FireEye identified a campaign that used compromised websites to deliver heavily obfuscated Trojan droppers masquerading as Chrome, Internet Explorer, Opera, and/or Firefox browser updates. The compromised websites contained code injected directly into the HTML or in JavaScript components rendered by the pages which had been injected. These sites were accessed by victim users either via HTTP redirects or watering-hole techniques utilized by the attackers."

Basically, what this group was doing was hacking a popular-ish website and re-coding its HTML source code so that whoever visited the website would be redirected, based on their browser type, to a different website and prompted to install malware. Once on the deceptive website the victims would be prompted as seen in the screenshot below. Maybe some of you will recognize this type of technique as you may have come across it out there in the wild.

After clicking the update button, victims would download the following three types of files:

- Heavily-obfuscated HTML applications (.hta file extensions)
- JavaScript files (.js file extensions)
- ZIP-compressed files (.zip extensions)


"In this newer campaign, the threat actors leveraged victim systems to deploy malware such as Dridex or NetSupport, and multiple post-exploitation frameworks. The threat actors' ultimate goal in some cases was to ransom systems en masse with BitPaymer or DoppelPaymer ransomware."

In the screenshot below you can see that those motherfuckers used Command-and-Control (C&C) frameworks called Koadic, Empire, and PoshC2. These are all publicly available tools you can download and use for free! WOWWWWWWWWWWWW what a time to be alive! We'll be going into detail about those frameworks later on, but for now just continue reading along.

"FireEye identified the threat actors leveraged their Dridex backdoor(s) to execute the publicly-available PowerShell Empire and/or Koadic post-exploitation frameworks. Managed Defense also identified the FakeUpdates to Dridex infection chain resulting in the download and execution of PoshC2, another publicly available tool. These additional tools were often executed between 30 minutes and 2 hours after initial Dridex download. The pace of the initial phases of related attacks possibly suggests that automated post-compromise techniques are used in part before interactive operator activity occurs."

Readings #3
Read through the 2021 threat report from SOPHOS thoroughly to get up to date on some items and get into that mindset.


Readings #4
"In the next evolution of the campaign, MSTIC observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system."

Some professional fucking maniacs out there are emailing specific people/targets and attaching an HTML file with some JavaScript written in it, which will cause havoc on the target computer once opened. HTML Smuggling. Have you heard of HTML Smuggling? Interesting, yes?

Readings #5 - HTML Smuggling

Readings #6 - .LNK files
Using .lnk files you can create shortcuts that will help to execute malware on a target computer.

These are just some of the techniques we're going to review and develop so you can use them in your own operations moving forward.

Remember, most malware delivery mechanisms seem fairly straightforward to pull off, but it truly comes down to Social Engineering and delivering your emails, texts, etc. as professionally and as targeted as possible to entice your target to do XYZ on your behalf. This is of much importance. Social Engineering is very important; you will only get better at SE by practicing it against others. Practice makes perfect! Actors get better at acting by ACTING! Social Engineering is the #1 skill all of you should have before becoming an expert programmer or hacker master.

Before making the decision to purchase or use a RAT, you should think about your goals to ensure you've thought everything out properly before blindly launching a low quality malware campaign against your target(s) and coming up empty handed.

I think everyone should have a basic understanding of what a RAT is and how most malware is used today, so now it's time to learn what an Anti-Virus (AV) is all about.
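The readings in this post describe three delivery chains from the defender's side: attachments and drive-by downloads arriving as .hta, .js and .zip (the FakeUpdates chain), an HTML attachment whose script writes an ISO to disk (the NOBELIUM chain), and a .lnk inside that ISO. The script below is an added example, not part of the original post and not the tooling of any group or vendor named above; it shows how a mail gateway or analyst could triage attachments against exactly those patterns. The marker set for HTML smuggling, the two-marker threshold and all sample attachments are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# File types named in the readings: the FakeUpdates chain delivered .hta, .js
# and .zip; the NOBELIUM chain used an HTML attachment that wrote an .iso,
# which in turn carried a .lnk. HTML itself is inspected rather than flagged.
RISKY_EXTENSIONS = {".hta", ".js", ".zip", ".lnk", ".iso"}
HTML_EXTENSIONS = {".html", ".htm"}

# JavaScript idioms that, in combination, indicate a file being assembled in
# the browser and handed to the user as a download instead of being fetched
# from a server. This marker set is an assumption made for this example.
SMUGGLING_MARKERS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_build": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|msSaveOrOpenBlob"),
    "iso_name": re.compile(r"\.iso\b", re.IGNORECASE),
}


@dataclass
class Finding:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extension_of(filename: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    name = filename.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def inspect_attachment(filename: str, content: bytes) -> Finding:
    """Apply the extension rule and, for HTML, the smuggling-marker rule."""
    finding = Finding(filename)
    ext = extension_of(filename)
    if ext in RISKY_EXTENSIONS:
        finding.reasons.append(f"risky attachment type {ext}")
    if ext in HTML_EXTENSIONS:
        text = content.decode("utf-8", errors="ignore")
        hits = sorted(name for name, rx in SMUGGLING_MARKERS.items() if rx.search(text))
        # A single marker is common in ordinary pages; two or more together
        # is the "script writes a file to disk" pattern the reading describes.
        if len(hits) >= 2:
            finding.reasons.append("HTML smuggling markers: " + ", ".join(hits))
    return finding


def scan_attachments(attachments: dict) -> list:
    """Return the filenames that should be quarantined for analyst review."""
    return [name for name, body in attachments.items()
            if inspect_attachment(name, body).suspicious]


# Constructed sample attachments (not real captures). The 'update.html' body
# is a non-functional fragment that only carries the marker strings.
SAMPLE_ATTACHMENTS = {
    "quarterly_report.pdf": b"%PDF-1.4 constructed placeholder",
    "newsletter.html": b"<html><body><p>Plain page, no script.</p></body></html>",
    "update.html": (
        b"<html><script>\n"
        b"// constructed fragment: markers only, ENCODED and link are placeholders\n"
        b"var bytes = atob(ENCODED);\n"
        b"link.download = 'update.iso';\n"
        b"</script></html>"
    ),
    "ChromeUpdate.hta": b"constructed placeholder",
    "invoice.js": b"constructed placeholder",
}

if __name__ == "__main__":
    for name in scan_attachments(SAMPLE_ATTACHMENTS):
        reasons = inspect_attachment(name, SAMPLE_ATTACHMENTS[name]).reasons
        print(f"{name}: {'; '.join(reasons)}")
```

Running it quarantines update.html, ChromeUpdate.hta and invoice.js and lets the PDF and the script-free HTML page through. In production the extension check would be joined by archive inspection (a .lnk or .iso inside a .zip) and the marker threshold tuned against the organisation's real mail flow, since legitimate web applications also use Blob and download attributes.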
#2
Thank you. Please also consider uploading the acts as well.
"It takes just one mistake before they get you, so no mistakes, stay focused"
#3
Great read.
I just read some today on RATs and one called RedLine Stealer.
A RAT is just what I would like to purchase, but I have a couple of questions.
My social engineering skills are zero. And I am one of the people who cannot code but can afford one...
But a guy has the hots for my friend and will click on any link he sends him, etc., and the work computer is online....

Damn, I have learned a lot just from reading some of the DARKSIDE info... Thank you.
#4
Great post! A lot of info.
Do you want to continue? [Y/n]
#5
Got into this thread because of the word "Funshine".