Vecna9 said:
Hi there!
I'd like to get back into RATs but it's been a while since I've been into this thing.
What do you recommend as a RAT? (async rat, remcos, private RATs)
Do you have any good techniques for making money with RATs?
Wiz said:
Hello and welcome.
This question has become very popular nowadays simply because there are tons of tools available. However, I want to emphasize that all tools are merely bridges to achieving a successful operation. Remember, there is no greatest tool, but rather the greatest minds behind their utilization.
Tragedy said:
If we are talking about public and at the same time good RATs, there is probably nothing better than remcos for cheap. Don't waste your time with free malware; it's often unfinished and unstable.
Vecna9 said:
Volcan
you recommend the private RAT?
HVNC I'll see later, because it's only for Macs.
домкрат said:
Why spend money on something that will create a bunch of RWX memory regions in your process, is hard to crypt, and is written by who knows who?
домкрат said:
For HVNC there are many other options where you can load them with execute-assembly if they are a BOF from Cobalt Strike, for example. If not, you can add exclusions and drop another RAT for HVNC purposes. HVNCs are very noisy; they send hundreds of HTTP GET/POST requests, so watch out.
домкрат said:
It is difficult to work on encryption with these basic and unsafe tools.
s0nus said:
You're probably misunderstanding this thread; command and control frameworks are not RATs, they have a completely different usage (especially HVNCs).
Normally RATs are programmed in C#, which uses the CLR; it is totally fine to have RWX memory maps, since it has a JIT engine and JIT engines use RWX a lot.
From my perspective, it is a lot better to use software designed for what you're looking for instead of software with a lot of abstractions.
OBS: A lot of other C2s are very unstable with CLR loading and executing (especially Cobalt Strike); they wait for the result of the command and make the beacon unstable after some time, because they wait for output but there is no output.
s0nus said:
This is very relative; for example, Quasar RAT does not use HTTP(S) to send screen buffers, it uses TCP.
s0nus said:
Again, relative; C# binaries (without dependencies) are very easy to crypt (crypters are useless nowadays anyway).
OBS: Public-source command and control frameworks have a lot of known TTPs (meaning they will be easy to detect); one example is sleep obfuscation from Havoc.
Stop spraying misinformation to users
домкрат said:
Honestly, I didn't see any good recommendation; I will try one on your good word. I stick with what works well for me, so I can just recommend this toolset; in my point of view, you just need a little code knowledge to develop your own stealer + HVNC functions apart from your initial access.
домкрат said:
You are right, it is good to save time and stick to fully operative tools, but in the end you need a crypter/packer, so you can save this money and invest it here, which is the really important deal: getting initial access.
домкрат said:
I prefer to blend the traffic but oh well...
домкрат said:
You are right about that; actually these frameworks have a lot of them, but with a little bit of care and love they are easy to modify.
s0nus said:
Depending on the operation, zero-stage command and control frameworks could be used before dropping the HVNC or RAT, making less noise and preserving the access.
Creating your own stealer or HVNC is great too, but it takes a lot of time and effort, and it doesn't look like the people in this thread want to.
s0nus said:
This depends on the tool, to be honest; for example, Lumma stealer (or Lumma C2) could be run without crypters/packers, since they designed their code in a way that it is FUD.
Crypters and packers are pretty much useless (at least from my point of view), since the original binary being run in memory could be easily detected because of malware behavior.
s0nus said:
Me too, but thinking about it more, TCP is a lot more reliable and fast compared to sending a lot of HTTP(S) requests (a RAT using WebSocket would be great :0)
s0nus said:
It would be a lot better to use something already "FUD", that doesn't have detections (like a private stub or something like that), from RATs/HVNCs like Brute Ratel.