Exhibition of rats. Comparing the best RATs.

Father

Remote access Trojans (RATs) are most often used to control compromised systems. There are many such tools, and in this article I will show six popular "warriors" used by intruders in action.

WARNING
Unauthorized access to computer information is a crime. Neither the author nor the editorial board of the magazine is responsible for your actions. All tests were performed on virtual machines isolated from real data.

Here is a list of warriors that we will try today:
  • Cerberus 1.03.5;
  • CyberGate 1.07.5;
  • DarkComet 5.3;
  • Orcus Rat 1.9.1;
  • NjRat Danger Edition 0.7D;
  • Venom 2.1.
To examine the builds of our warriors, I will use Detect It Easy (DiE) version 3.01.

We will evaluate them according to the following criteria:
  • set of suggested functions;
  • speed of deployment in the target system;
  • load on the victim's computer;
  • build code protection level (let's try to reverse the build);
  • checking for VirusTotal;
  • pros and cons in general.
Now let's start the analysis.

CERBERUS

Interesting features
  • Changing the language
  • Supports various output formats (.pif, .com, .src, .bat, .cmd)
  • It is possible to add sounds at startup (both the ones included by default and your own)

Description
The speed of operation is high: the entire build is assembled in about five seconds. When running, it takes up 7.3 MB of memory and barely loads the processor.
Loading the build into DiE shows Borland Delphi and UPX, which is exactly what some antivirus programs flag.

Verdict
Cerberus is well suited for a long-term stay in the system, and the ability to change the file extension makes it easier to slip to the victim.
On the minus side: it failed to recognize Windows 10 in operation, and it is detected quite readily by antivirus software, so it would have to be crypted. The compiler is a little outdated, and the sound it suddenly plays at startup does not contribute to an inconspicuous infection at all.

CYBERGATE

Interesting features
  • Collecting information about an active session
  • Allows you to search for data on devices
  • There is an extended amount of received data in the panel

Description
Assembling and launching the build takes about 25 seconds, which is slow even compared to Cerberus. The load on the system is slightly higher than that of the competitors; in addition, it spawns several processes at startup and is visible in Task Manager. It consumes 0.1% of the CPU and 4.2 MB of memory, and loads the disk at 100 KB/s.
Protection is odd: the build does not even try to hide its very large number of imported libraries and the functions pulled from them. There is no obfuscation of WinAPI calls at all, which is quite surprising.
The detection rate of 64/70 (91.4%) is therefore no surprise at all, yet when this rat was checked on VirusTotal, only one of the 70 antivirus engines (eGambit) identified exactly which family it belongs to.

Verdict
Yes, the build is detected by just about everything, but it is dead simple and easy to use. It is also easy to remove; it does not put up much resistance.

DARKCOMET

Interesting features
  • There are two virus build modes (minimal and advanced)
  • There is a socket-connection function (connections can be forwarded to improve security)
  • You can schedule actions
  • Allows you to create a download link for the virus

Description
Assembling the build takes more than a minute, far longer than usual for such software. Once started, the build consumes 2.7 MB of RAM, which is quite good alongside near-zero consumption of other resources.
The build is again not covered by any protectors or packers. user32.dll stands out immediately in the imports, with the mouse and keybd functions pulled from it and, of course, VkKeyScanA, which allows building a keylogger.

Verdict
Not a single antivirus program realized that it was looking at a "Comet". However, the build's innards are all exposed, so such programs should not be distributed widely, although the customization here is complete. And the build time is disappointing.

ORCUS RAT

Interesting features
  • It can create third-party processes to distract attention
  • It is able to create a respawner that restores the payload if it is removed from the system or its operation is disrupted
  • Supports plugins

Description
The speed of operation is high: it is assembled in ten seconds. It consumes 15.6 MB of RAM and does not load the victim's computer in any way.
The code is well encrypted, but .NET Framework 2.0 still shows through.

Checking for VirusTotal

Verdict
Overall it is very good, except that it needs crypting, as indeed do all of today's test subjects. On the plus side, it has a bunch of add-ons for more effective work, and it can stream images from a webcam.

Many antivirus programs, such as AhnLab-V3, detect Orcus RAT, and there is no real protection against that. It also requires lengthy configuration, and without plugins the functionality is noticeably limited.

NJRAT

Interesting features
  • Shutdown when a specific process is activated
  • Streaming the victim's screen
  • Reverse connection host and port protection
  • Ban on deleting the program
  • Disabling the Task Manager

Description
Assembling the build takes exactly ten seconds. The load on the victim system is very heavy: the processor sits at 18%, which gives the virus away badly.
This one is built on .NET Framework. Many modern viruses run on it, so that is not surprising.

Nothing can be gleaned from the import section, but then that is what .NET means.
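As an added example (not from the article or from any of the tools it reviews), here is a small defensive triage script that reads a PE build's section table and CLR data directory to surface the two static tells the DiE screenshots show: UPX packing, as on the Cerberus build, and a .NET assembly, as with Orcus and njRAT. The PE headers it parses are constructed inline so the script runs offline; they are skeletons, not real samples.

```python
import struct

# Added example (not from the article): static triage of a PE build in the
# spirit of what Detect It Easy reports. It reads the section table (UPX
# leaves UPX0/UPX1 sections, as on the Cerberus build) and the CLR data
# directory (populated for .NET builds such as Orcus, njRAT and Venom).

def pe_triage(data: bytes) -> dict:
    """Return section names plus UPX and .NET indicators for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                        # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 for PE32 (0x10B), +112 for PE32+ (0x20B)
    dd = opt + (96 if magic == 0x10B else 112)
    clr_rva, clr_size = struct.unpack_from("<II", data, dd + 14 * 8)
    table = opt + opt_size                                 # section headers, 40 bytes each
    names = [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsect)]
    return {
        "sections": names,
        "upx_packed": any(n.startswith("UPX") for n in names),
        "dotnet": clr_rva != 0 and clr_size != 0,
    }

def build_sample(section_names, dotnet):
    """Constructed skeletal PE32 header for offline demonstration (not an executable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                   # PE32 optional header with 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)  # CLR header RVA/size (constructed)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections

if __name__ == "__main__":
    print(pe_triage(build_sample(["UPX0", "UPX1", ".rsrc"], dotnet=False)))
    print(pe_triage(build_sample([".text", ".rsrc", ".reloc"], dotnet=True)))
```

On a real file, pass the result of `open(path, "rb").read()` to `pe_triage`; the UPX and CLR checks are only the first filter a triage would apply before looking at the import table.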

Checking with antivirus scanners showed a better result than in previous samples, but this is still not suitable for large-scale combat use (besides, we agreed not to do this, remember?).

Verdict
The Trojan is quite interesting: it is well developed, poorly detected by antivirus programs, its source code is available online, and it has many functions. The connection to the C&C server is encrypted, another plus for this "rat".

njRAT also has some problems: in particular, the relatively high load on the victim's system, and the same public source code that was listed as an advantage.

INFO
We recommend reading this before typing "download njrat" into a search engine.

VENOM

Interesting features
  • Ability to upload a build to AnonFile
  • Ability to add an official-looking installer (an installation window with a fake license will be displayed)
  • Ability to modify the Trojan itself
  • Creating a rootkit
  • You can set a nickname for the device the virus will infect (displayed in the admin panel)

Description
All preparation and assembly takes about 20 seconds. The build takes up 9 MB of the victim's RAM and practically does not load the system.
It is again written in .NET, and again without any packers, as usual, but the code is not immediately visible.

The detection rate is slightly lower than njRAT's, but for large-scale use a crypter would again be needed.

Verdict
Overall, this Trojan is the most successful of those considered today, and it is suitable for long-term operation. The payload is easily modified to suit your needs. It is also the stealthiest of all the competitors, and no antivirus can say anything specific about it. There is only one significant drawback: Venom is fully paid, but that does not stop everyone.

RESULTS
Of course, we have not covered even a tenth of the common warriors; there are simply too many of them! There are, for example, modified TeamViewer and AnyDesk clients that are used for the same purposes. If you know a noteworthy RAT that we missed, tell us about it in the comments!