8 comments

[ 4.9 ms ] story [ 35.0 ms ] thread
In the event you want to pwn a person who uses Linux desktop? If so, glad to see this, there are cross platform rats that work on Linux but a Linux specific is rare to me.

Oh and I wouldn't say undetectable,AV may not detect it now but Linux detection can be pretty wild, even with good EDR vendors a lot of tuning is needed due to how customizable it is (admins/devs always do one off unusual things, windows has more predictable structure).

Didn't read the code but I loathe the python usage, if for windows you can use pyinstaller to build an exe. Anywhere else, your rat will break because of python versioning/deps.

The client runs on Windows and is written in C++ (bot directory). It's still terrible, amateur-level code that nobody should be running but the most critical aspect here is the architecture: Fixed, with most things hardcoded and hard to adapt/change. Also, no runtime flexibility whatsoever. This isn't what an advanced attack toolkit looks like, even a minimal one written in C/C++.

Here is my own contribution to this space:

https://downloads.immunityinc.com/infiltrate-archives/python...

If it was fully undetectable it would mean that it would have no effect and does not exist on disk or in memory of any sort. Any malware/RAT is detectable in someway since it has some effect that shouldn't be there. That can be network activity, just the process running, just the code existing on a drive or in memory or anything else.
I like how he writes “do not upload to online scanners”.
Looks like it's just a standard executable that listens on a hardcoded IP and port. This is the kind of stuff we'd whip up in an afternoon during a pentest when we needed a throwaway tool to use.
There is nothing noteworthy or undetectable about this. Disappointed that it’s getting hype on HN.
Just wanted to say, the github page has a note saying: NOTE : Do not upload the BOT to online scanners!

With you posting it here, I can guarantee that at least a few people are going to upload it to online scanners.

Certainly not FUD or "advanced". No encryption/obfuscation used to communicate with C2 at all, common patterns in the c++ binary that drops on clients, no polymorphism, drops itself on the disk. Might be a fun toy project for the author but this wouldn't be useful in any actual security testing deployments.