Help! My custom RAT is bypassing WD but it does not report.

GreenApple77 (rank: CD-disc, User; joined 16.05.2025; 18 messages, 2 reactions)
I need help understanding why the RAT I have coded/crypted is bypassing WD but not reporting to my panel? It is .NET 4.0 framework just like xWorm etc. The main issue is when WD is turned on it does NOT report, when WD is turned off it does report. Guidance would be greatly appreciated! If you need any more info to help diagnose the issue, just ask me :)
 
Try another machine; could be because of the mutex, can't run twice on a single machine.
Make sure your port listening connection is good.
Buy traffic to test it out in the wild.
I reinstall the OS on the RDP so it's a fresh testing environment for each new stub.
The port listening connection is good also.
Where can I buy traffic from to test?
 
1) Deploy the software on a test dedi
2) Check that with WinDef switched off everything works correctly
3) Smother everything with logging
4) Switch WinDef on, run your wonder-gadget again
5) Read the logs

If the logs show something broke, fix it. If the logs say the software is fine but the info doesn't reach the server, then something is blocking you; check the settings WinDef turns on. My bet is that enabling WinDef brings up the firewall and that's what blocks you.
 
Hi guys, quick update

  • Tested on multiple different machines
  • Tested other working RATs/stealers

Did not work, so the environment is not the problem. The problem is WD or AVs blocking the connection.

What I'm going to do:

  • Use a legit open port such as 80 or 443 for communication between the controller and the client.
  • Add more delay time to the stub.
  • Use a random obfuscation method per build.

Any other suggestions/methods that you have, please send them over. Thanks in advance.
 
If you are using System.Reflection.Assembly.Load within the RAT, then it is possible that it is indeed getting detected but Windows Defender is not displaying it as a threat found. Try running the client in a debugger and putting a breakpoint on that line and the line after, if this is the case.
 
Thank you, will take a look into that now.

Funnily enough, I think I just recently joined your tele channel 😆
 