Free download xtreme rat 3.6
Mimics an infected host phoning home to an Xtreme RAT C2 Server and attempts to authenticate itself and download specified files.

This is currently written in Python 2.7 and will be updated to 3.0 soon. Only successfully downloads files with an absolute path. By default, this code attempts to download three files that are common among Xtreme RAT instances: "", "senha.txt", and "Settings.ini". Additional files can be added manually within the code.

Where 127.0.0.1 is the IP address of the Xtreme RAT C2.

Server-Client Communication

Note that Xtreme RAT C2 Software runs on Windows OS. Xtreme RAT uses a reverse-connecting architecture: the C2 acts as the client while the infected hosts act as servers. Communication between the C2 and hosts is encoded and sometimes compressed.

To begin communication, the infected host initiates a connection with the C2 by sending the string "myverion" + pipe + the version number to the C2. Testing showed that the Xtreme RAT C2 does not confirm or check the version number. The code uses version 3.6 for every connection. If the C2 in question is indeed running Xtreme RAT and the communication is successful, the C2 then responds to the infected host.

The C2 begins every message it sends to the infected host with the string X\r\n. This message (or acknowledgement) is sent in unicode. Sometimes this message is received as an individual response, and sometimes it is appended to the next message (a connection header). The connection header includes a communication password + null byte + the size of the following message + null byte.

The C2 then sends the infected host the "maininfo" message. This message is made up of the string "maininfo" + Xtreme RAT's universal delimiter + a connection ID, i.e.: maininfo?#?" a?" a?"aR539sw21zjXF4Cqotm7EUNMYPhGAHfcDlBLZxQiSadrTVbu8n0pgykJ6WeK. This Connection ID is necessary for further successful communication.

After this communication, the infected host can send a command to the C2. At this time the infected host (us) puts together the following message: the "newconnection" command followed by a pipe character, the previously transmitted Connection ID, the previously transmitted Xtreme RAT delimiter, and any additional commands necessary. This message is zlib compressed and little endian encoded. In this case, we will be telling the C2 to update our local server with the command "updateserverlocal", followed by the previously transmitted Xtreme RAT delimiter, followed by an absolute path to a file we would like the C2 to send to us. This message will look like this: newconnection|LoWr63EgauwjTyl40NPxmbX7U15si2BKFkRH9SdphJnGQVDzCMqfA8cZeYt#"a"a"aupdateserverlocal#"a"a"afile.txt

Like the C2, the infected host (us) precedes the "updateserverlocal" command with a connection header in the same style as described above. This message needs to be zlib compressed and little endian encoded before being sent.
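The frame layout described above (connection header, then a zlib-compressed little-endian payload carrying pipe- and delimiter-separated fields), as an added decoder for captured traffic written for this write-up; it is not the tool's own code. It assumes the header is ASCII with the size as decimal digits, that "little endian encoded" means UTF-16-LE text, and uses the delimiter exactly as printed in the example message.

```python
"""Decode an Xtreme RAT style message frame carved from captured traffic.

Added example, not the tool's own code. Assumptions (labelled): the
connection header is ASCII ``password NUL size NUL`` with the size as
decimal digits, the payload is UTF-16-LE text ("little endian encoded")
that has been zlib compressed, and the field delimiter is the one shown
in the write-up's example message, taken here as a literal.
"""
import zlib

DELIM = '#"a"a"a'  # delimiter as printed in the write-up (assumption: literal)


def decode_frame(raw: bytes) -> dict:
    """Split one frame into header fields and decoded message fields.

    Raises ValueError on a malformed header or when the declared size does
    not match the compressed body, which is a useful tripwire when carving
    frames out of a stream with other data appended.
    """
    try:
        password, size_str, body = raw.split(b"\x00", 2)
    except ValueError:
        raise ValueError("header needs two NUL separators") from None
    if not size_str.isdigit():
        raise ValueError("size field is not decimal digits")
    declared = int(size_str)
    if declared != len(body):
        raise ValueError(f"declared size {declared} != body length {len(body)}")
    text = zlib.decompress(body).decode("utf-16-le")
    command, _, rest = text.partition("|")
    return {
        "password": password.decode("ascii", "replace"),
        "size": declared,
        "text": text,
        "command": command,
        "fields": rest.split(DELIM) if rest else [],
    }


def build_sample_frame(password: str, text: str) -> bytes:
    """Construct a frame in the assumed layout (constructed sample, not captured data)."""
    body = zlib.compress(text.encode("utf-16-le"))
    return password.encode() + b"\x00" + str(len(body)).encode() + b"\x00" + body


# Constructed sample mirroring the write-up's "newconnection" message.
SAMPLE = build_sample_frame(
    "1234", "newconnection|LoWr63E" + DELIM + "updateserverlocal" + DELIM + "file.txt"
)

if __name__ == "__main__":
    print(decode_frame(SAMPLE))
```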