# Vermin
A RAT management system (botnet) using clusters of C&C servers, an attacker client and bot clients (targets). It will allow you to manage different RAT instances from different computers and coordinate them as a botnet. It will also enable you to easily inject the RAT into a target system and make it a spreading virus in the form of Discord links. A variant type of the target will infect IoT devices, similarly to the Mirai botnet.
## Infrastructure

### Lifecycle
#### Reproduction Module
PC Version:

1. Compromised bot client scans for devices with vulnerability
2. Exploits vulnerability and implements temporary backdoor (SSH server)
3. Reports temporary backdoor info to Report Server, which distributes loading to the load servers
4. One of the load servers logs in over SSH and loads the latest version of binary. Implements measures to make permanent on reboot
5. Attacker can now control client through C2 system, sends command
6. C&C server will relay command to bots, bots will execute

IoT Version:

1. Compromised bot client scans for IoT devices
2. Brute forces and reports login credentials
3. Reports temporary backdoor info to Report Server, which distributes loading to the load servers
4. One of the load servers logs in with credentials and loads the latest version of binary. Implements measures to make permanent on reboot
5. Attacker can now control client through C2 system, sends command
6. C&C server will relay command to bots, bots will execute

#### Description
Each client identifies itself with a unique UUID. The structure of the virus is designed to have multiple middleman servers running to divide a botnet into multiple sections and to let a client connect from anywhere at any time.

This model was designed to ensure that a client does not have to be hard-coded to connect to a single server, since the connection fails if that server isn't running. The attacker client is more of a management system for a middleman server. Each middleman server has an admin password; to gain access, the user enters the password and generates a unique ID, which the client saves to its database for each middleman. From the attacker client, you will be able to manage different target connections on the middleman. Features include removing connections, getting basic info of a connection, and deleting connections. You will also be able to interface with target connections.

The middleman server handles everything. Two clients (attacker and target) can exist, but without the server the clients are useless. There can be multiple middleman servers; when building, you can always change the middleman the target is hard-coded to connect to. The middleman server reads UUIDs, sorts which connection is connected to what, figures out what is connected and what isn't, and generally passes information between attacker and target. It is essential.

The target client has its own interface that allows you to perform advanced operations with the target machine, much like a Metasploit shell. Features include a command shell and Discord token grabbing.

### Attacker
When starting up the attacker client, the first thing it will do is generate a unique UUID and store it in a local file. If the local file already exists, it will read the UUID from it and store its signature as a local variable to later let the middleman server know its identity and exactly what connected to it. A sample signature looks like `ATTACKER_720df074-04f5-4176-b557-68d3f0fbbab7`, with "ATTACKER_" prepended to the UUID to differentiate it from a target.

Next it will read its configuration. If the configuration specifies auto-connecting to a middleman, it will log the configuration specification to the console and automatically connect. Otherwise, it will prompt you to choose from a list of middlemen to connect to.

Once a middleman is chosen, it will send its signature to the middleman. If the middleman's configuration includes a "remember me" option, it will automatically recognize your signature and let you in. Otherwise, the server will prompt the attacker client for a password and the client will prompt you to enter it. The password can be virtually anything.

You have now connected to the middleman. From here, you are the connection manager. Look at the middleman section to see a list of commands you can use. Obviously, you can connect to a target and check its basic info (location and computer name).
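
A defender-side check for the signature format described above, as an added example that is not part of the Vermin code base: it scans session payloads for the `ATTACKER_<uuid>` handshake and groups hits by destination, which points at the middleman endpoint and at the hosts running the attacker client. The session record layout, addresses, port and second UUID are constructed, and it assumes the signature crosses the wire as readable text.

```python
import re
import uuid
from collections import defaultdict

# "ATTACKER_" followed by a canonical UUID, the signature format described above.
# The lookarounds reject the prefix embedded in a longer word or a longer hex run.
SIG_RE = re.compile(
    rb"(?<![A-Za-z0-9_])ATTACKER_"
    rb"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
    rb"(?![0-9a-fA-F-])"
)

# Constructed session records: (src_ip, dst_ip, dst_port, first payload bytes).
SAMPLE_SESSIONS = [
    ("10.0.4.17", "203.0.113.50", 4444, b"ATTACKER_720df074-04f5-4176-b557-68d3f0fbbab7\n"),
    # Same ID from a second host, in upper case: the local UUID file was reused.
    ("10.0.4.23", "203.0.113.50", 4444, b"ATTACKER_720DF074-04F5-4176-B557-68D3F0FBBAB7\n"),
    ("10.0.9.2", "203.0.113.50", 4444, b"ATTACKER_9b2f6c1e-3d47-4a8b-9c55-0e1f2a3b4c5d"),
    # Near misses that must not alert: prefix without a UUID, UUID without the prefix.
    ("10.0.7.8", "198.51.100.9", 443, b"GET /ATTACKER_guide.html HTTP/1.1\r\n"),
    ("10.0.7.9", "198.51.100.9", 443, b"id=720df074-04f5-4176-b557-68d3f0fbbab7"),
]


def find_operator_handshakes(sessions):
    """Map each (dst_ip, dst_port) to {operator_uuid: sorted source IPs}."""
    hits = defaultdict(lambda: defaultdict(set))
    for src, dst, port, payload in sessions:
        for match in SIG_RE.finditer(payload):
            # Normalise case so one operator ID is not counted twice.
            operator = str(uuid.UUID(match.group(1).decode("ascii")))
            hits[(dst, port)][operator].add(src)
    return {
        endpoint: {op: sorted(srcs) for op, srcs in operators.items()}
        for endpoint, operators in hits.items()
    }


if __name__ == "__main__":
    for endpoint, operators in find_operator_handshakes(SAMPLE_SESSIONS).items():
        print(endpoint, operators)
```
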