Mimics an infected host phoning home to an Xtreme RAT C2 server and attempts to authenticate itself and download specified files.

This is currently written in Python 2.7 and will be updated to 3.0 soon.

It only successfully downloads files with an absolute path. By default, this code attempts to download three files that are common among Xtreme RAT instances: "", "senha.txt", and "Settings.ini". Additional files can be added manually within the code.

Note that the Xtreme RAT C2 software runs on Windows OS.

Server-Client Communication

Where 127.0.0.1 is the IP address of the Xtreme RAT C2.

Xtreme RAT uses a reverse-connecting architecture: the C2 acts as the client while the infected hosts act as servers. Communication between the C2 and the hosts is encoded and sometimes compressed.

To begin communication, the infected host initiates a connection with the C2 by sending the string "myverion", a pipe character, and the version number to the C2. Testing showed that the Xtreme RAT C2 does not confirm or check the version number; the code uses version 3.6 for every connection.

If the C2 in question is indeed running Xtreme RAT and the communication is successful, the C2 then responds to the infected host. The C2 begins every message it sends to the infected host with the string X\r\n. This message (or acknowledgement) is sent in Unicode. Sometimes this message is received as an individual response, and sometimes it is appended to the next message (a connection header). The connection header includes the communication password, a null byte, the size of the following message, and a null byte.
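As an added example (not the tool's own code, and written for Python 3 rather than the 2.7 the tool uses), a parser and detection rule for the handshake and connection header described above, meant to be run over captured traffic. It assumes the Unicode acknowledgement is UTF-16LE and that the size field is ASCII decimal digits; the writeup states neither.

```python
import re

ACK_ASCII = b"X\r\n"
ACK_UTF16 = "X\r\n".encode("utf-16-le")  # assumption: "Unicode" here means UTF-16LE
HANDSHAKE_RE = re.compile(r"^myverion\|(?P<version>[0-9.]+)")
# connection header: <password> NUL <size> NUL; size as ASCII digits is an assumption
HEADER_RE = re.compile(rb"^(?P<pw>[^\x00]*)\x00(?P<size>[0-9]+)\x00")


def parse_handshake(data: bytes):
    """Return the version from the host's opening "myverion|<version>" message, or None."""
    for enc in ("utf-16-le", "ascii"):  # the host message may be Unicode or ASCII
        try:
            m = HANDSHAKE_RE.match(data.decode(enc))
        except UnicodeDecodeError:
            continue
        if m:
            return m.group("version")
    return None


def parse_c2_reply(data: bytes):
    """Split a C2 reply into the optional X\\r\\n acknowledgement, the optional
    connection header (password NUL size NUL) and the message that follows it."""
    result = {"ack": False, "password": None, "size": None, "payload": b"", "truncated": False}
    for ack in (ACK_UTF16, ACK_ASCII):
        if data.startswith(ack):
            result["ack"] = True
            data = data[len(ack):]
            break
    m = HEADER_RE.match(data)
    if not m:  # no header: whatever remains is passed through untouched
        result["payload"] = data
        return result
    result["password"] = m.group("pw").decode("latin-1")
    result["size"] = int(m.group("size"))
    body = data[m.end():]
    result["payload"] = body[:result["size"]]
    result["truncated"] = len(body) < result["size"]  # rest of the message not yet received
    return result


def looks_like_xtreme_rat(host_first: bytes, c2_first: bytes) -> bool:
    """Detection rule: host opened with myverion|<ver> and the C2 answered with X\\r\\n."""
    return parse_handshake(host_first) is not None and parse_c2_reply(c2_first)["ack"]


# Constructed sample exchange (not captured traffic); password and body are made up.
SAMPLE_HOST = b"myverion|3.6"
SAMPLE_C2 = ACK_ASCII + b"secret\x0011\x00" + b"hello world"
```

`parse_c2_reply` reports `truncated` when the header announces more bytes than have arrived, so a caller reassembling a TCP stream knows to keep reading before decoding the message.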