multicat

PoC RAT using the sneaky-creeper data exfiltration library.

Not meant to be full-featured, just a fun project to write, and a proof-of-concept/example for anyone who wants to use sneaky-creeper.

If you get annoying InsecurePlatformWarning errors, run pip install 'requests[security]'.

Getting Started

Open up implant.py and specify which channel and encoder(s) you'd like to use, then set their parameters in channelParams and encoderParams. Refer to the sneaky-creeper docs for information on which parameters to set and how, as well as which channels and encoders are available.

Message Format Reference

Messages take the form of:

uid:message_type:other_stuff

Where other_stuff is determined by the message type. Colons (:) delimit the fields in a message. An attempt is made to be resilient against colons in user-defined content, but using them in your messages is still riskier than avoiding them.

uid is a unique ID for each implant instance to keep them all organized, generated by each implant when it's first run.

For message_type    other_stuff is in the format...
message             message
checkin             (none)
job                 jobId:jobType:cmdString

Message Types

Message

Implant --> Console

Sends a simple message to the C&C console for display.

Fields:

message - a message for the C&C console to display.

Checkin

Implant --> Console

Informs the C&C console that a new implant instance has come online.

Fields:

None.

Job

Console --> Implant

Instructs the implant to carry out a job.

Fields:

jobId - a unique ID string for the job itself, tracked by the implant to avoid repeating jobs.

jobType - the name of the job to carry out. The implant searches for a function with this name in its Jobs module, then executes it (if found).

cmdString - a string passed to the job code itself, used to pass in parameters.

Example:

a5wJl0t03lQvXmT0TrFy:setSleep:10-15 will instruct the implant to set its wait time between checkins to between 10 and 15 seconds using the setSleep function.
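
Added example, not part of multicat or sneaky-creeper: a parser for the message format described above, of the kind an analyst could use to decode and triage messages recovered from a channel, including payloads that contain colons. The handling of checkin (nothing after the type) and the sample uids and message contents are assumptions made for this example.

```python
from collections import Counter
from typing import NamedTuple, Optional

class Parsed(NamedTuple):
    uid: str
    message_type: str
    fields: dict

def parse_message(raw: str) -> Optional[Parsed]:
    """Parse one uid:message_type:other_stuff string; None if malformed."""
    # Split on the first two colons only, so colons in other_stuff survive.
    parts = raw.strip().split(":", 2)
    if len(parts) < 2 or not parts[0]:
        return None
    uid, mtype = parts[0], parts[1]
    rest = parts[2] if len(parts) == 3 else ""
    if mtype == "message":
        return Parsed(uid, mtype, {"message": rest})
    if mtype == "checkin":
        # Assumption: nothing follows the type; anything extra is malformed.
        return Parsed(uid, mtype, {}) if rest == "" else None
    if mtype == "job":
        # cmdString comes last, so it may contain colons; jobId/jobType may not.
        job = rest.split(":", 2)
        if len(job) != 3 or not job[0] or not job[1]:
            return None
        return Parsed(uid, mtype, dict(zip(("jobId", "jobType", "cmdString"), job)))
    return None  # unknown message type

def summarize(lines):
    """Count message types per uid and collect lines that fail to parse."""
    counts, malformed = Counter(), []
    for line in lines:
        msg = parse_message(line)
        if msg is None:
            malformed.append(line)
        else:
            counts[(msg.uid, msg.message_type)] += 1
    return counts, malformed

# Constructed sample input; the uid and contents are made up for illustration.
SAMPLE = [
    "implant01:checkin",
    "implant01:message:disk usage: 91%",
    "implant01:job:a5wJl0t03lQvXmT0TrFy:setSleep:10-15",
    "implant01:job:missing-fields",
    "no-delimiters-here",
]
```

Lines that fail to parse are returned separately rather than dropped, since malformed traffic on a channel is itself worth a look.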