A new RAT (Remote Access Trojan) has come on the scene which communicates via SMTP, the Simple Mail Transfer Protocol, to avoid detection by security tools.

SMTP is vital in any network if you want to send emails because this is the “push” protocol which all email systems use when sending messages.

Gmailc2

The RAT is named after Google’s Gmail utility because the developers chose to use Gmail email accounts for the RAT’s communications; however, any SMTP mailbox(es) can be used.

The RAT utilises two simple Python files:

  • server.py
  • client.py

The server script is the one which is placed onto the victim machine, and the client script is the one used by the attacker to communicate with the server/victim.

Communications between the client / server are obfuscated using Base64 encoding.
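Because Base64 is an encoding rather than encryption, a mail gateway or mailbox audit can decode it on sight. The following is an added detection sketch, not code from the RAT or its developers: it flags messages whose plain-text body is nothing but a Base64 blob that decodes to printable text. It assumes the encoded data sits in the message body (the page does not describe the message layout), and the sample messages and addresses are constructed.

```python
import base64
import binascii
import re
from email import message_from_string

B64_BLOB = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def decode_if_base64(text, min_len=8):
    """Return the decoded text if `text` is a single Base64 blob of
    printable UTF-8, otherwise None."""
    blob = "".join(text.split())  # tolerate line wrapping
    if len(blob) < min_len or len(blob) % 4 or not B64_BLOB.fullmatch(blob):
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if decoded and all(c.isprintable() or c in "\r\n\t" for c in decoded):
        return decoded
    return None

def suspicious_bodies(raw_message):
    """Decoded contents of text parts that are Base64 in disguise."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        # A declared base64 transfer encoding is ordinary MIME, not obfuscation.
        if (part.get("Content-Transfer-Encoding") or "").lower() == "base64":
            continue
        decoded = decode_if_base64(part.get_payload())
        if decoded is not None:
            hits.append(decoded)
    return hits

# Constructed sample messages (addresses and layout are assumptions).
ENCODED_MAIL = (
    "From: a@example.com\nTo: b@example.com\nSubject: 1\n"
    "Content-Type: text/plain\n\ncGVyc2lzdA==\n"
)
NORMAL_MAIL = (
    "From: a@example.com\nTo: b@example.com\nSubject: Lunch\n"
    "Content-Type: text/plain\n\nHi team, the meeting moved to 3pm.\n"
)

if __name__ == "__main__":
    for name, mail in (("encoded", ENCODED_MAIL), ("normal", NORMAL_MAIL)):
        print(name, suspicious_bodies(mail))
```

This is a heuristic: short ordinary words can occasionally pass the Base64 alphabet check, so treat hits as leads to correlate with the sending host and process rather than as verdicts.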

Currently, the RAT has only a few capabilities:

  1. Persistence (type persist)
  2. Shell Access
  3. System Info (type info)

The developers say that more features will be added.

The code for the RAT is available on GitHub.