HTTP/HTTPS Trojans can bypass any firewall and work as a kind of straight HTTP tunnel, but one that works in reverse. They use web-based interfaces and port 80 to gain access. These Trojans execute on the internal host and spawn a "child" at a predetermined time. To the firewall, the child program appears to be a user, so the firewall allows it access to the internet. However, this child executes a local shell, connects to the web server that the attacker owns on the internet through a legitimate-looking HTTP request, and sends it a ready signal. The legitimate-looking answer from the attacker's web server is in reality a series of commands that the child can execute on the machine's local shell.
Auditing a network against HTTP RATs is both essential and generally more difficult, as most firewalls and other perimeter security devices cannot detect traffic generated by an HTTP RAT Trojan.
Remote Access Trojans (RATs) are malicious programs that run invisibly on the host's PC and permit an intruder remote access and control. A RAT can provide a backdoor for administrative control over the target computer. Upon compromising the target system, the attacker can use it to distribute RATs to other vulnerable computers and establish a botnet.
- Create a server and run the HTTP Trojan on Windows Server 2012.
- Execute the server from the Windows 10 virtual machine.
- Control the Windows 10 machine remotely from Windows Server 2012.
- Windows Server 2012 virtual machine (Attacker).
- Windows 10 virtual machine (Target).
- Log on to Windows Server 2012 and install the HTTP RAT TROJAN tool: https://anonfile.com/HaT8v9Jbn7/HTTP_RAT_TROJAN_zip
- Double-click httprat.exe; the HTTP RAT main window appears.
- Uncheck the "send notification with IP address to mail" option, set the server port to 84, and click Create.
- Once the httpserver.exe file is created, a pop-up is displayed. Click OK and share the file with the Windows 10 virtual machine. The file is saved in the HTTP RAT TROJAN folder.
- Now log in to Windows 10 and navigate to the place where you saved the httpserver.exe file. Double-click it to run the Trojan.
- You will be able to see the Httpserver process in Task Manager.
- Switch back to the Windows Server 2012 and launch the web browser.
- Enter the IP address of Windows 10 in the address bar to access the machine.
Note: it is normal to get some errors on the first requests, and the browser may fail to connect. Just reload the web page a couple of times.
- Click the Running processes link to list the processes running on Windows 10. It is possible to kill any process from here.
- Click browse and then click Drive C to explore the contents of this drive.
- Click computer info to view information about the computer, users and hardware.
After you are done, end the Httpserver.exe process on Windows 10.
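From the defender's side, the lab leaves a clear host artifact: a workstation process listening on a TCP port and serving HTTP. The following PowerShell is an added example, not part of the original lab or the tool; it lists TCP listeners on the Windows 10 machine with their owning process and flags those that look out of place. The port allowlist, the user-writable path pattern and the function name `Get-ListenerReport` are assumptions made for illustration and need tuning per environment.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell
# prompt on the workstation so that process paths can be resolved.

# Assumption: constructed allowlist of listener ports expected on this workstation.
$ExpectedPorts = 135, 139, 445, 5040, 7680
# Assumption: path fragments treated as user-writable (regex, case-insensitive).
$UserWritable  = '\\Users\\|\\ProgramData\\|\\Temp\\'

function Get-ListenerReport {
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        Sort-Object -Property LocalPort, OwningProcess -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path   # empty for protected system processes
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status }

            $reasons = @()
            # Ports from 49152 up are the dynamic range used by Windows RPC services.
            if ($_.LocalPort -lt 49152 -and $_.LocalPort -notin $ExpectedPorts) {
                $reasons += 'port not in allowlist'
            }
            if ($path -and $path -match $UserWritable) {
                $reasons += 'binary in user-writable path'
            }
            if ($path -and $sig -ne 'Valid') {
                $reasons += "signature status: $sig"
            }

            [pscustomobject]@{
                Port      = $_.LocalPort
                ProcessId = $_.OwningProcess
                Process   = $proc.ProcessName
                Path      = $path
                Reasons   = $reasons -join '; '
            }
        }
}

# Show only listeners that tripped at least one check.
Get-ListenerReport | Where-Object Reasons | Format-Table -AutoSize -Wrap
```

With the lab's server still running, its listener on port 84 falls outside the allowlist and is reported together with the owning process and executable path.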