Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

How to use GCAT backdoor with Gmail as a C&C server

The GCAT backdoor is a fully featured backdoor which could be controlled by using Gmail as a Command & Control server with multiple advantages for attackers. Establish a backdoor is one of the main goals for an attacker in order to gain persistence over the targeted machines. There are many hacking tools that allow easily to […]

How to use GCAT backdoor with Gmail as a C&C server

The GCAT backdoor is a fully featured backdoor which could be controlled by using Gmail as a Command & Control server with multiple advantages for attackers.

Establish a backdoor is one of the main goals for an attacker in order to gain persistence over the targeted machines. There are many hacking tools that allow easily to create backdoors, many of these tools are daily used by professional penetration tested when try to exploit them to compromise a target or to maintain full control over them.

The creation of a backdoor allows an attacker to connect victim’s machine in order to send and execute some commands, send and manipulate files and access administration settings of the system.

Today I want to present you GCAT that is a fully featured backdoor which could be controlled by using Gmail as a Command & Control server, this means that the attacker can send instruction to remote system through a Gmail account.

As you can easily imagine this feature is very important because it help to maintain hidden the backdoor evading classic detection mechanism based on traffic analysis.

The traffic from a Gmail account will never raise suspicions in the administrators of a network and will never trigger any alarm, also consider that the command and control architecture will be always up and reachable, a factor vital for a botmasters.

The code related to the GCAT backdoor is available on GitHub, the repository included the following two files:

  • gcat.py a script that’s used to enumerate and send commands to the bots.
  • implant.py is the backdoor.

The above files include the gmail_user and gmail_pwd variables that must be edited with the username and password of the Gmail account used as C&C server.

GCAT backdoor

To carry out an attack based on the GCAT backdoor, an attacker has to do the following steps.

  • Create a dedicated Gmail account
  • Turn on “Allow less secure apps” under the security settings of the account
  • Enable IMAP in the account settings

GCAT backdoor allows to perform the following actions:

  • Execute a system command
  • Download a file from a client’s system
  • Upload a file to the clients system
  • Execute supplied shellcode on a client
  • Take a screenshot
  • Lock the clients screen
  • Force a check in
  • Start/ Stop keylogger

Below a useful video on the GCAT backdoor:

https://www.youtube.com/watch?v=AI2ZWEwaSd0

Pierluigi Paganini

(Security Affairs – GCAT backdoor,  Google)