Pierluigi Paganini
September 28, 2015
Establish a backdoor is one of the main goals for an attacker in order to gain persistence over the targeted machines. There are many hacking tools that allow easily to create backdoors, many of these tools are daily used by professional penetration tested when try to exploit them to compromise a target or to maintain full control over them.
The creation of a backdoor allows an attacker to connect victim’s machine in order to send and execute some commands, send and manipulate files and access administration settings of the system.
Today I want to present you GCAT that is a fully featured backdoor which could be controlled by using Gmail as a Command & Control server, this means that the attacker can send instruction to remote system through a Gmail account.
As you can easily imagine this feature is very important because it help to maintain hidden the backdoor evading classic detection mechanism based on traffic analysis.
The traffic from a Gmail account will never raise suspicions in the administrators of a network and will never trigger any alarm, also consider that the command and control architecture will be always up and reachable, a factor vital for a botmasters.
The code related to the GCAT backdoor is available on GitHub, the repository included the following two files:
The above files include the gmail_user and gmail_pwd variables that must be edited with the username and password of the Gmail account used as C&C server.
To carry out an attack based on the GCAT backdoor, an attacker has to do the following steps.
GCAT backdoor allows to perform the following actions:
Below a useful video on the GCAT backdoor:
https://www.youtube.com/watch?v=AI2ZWEwaSd0
(Security Affairs – GCAT backdoor, Google)
