How to use GCAT backdoor with Gmail as a C&C server

The GCAT backdoor is a fully featured backdoor which could be controlled by using Gmail as a Command & Control server with multiple advantages for attackers.

Establish a backdoor is one of the main goals for an attacker in order to gain persistence over the targeted machines. There are many hacking tools that allow easily to create backdoors, many of these tools are daily used by professional penetration tested when try to exploit them to compromise a target or to maintain full control over them.

The creation of a backdoor allows an attacker to connect victim’s machine in order to send and execute some commands, send and manipulate files and access administration settings of the system.

Today I want to present you GCAT that is a fully featured backdoor which could be controlled by using Gmail as a Command & Control server, this means that the attacker can send instruction to remote system through a Gmail account.

As you can easily imagine this feature is very important because it help to maintain hidden the backdoor evading classic detection mechanism based on traffic analysis.

The traffic from a Gmail account will never raise suspicions in the administrators of a network and will never trigger any alarm, also consider that the command and control architecture will be always up and reachable, a factor vital for a botmasters.

The code related to the GCAT backdoor is available on GitHub, the repository included the following two files:

• gcat.py a script that’s used to enumerate and send commands to the bots.
• implant.py is the backdoor.

The above files include the gmail_user and gmail_pwd variables that must be edited with the username and password of the Gmail account used as C&C server.

To carry out an attack based on the GCAT backdoor, an attacker has to do the following steps.

• Create a dedicated Gmail account
• Turn on “Allow less secure apps” under the security settings of the account
• Enable IMAP in the account settings

GCAT backdoor allows to perform the following actions:

• Execute a system command
• Download a file from a client’s system
• Upload a file to the clients system
• Execute supplied shellcode on a client
• Take a screenshot
• Lock the clients screen
• Force a check in
• Start/ Stop keylogger

Below a useful video on the GCAT backdoor:

Pierluigi Paganini

(Security Affairs – GCAT backdoor,  Google)