HTTP RAT Trojan 

Case Study:Using HTTP RAT Trojan, we are going to create an HTTP Remote Access Trojan (RAT) server on Windows 7 machine (10.10.50.202). When an executable Trojan file is executed on the remote machine (in our case, Windows Server 2016, having IP address 10.10.50.211), it will create remote access of Windows Server 2016 on Windows 7. 

 TOPOLOGY:

          

Configuration and procedure

  Go to Windows 7 machine and run the HTTP RAT Trojan. 

1. Uncheck Notification with IP address to mail 

2. Configure Port 

3. Click Create

      

In the default directory where the application is installed, you will see a new executable file. Forward this file to the victim’s machine.

                  

 

4. Log in to victim’s machine (In our case, Windows Server 2016) and run the file. 

5. Check task manager for a running process; you will see an HTTP Server task in the process.

               

 

6. Go back to Windows 7. 

7. Open Web browser

 8. Go to IP address of victim’s machine; in our case, 10.10.50.211

               

 HTTP connection is open from victim’s machine. You can check running process, browse drives, check computer information of victim using this tool 

9. Click Running Processes

      image

 Running Process on Victim

 

10.Click browser

      image 

 Browse Drives of Victim 

The output is showing drives. 

 11. Click Drive C

          image 

C drive of Victim

12. Click Computer Information

           image 

       

 The output is showing computer information.

13. To terminate the connection, Click Stop_http

       image 

    Stop HTTP Connection

14. Refresh the browser

    image 

   Connection terminated 

15. Go to Windows Server 2016 and check running processes.

     image 

   Verifying Process #

HTTP Server process terminated.