I had COVID for part of the week, so I could not work in the shop. During that time, I tested how Windows Defender detects RATs.
I researched how Windows Defender detects RATs last year when I made one that uses WebSockets for C2. I noticed that Windows would detect the malware once it dialed out to my server.
To test if dialing out was triggering Antivirus, I made a very similar RAT, but instead of using my server for C2, I used Discord.
I thought it might not be detected because Discord is a common autostarting application, and, assuming that Windows Defender triggers when programs dial out, Discord would likely be whitelisted.
I wrote a very simple RAT that used the Python libraries for making Discord bots. It has four functions: shell, which runs commands in the respective system's shell; exfiltrate, which sends the specified data back to the operator in Discord; and ping, which has the bot respond if it is online.
This RAT would only be used for research, and I do not want to release a dangerous malware sample, so I did not program in any polymorphism. Without polymorphism, once the sample is added to antivirus hash databases, it becomes harmless.
I used PyInstaller to create an exe file to test the program.
Antivirus did not detect the RAT until I tried to put it in the hidden startup folder. That is unsurprising because the hidden startup folder is practically useless outside of malware.
Going through Discord's API made the RAT much more difficult for AV to detect than going to my server. I do not know why this technique is not more commonly used. With some light googling, I found that it is a strategy that has been used before, but it is not nearly as common as I expected.
After returning to school, I continued working on communication on the float. I ran into many issues with the library and decided that using WiFi with an external antenna made more sense.
I use the Adafruit QT Py ESP32-S2 WiFi Dev Board because it supports an external antenna. I scavenged an antenna that works well for the float from a broken router in the shop.
I wrote MicroPython code to connect to a WiFi network and open a TCP socket. This simplified the communication code because WiFi and TCP sockets are well-established standards.
I am connecting to a preexisting WiFi network rather than creating an access point to simplify debugging. I can test the code from my workstation without disconnecting from the network.
I was able to write functional communication over WiFi in MicroPython in only one day. Getting to the same point using packet radio with Arduino took me weeks. Because of the faster development, I plan on using WiFi on the float this year.
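The following is an added example of the station-mode WiFi join plus line-oriented TCP server described above; it is not the float's own code. The SSID, password, port and the PING/STATUS/TARGET commands are assumptions, and the WiFi part relies on MicroPython's `network` module, so on a workstation that step is skipped and only the command handler runs. Keeping the handler a pure function means it can be unit-tested in CPython before flashing the board, and the socket loop can then be exercised from the workstation with netcat exactly as the post describes. The socket is plain TCP with no authentication, so anything on the same preexisting network can send commands; that is fine for bench testing but worth remembering if the float ends up on a shared network.

```python
# Added example, not the author's float code. Runs on an ESP32-S2 under MicroPython;
# the handler also runs under CPython for offline testing.
import socket

try:
    import network  # MicroPython only; absent on a workstation
except ImportError:
    network = None

WIFI_SSID = "example-ssid"          # placeholder, not from the post
WIFI_PASSWORD = "example-password"  # placeholder, not from the post
LISTEN_PORT = 5000                  # assumed port


def connect_wifi(ssid, password, timeout_s=20):
    """Join a preexisting network in station mode and return the assigned IP."""
    import time  # MicroPython time has ticks_* helpers
    sta = network.WLAN(network.STA_IF)
    sta.active(True)
    if not sta.isconnected():
        sta.connect(ssid, password)
        deadline = time.ticks_add(time.ticks_ms(), timeout_s * 1000)
        while not sta.isconnected():
            if time.ticks_diff(deadline, time.ticks_ms()) < 0:
                raise OSError("WiFi join timed out")
            time.sleep_ms(100)
    return sta.ifconfig()[0]


def handle_command(line, state):
    """Pure command handler: one text line in, one reply string out.
    state is a dict of float readings/settings (assumed keys depth_m, target_m)."""
    parts = line.strip().split()
    if not parts:
        return "ERR empty"
    cmd, args = parts[0].upper(), parts[1:]
    if cmd == "PING":
        return "PONG"
    if cmd == "STATUS":
        return "DEPTH %.2f TARGET %.2f" % (state["depth_m"], state["target_m"])
    if cmd == "TARGET" and len(args) == 1:
        try:
            state["target_m"] = float(args[0])
        except ValueError:
            return "ERR bad number"
        return "OK TARGET %.2f" % state["target_m"]
    return "ERR unknown command"


def serve(port=LISTEN_PORT):
    """Accept one netcat connection at a time and answer line by line."""
    state = {"depth_m": 0.0, "target_m": 0.0}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(1)
    while True:
        conn, _addr = srv.accept()
        buf = b""
        try:
            while True:
                chunk = conn.recv(256)
                if not chunk:  # client (netcat) closed the connection
                    break
                buf += chunk
                # Split on newlines so partial TCP segments are reassembled
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    reply = handle_command(line.decode(), state)
                    conn.send((reply + "\n").encode())
        finally:
            conn.close()


if __name__ == "__main__":
    if network is not None:
        print("IP:", connect_wifi(WIFI_SSID, WIFI_PASSWORD))
    serve()
```

From the workstation, `nc <board-ip> 5000` and typing `PING` or `TARGET 2.5` exercises the same handler the test covers.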
Below is a screenshot of functional communication over TCP using netcat.