The GCAT backdoor is a fully featured backdoor which could be controlled by using Gmail as a Command & Control server with multiple advantages for attackers.
Establish a backdoor is one of the main goals for an attacker in order to gain persistence over the targeted machines. There are many hacking tools that allow easily to create backdoors, many of these tools are daily used by professional penetration tested when try to exploit them to compromise a target or to maintain full control over them.
The creation of a backdoor allows an attacker to connect victim’s machine in order to send and execute some commands, send and manipulate files and access administration settings of the system.
Today I want to present you GCAT that is a fully featured backdoor which could be controlled by using Gmail as a Command & Control server, this means that the attacker can send instruction to remote system through a Gmail account.
As you can easily imagine this feature is very important because it help to maintain hidden the backdoor evading classic detection mechanism based on traffic analysis.
The traffic from a Gmail account will never raise suspicions in the administrators of a network and will never trigger any alarm, also consider that the command and control architecture will be always up and reachable, a factor vital for a botmasters.
The code related to the GCAT backdoor is available on GitHub, the repository included the following two files:
gcat.py a script that’s used to enumerate and send commands to the bots.
implant.py is the backdoor.
The above files include the gmail_user and gmail_pwd variables that must be edited with the username and password of the Gmail account used as C&C server.
To carry out an attack based on the GCAT backdoor, an attacker has to do the following steps.
Create a dedicated Gmail account
Turn on “Allow less secure apps” under the security settings of the account
Enable IMAP in the account settings
GCAT backdoor allows to perform the following actions:
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.