Threat Thursday: September 2024

Written by SCYTHE | Sep 30, 2024 4:00:00 AM

In a recent Threat Thursday Live session, the SCYTHE team introduced JakeRat, a remote access tool designed for command execution and response retrieval, discussing its features, detection challenges, and more.

New Threat Releases

Exploring JakeRat: A New Tool for Remote Access

In a recent Threat Thursday Live session, the SCYTHE team and special guest Jake Williams introduced a new tool known as JakeRat. This remote access tool operates as both a Remote Administration Tool and a Remote Access Trojan, inspired by prior discussions on systemd persistence. Jake explained how JakeRat facilitates command execution and response retrieval across various endpoints through a simple command-and-control (C2) server built with Flask.

JakeRat boasts several key features, including basic command issuance and response handling, the ability to gather host IDs from endpoints, and a straightforward setup that allows users to host the C2 server without needing persistent connections. While lacking extensive features, its capacity to execute arbitrary code presents significant potential for further actions, such as downloading additional binaries.

The session then shifted focus to the challenges of detection, particularly for persistence techniques that use the .bashrc file. The team emphasized the difficulty of monitoring changes to this file: each user has their own copy, and it can be modified without triggering alerts. The discussion underscored the need for detection strategies that identify unexpected processes spawned during user logins.
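As an added illustration of the .bashrc monitoring problem raised above (example code written for this page, not SCYTHE's or JakeRat's code), the following Python compares a user's .bashrc against a recorded baseline hash and flags lines containing patterns that are unusual in an interactive shell init file. The usernames, baseline and file contents are constructed samples.

```python
import hashlib
import re
from typing import Dict, List

# Patterns that are unusual in an interactive shell init file: commands that
# detach or background themselves, fetch remote content, decode payloads, or
# open raw network connections. Each entry is (regex, label for the finding).
SUSPICIOUS = [
    (r"\bnohup\b", "detached process"),
    (r"\bsetsid\b", "setsid"),
    (r"&\s*$", "backgrounded command"),
    (r"\b(curl|wget)\b.*https?://", "remote fetch"),
    (r"\bbase64\s+(-d|--decode)\b", "encoded payload"),
    (r"\b(nc|ncat|netcat)\b", "raw network client"),
    (r"\bpython[23]?\s+-c\b", "inline python"),
]

def file_hash(content: str) -> str:
    """SHA-256 of the file contents, used as the per-user baseline value."""
    return hashlib.sha256(content.encode()).hexdigest()

def check_bashrc(user: str, content: str, baseline: Dict[str, str]) -> List[str]:
    """Return findings for one user's .bashrc: hash drift against the recorded
    baseline, plus every non-comment line matching a SUSPICIOUS pattern
    (first matching label wins). An empty list means nothing was flagged."""
    findings = []
    digest = file_hash(content)
    if user not in baseline:
        findings.append(f"{user}: no baseline recorded for .bashrc")
    elif baseline[user] != digest:
        findings.append(f"{user}: .bashrc hash changed from baseline")
    for lineno, line in enumerate(content.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, stripped):
                findings.append(f"{user}: line {lineno} ({label}): {stripped}")
                break
    return findings

# Constructed sample .bashrc contents (not taken from any real host).
CLEAN_BASHRC = "# ~/.bashrc\nexport PATH=\"$HOME/bin:$PATH\"\nalias ll='ls -alF'\n"
TAMPERED_BASHRC = CLEAN_BASHRC + "nohup /tmp/.agent >/dev/null 2>&1 &\n"
BASELINE = {"alice": file_hash(CLEAN_BASHRC)}  # baseline recorded at a known-good time

if __name__ == "__main__":
    for finding in check_bashrc("alice", TAMPERED_BASHRC, BASELINE):
        print(finding)
```

In practice the baseline would be recorded from a known-good image and the check run against every /home/*/.bashrc (and root's) on a schedule or on file-change events.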

Additionally, the team discussed their experiences transitioning JakeRat from Python to C to enhance efficiency while maintaining functionality. This adjustment significantly reduced the tool's size, making it easier to deploy in various environments, including Docker containers, despite initial challenges with host ID requirements.

The conversation highlighted JakeRat's operational independence from the primary SCYTHE implant, which provides multiple avenues of command and control. This versatility makes it effective for simulating real-world threat scenarios. As threat actors continue to evolve their tactics, understanding tools like JakeRat becomes increasingly important for effective defense.

Watch Threat Thursday below.
