Arbitrium-RAT: remote access trojan, Fully Undetectable
Arbitrium-RAT
Arbitrium is a cross-platform remote access trojan (RAT), Fully Undetectable (FUD). It allows you to control Android, Windows, and Linux devices and doesn't require any firewall exceptions or port forwarding. It gives access to the targets' local networks: you can use the targets as an HTTP proxy to reach the router, discover local IPs, and scan their ports. It includes modules such as Mimikatz, and new modules can easily be added. In addition, when Arbitrium is used together with DNS spoofing software it can spread autonomously between devices (#AutoSpread). Arbitrium is a project of multiple parts, built using Java, JS, C, Python, Cordova and VueJS.
Features:
- FUD
The client uses simple tools, which makes it completely undetectable; the trojan is based mainly on netcat and pipes TCP packets to run the server's commands.
- Firewall
Arbitrium doesn't require adding an exception to the firewall or a port-forwarding rule. The server is an API: some endpoints receive tasks for a specific target, and others are requested periodically by the trojan to fetch new instructions. The instructions can be a JavaScript file (the Android app is made using Cordova) or a shell file to run in the terminal/CMD. Once the server receives a task for a device, it schedules the task and then opens a child process that waits for the trojan's response by listening on a dedicated ephemeral port. Therefore, the trojan doesn't need to listen on any port.
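The polling design described above (the client fetching instructions from one API endpoint at a fixed interval) is the pattern a defender can look for in proxy or web-server logs. The following is an added detection example; it is not part of the Arbitrium project, and the log format, host names, IPs and the `find_beacons` function are constructed for illustration. It groups requests by client and URL and flags pairs whose inter-request gaps have a very low coefficient of variation, which is characteristic of a scheduled poll loop rather than human browsing.

```python
"""Beacon detection over constructed proxy log lines.

Added defensive example, not part of the Arbitrium project. It looks for
the traffic pattern the README describes: a client that polls one server
endpoint at a near-constant interval to fetch new instructions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (time, source IP, method, URL); not real data.
SAMPLE_LOG = """\
2021-03-01T10:00:00 10.0.0.5 GET http://c2.example.invalid/api/tasks/dev-1
2021-03-01T10:00:30 10.0.0.5 GET http://c2.example.invalid/api/tasks/dev-1
2021-03-01T10:01:00 10.0.0.5 GET http://c2.example.invalid/api/tasks/dev-1
2021-03-01T10:01:30 10.0.0.5 GET http://c2.example.invalid/api/tasks/dev-1
2021-03-01T10:02:00 10.0.0.5 GET http://c2.example.invalid/api/tasks/dev-1
2021-03-01T10:02:30 10.0.0.5 GET http://c2.example.invalid/api/tasks/dev-1
2021-03-01T10:00:07 10.0.0.9 GET http://news.example.invalid/index.html
2021-03-01T10:00:11 10.0.0.9 GET http://news.example.invalid/article/42
2021-03-01T10:03:40 10.0.0.9 GET http://news.example.invalid/index.html
2021-03-01T10:09:02 10.0.0.9 GET http://news.example.invalid/about
2021-03-01T10:21:15 10.0.0.9 GET http://news.example.invalid/index.html
2021-03-01T10:22:00 10.0.0.9 GET http://news.example.invalid/index.html
"""


def parse_log(text):
    """Yield (timestamp, src, url) tuples from the space-separated format above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.fromisoformat(parts[0])
        yield ts, parts[1], parts[3]


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return (src, url, mean_interval_s) for client/endpoint pairs that are
    polled at a near-constant interval.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: human browsing is bursty (high cv), while a
    scheduled poll loop is close to zero. Thresholds are illustrative.
    """
    by_pair = defaultdict(list)
    for ts, src, url in parse_log(text):
        by_pair[(src, url)].append(ts)

    hits = []
    for (src, url), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; no usable interval
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, url, avg))
    return hits


if __name__ == "__main__":
    for src, url, period in find_beacons(SAMPLE_LOG):
        print(f"periodic polling: {src} -> {url} every {period:.0f}s")
```

On the constructed sample the only pair that qualifies is the client that hits the tasks endpoint every 30 seconds; the browsing client's requests are too irregular even when the minimum request count is lowered. In practice the thresholds and the minimum number of requests should be tuned per environment, and added jitter on the client side raises the cv, so this check is one signal among several rather than a definitive test.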
- Battery optimization / StealthMode
Unlike stock Android, customizations like MIUI by Xiaomi, EMUI by Huawei, or Samsung's Android Pie ignore the permissions/exceptions the user grants to an app. So if you try to run an Android trojan in the background, the moment the app starts running frequent or heavy (in some cases even lightweight) tasks (e.g. sending HTTP requests periodically) it will be killed no matter what permissions the user grants; the OS completely ignores the current settings. dontkillmyapp.com is a well-known website dedicated to this particular issue.
The aforementioned issue was quite annoying while working on this project. After a while I found that building a lightweight binary that keeps running the assigned tasks in the background, while the MainActivity stands still just after launching the binary, appears to bypass most of the restrictions and actually even improves the performance of the app.
MainActivity receives a JS file from the server and uses ThreadPoolExecutor to launch the binary without waiting for it to exit (more on this in StealthMode/BatteryBypass).
- Web interface
There is also a control panel; it's not a requirement but an extension. It's a simple VueJS web app, a UI you can use to control the targets instead of directly sending requests to the API. The web app is available here: Arbitrium WebApp
Install & Use
Copyright (C) 2021 BenChaliah