RCS Console is the GUI used to manage and browse the data stored in the RCSDB. That data is captured by backdoors installed on target devices and delivered to the Collection Node (ASP) they are configured to synchronize with. A backdoor instance is the software installed on a target device to collect several kinds of information for an investigation. A backdoor can be configured to collect different kinds of information, i.e. it has different agents enabled; each agent is responsible for collecting a single kind of information or performing a single task. A backdoor class is an abstraction over backdoor instances: it holds only the configuration that the instances receive the first time they synchronize with the collection node.
RCS Internals
Backdoor
Stealth monitoring program written in C++ and ASM. It connects to the ASP over an encrypted channel, uses an event/action paradigm and is made up of different agents that can be activated separately.
ASP
It consists of two Windows services, RSS and RLD. RSS is responsible for the communication with the backdoor; RLD decrypts the logs and sends them to the DB.
HCM
It is used to create the configurations for the backdoors. It communicates with the ASP through the DB in order to deliver the configurations to the backdoors. It is also used to create infection vectors such as melted executables, CD/USB media, etc.
RCS Internals (continued)
DB
All the information about users, activities, targets, backdoors and logs is stored in the DB. All the other components talk to the DB through an XML-RPC interface.
Console
This is the main visualization tool. It is used to administer users, groups, activities, targets and backdoors, and to browse the logs. It is accessed by different users with different profiles; a user can only see logs from the activities assigned to them.
Backdoor Logic

Events
•Executed Processes
•Network Connections
•Screensaver start/stop
•Time/Date
•WinEvt
•Quota
Events are raised by the event manager based on the configuration file.

Actions
•Synchronize
•Start / stop agent
•Uninstallation
•Command execution
Actions are triggered by events. Each event is configured to trigger exactly one action; sub-actions are available.

Agents
•Voip
•Microphone
•Webcam
•Key logger
•Instant Messaging
•URL
•Password
•Snapshot
•Print
•Clipboard
•File Capture
Agents can be activated on startup or started/stopped by an action. Each agent has its own configuration and behavior.
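The event/action/agent rules above can be made concrete with a small model. The following is an added illustration written for this page, not Hacking Team code: it encodes the invariants the slides state (events are raised from a configuration file, each event is bound to exactly one action, an action carries a list of sub-actions, and agents are either active at startup or started/stopped by an action) and simulates an instance reacting to two events. The configuration layout, the class names (Config, Action, Backdoor) and the sample CONFIG are assumptions made for the example; the real configuration format is not described on the page.

```python
"""Toy model of the backdoor's event -> action -> agent logic (added example)."""
from dataclasses import dataclass
from enum import Enum


class Event(Enum):
    PROCESS = "process"          # executed process
    CONNECTION = "connection"    # network connection
    SCREENSAVER = "screensaver"  # screensaver start/stop
    TIMER = "timer"              # time/date
    WINEVT = "winevt"            # Windows event log entry
    QUOTA = "quota"              # log quota reached


class SubAction(Enum):
    SYNCHRONIZE = "synchronize"
    START_AGENT = "start_agent"
    STOP_AGENT = "stop_agent"
    UNINSTALL = "uninstall"
    EXECUTE = "execute"


# Agent names from the slides; spelling of the identifiers is assumed.
AGENTS = {"voip", "microphone", "webcam", "keylogger", "im", "url",
          "password", "snapshot", "print", "clipboard", "filecapture"}


@dataclass
class Action:
    name: str
    subactions: list  # [(SubAction, argument), ...]


@dataclass
class Config:
    agents_on_startup: set
    actions: dict   # action name -> Action
    bindings: dict  # Event -> single action name


class ConfigError(ValueError):
    pass


def validate(cfg: Config) -> None:
    """Reject configurations that break the stated invariants."""
    for ev, action_name in cfg.bindings.items():
        if not isinstance(action_name, str):
            raise ConfigError(f"{ev.value}: an event must trigger exactly one action")
        if action_name not in cfg.actions:
            raise ConfigError(f"{ev.value}: unknown action {action_name!r}")
    for action in cfg.actions.values():
        for sub, arg in action.subactions:
            if sub in (SubAction.START_AGENT, SubAction.STOP_AGENT) and arg not in AGENTS:
                raise ConfigError(f"{action.name}: unknown agent {arg!r}")
    unknown = cfg.agents_on_startup - AGENTS
    if unknown:
        raise ConfigError(f"unknown startup agents {sorted(unknown)}")


class Backdoor:
    """Simulated instance: tracks running agents and records each sub-action."""

    def __init__(self, cfg: Config):
        validate(cfg)
        self.cfg = cfg
        self.running = set(cfg.agents_on_startup)  # agents active at startup
        self.installed = True
        self.log = []

    def raise_event(self, ev: Event) -> list:
        """Event manager: look up the one bound action and run its sub-actions."""
        if not self.installed or ev not in self.cfg.bindings:
            return []
        action = self.cfg.actions[self.cfg.bindings[ev]]
        done = []
        for sub, arg in action.subactions:
            if sub is SubAction.START_AGENT:
                self.running.add(arg)
            elif sub is SubAction.STOP_AGENT:
                self.running.discard(arg)
            elif sub is SubAction.UNINSTALL:
                self.running.clear()
                self.installed = False
            # SYNCHRONIZE and EXECUTE are only recorded in this model.
            done.append((sub.value, arg))
        self.log.extend(done)
        return done


# Constructed sample configuration (assumed, not from the page).
CONFIG = Config(
    agents_on_startup={"keylogger", "url"},
    actions={
        "on_process": Action("on_process", [(SubAction.START_AGENT, "voip"),
                                            (SubAction.START_AGENT, "microphone")]),
        "on_screensaver": Action("on_screensaver", [(SubAction.STOP_AGENT, "webcam"),
                                                    (SubAction.SYNCHRONIZE, None)]),
        "on_quota": Action("on_quota", [(SubAction.SYNCHRONIZE, None)]),
    },
    bindings={Event.PROCESS: "on_process",
              Event.SCREENSAVER: "on_screensaver",
              Event.QUOTA: "on_quota"},
)


def demo() -> dict:
    bd = Backdoor(CONFIG)
    bd.raise_event(Event.PROCESS)      # e.g. a VoIP client was launched
    bd.raise_event(Event.SCREENSAVER)  # user stepped away: sync to the ASP
    return {"running": sorted(bd.running), "log": bd.log}


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the agent set and the action log after the two events; validate() is what enforces the "exactly one action per event" rule, so a binding that lists two actions is rejected before the instance starts.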
Configuration Management

The HCM workflow is: select the DB and authenticate, manage the backdoor configurations, build the infection tools, then log out.

Repository selection:
• Choose a repository of backdoor configurations
• Authenticate with username/password

Manage configuration:
• Add/delete/change events and actions, modify agent parameters, etc.
• Save and update the configuration on the DB

Build infection media:
• Polymorphic melted executable
• Offline installation tool (CD-ROM/USB pen)
• INJ proxy: polymorphic core, plugin, etc.

Logout
Infection Vectors

All of the following are built from the HCM.

INJ Proxy
Intercepts all the HTTP connections of the target and injects the backdoor into any executable file downloaded. When the target executes the file, the backdoor runs unnoticed and the target is infected. Note that this only reaches traffic the proxy can read: downloads over TLS are outside its scope unless the TLS session is broken separately, and a modified executable no longer matches the publisher's signature or a published hash.

Boot CD/USB
The target PC is booted from the provided CD or USB key and the offline installation starts. You can choose the users of the machine for which the backdoor will be installed. You can also retrieve the logs already collected.

EXE Melting
The backdoor is melted into any executable. When the executable is launched, the backdoor installs silently and the original executable continues as usual.

Hacking Resources
The target client can be attacked through exploits and forced to upload and execute the backdoor, e.g. via a malicious website or a maliciously crafted file.
ASP Internals
• Encrypted communications
• Mutual authentication with the backdoors
(prevents MITM and spoofing attacks)
• Multi-threaded
• Two independent Windows services for communication (RSS) and decryption (RLD)
• Hidden behind a fake web server, so the collection node looks like an ordinary web host to anyone probing it
DB data organization
• Users and Groups
• Activities, Targets and Backdoors
• Logs
• Audit Logs
• Binaries and Certificates
• Encryption Keys
• Configurations