A Malware retrospective: PrjRAPTOR
Foreword
In our two previous articles in our “Malware Retrospective” series, we explored the stories behind two of the most well-known and popular Trojans from the late 90s and early 2000s. Most, if not all, enthusiasts in Malware/InfoSec have heard at least once about SubSeven or Beast, whether they are newcomers to the field or seasoned veterans.
Now, for the first time in the Malware Retrospective series, we will delve into the story of a lesser-known Remote Access Trojan called “PrjRAPTOR”. This Trojan gained popularity around 2008 and 2009, a period that marked the close of the Trojan scene’s golden era. It was a time before the creation of such programs turned into profit-driven enterprises by cyber criminals, rather than demonstrations of technical skill and genuine passion.
Let’s briefly dive into PrjRAPTOR’s story, a Remote Access Trojan that made waves for its unique interface. Our exclusive interview with its author, “Ryan,” offers valuable insights into the Trojan’s development and impact.
I want to extend my sincere thanks to Ryan for taking the time to answer my questions and clarify some critical points. Connecting with members of the old scene who laid the foundations of modern malware is always a rewarding experience.
Finding a clean and working copy of PrjRAPTOR was quite a challenge, as it wasn’t as widely recognised as other top malware from that era. Few websites offered downloads, and most are offline more than a decade later. I asked Ryan if he still had a clean copy, but he had lost all trace of the project, including the source code and binaries. He was even surprised that someone would be discussing his experimental project, which he once used to learn programming, all these years later. This curiosity-driven approach to coding was common among malware developers at the time and shaped what malware has become today.
PrjRAPTOR: Unveiling the Story of a Forgotten Trojan
The mind behind this Remote Access Trojan (RAT), “Ryan,” shares the inception, evolution, and legacy of his brainchild. For those familiar with the landscape of cyber tools during its peak, PrjRAPTOR doesn’t require an introduction. For the uninitiated, here’s a comprehensive exploration of its journey, straight from its creator.
Born in the USA, Ryan was a mere 13-year-old when he embarked on the ambitious journey of developing PrjRAPTOR around 2007–2008. Intrigued by the vast world of hacking tools and the enigmatic aura surrounding hackers, Ryan aimed to demystify the “hacker-man” character from movies, only to find himself deeply engrossed in the world of programming.
As he recounts, “I found amazing online forums where people exchanged ideas, did write ups and shared their work.” The name PrjRAPTOR might seem cryptic, but its origins are endearingly simple. It’s an amalgamation of Ryan’s habit of prefixing “prj” for VB test projects and his 13-year-old fascination with dinosaurs.
Malware and its fascinating universe drew Ryan in. He imagined it as the zenith of technical prowess, where programmers “break the rules.” Starting with simple vbscript files, Ryan gradually migrated to VB5 and then VB6, unearthing the intricacies of programming and malware development.
In this article series, we’ve previously discussed malware created using Delphi, which was a popular choice among Trojan/RAT’s developers for various reasons. It’s important to highlight that Visual Basic 6 (VB6) was likely the second most-used programming language in the realm of such category of malware. Similar to Delphi, a key appeal of VB6 was its ease of use in creating rich user interfaces without requiring complex code. However, VB6 had the advantage of being even more beginner-friendly, making it an ideal choice for newcomers to malware development. While VB6 was somewhat more limited in capabilities compared to Delphi, several malware strains stood out for their innovative features and ingenious design, such as MoSucker, CIA, and LostDoor. The significance of VB6 in the field of malware should not be underestimated.
Building PrjRAPTOR was no small feat. Ryan admits, “It took me years… I went into it with almost 0 programming experience or knowledge.” Navigating challenges like understanding VB6’s GUI editor, the event system, object-oriented features, and much more, Ryan tirelessly worked on making the RAT functional and robust.
Ryan cites tools like ProRAT, Optix, SubSeven, PoisonIvy, and Daemon Crypt as sources of inspiration. He meticulously tested and observed features from a plethora of tools available, learning, iterating, and building on top of what existed. ProRAT, in particular, served as a foundational learning tool for him.
Despite being deeply embedded in the malware community, Ryan never made deep connections. He remembers active members and learned by observing, but preferred to face challenges on his own - In the past, whether opting to be a lone wolf or part of a team, the primary motivation for developing such programs was the pursuit of knowledge and the satisfaction derived from overcoming the myriad challenges that a malware author would inevitably encounter.
As with many passion projects, PrjRAPTOR faced its sunset when Ryan decided to pursue other interests, especially during his high school years. Discussing the possibility of revisiting the project today, Ryan believes that given the advancements in technology and cybersecurity, a rebuild would be more apt. Reflecting on his journey, he remarked, “Revising the project in today’s time would no doubt warrant a full rebuild for so many reasons. First, I would like to say that making a tool like PrjRAPTOR in today’s world would benefit greatly from being open source.” Expressing his regret, he continued, “That is probably the most sure thing I could say about changes in the project. I really should have done that back then too, but I didn’t know anything about open source software. I could have learned a lot from letting people see my mistakes.” He emphasises the value of making such tools open source and deeply regrets not making PrjRAPTOR open source at that time.
Since the culmination of PrjRaptor, the author shared, “I have worked on many projects. None of them involve malware except maybe a few small endeavors that are more on the security side of things.” He further elaborated on the evolution of his professional interests, saying, “It didn’t take me long to realize that general programming was far more compelling than only focusing on malware.” While exploring various avenues in software development, his foundational experiences continued to guide him: “I still feel heavily inspired by the old hacking tools when I am designing a project. I recall the feeling of having a tool that was easy to use, automated a process that seemed like magic and looked good doing it.”
A Quick Tour About PrjRAPTOR Features
Upon first opening the PrjRAPTOR controller, it’s immediately clear that you’re experiencing the imaginative output of a 13-year-old. The design is vividly colorful, brash, and features raptors prominently throughout. While the youthful, experimental flair is evident, the design choices can sometimes be obstructive. Some windows have dark colors, making navigation a bit challenging, while others are extremely bright. It’s a testament to the trial-and-error spirit of a young programmer finding his way through his creative endeavor.
It’s also noticeable that PrjRAPTOR lacks some functionalities compared to other RATs of its time, indicating clearly that the project was not yet complete. The author’s other commitments appear to have taken precedence over its development. Nevertheless, the program remains quite impressive, especially considering the young age of its creator.
PrjRAPTOR included an iconic Remote File Manager, a potent feature that enabled complete control over an infected machine’s file system. This allowed for tasks like downloading and uploading files, as well as altering file integrity. Essentially, this feature turned the remote system into a sort of FTP server, and it’s often used by threat actors to upload and execute additional payloads.
Another potent feature in PrjRAPTOR is its Keylogger, designed specifically for monitoring a victim’s keyboard activities. This inherently dangerous function enables an attacker to capture potentially sensitive information, such as passwords for websites or applications, including VPNs, to name just one example. When employed strategically, this feature serves as an ideal tool for tasks like pivoting or privilege escalation.
Aside from a few system-oriented features like Process and Window Manager and Clipboard controls, PrjRAPTOR primarily includes disruptive and whimsical features, echoing the practices of similar programs from the past. This also serves as another indicator of the youthful age of the developer behind the project.
Finally, it’s surprising to see that the project lacks features such as webcam or desktop capture, which are commonly found in similar programs.
The program was unfinished, explaining the absence of such specialized features. In any case, it’s impressive to see what a 13-year-old was able to accomplish instead of playing video games like other kids his age.
Conclusion
Like many others, including myself, Ryan exemplifies the reason why such ingenious programs were developed in the first place. Far from being solely about profit, these creations were aimed at building a strong foundation in multiple fields. Crafting a Remote Access Trojan (RAT) was particularly challenging, especially in earlier days when resources were scarce. Aspiring malware authors had no choice but to be both creative and persistent. A RAT was an excellent learning platform because it involved diverse aspects of programming, from user interface design to system-level coding, as well as an understanding of operating systems, APIs, and networking.
While RATs (and their modern counterparts, C2s) are relatively common today, the challenges still exist, albeit in a different form, primarily focused on evading detection. Nonetheless, the landscape has changed considerably from over a decade ago. Still, creating RATs remains one of the best ways to quickly climb the ranks and become a skilled programmer.
A Word about Malware Gallery
I wanted to take this opportunity at the end of the article to introduce my long-term project called “Malware Gallery.” This museum is dedicated to vintage malware, particularly Remote Access Trojans that have made an impact since the late 1990s. The goal is for veterans like me to reminisce about these technological gems that defined our formative years. I was fortunate to grow up during the early days of the internet and to have firsthand experience with these pioneering programs, even meeting many of their creators. The project aims to compile my memories, conduct new research, and progressively publish extensive information and images about these relics from the past.
It’s also a valuable resource for newcomers — those with less than 15 years of experience in the field — to familiarize themselves with programs they may not have encountered through academic courses or training. Malware, particularly from earlier times, is a true passion of mine that I always wish to share in one way or another. As I often say, to understand your craft, you must understand its history.
The database will grow incrementally but steadily; this is a long-term project that demands extensive research and effort to full. If there’s a particular family of malware that has left an impression on you and is not yet featured, feel free to reach out to me. I will prioritize adding it to the collection. Thank you in advance for your feedback.
Featured image / banner by Lois