C2 Active Monitoring

Collecting orders from Command and Control servers by impersonating an infected machine


@xanhacks

https://slides.com/xanhacks/c2-active-monitor/

whoami

# whoami
C2 Active Monitoring - @xanhacks
  • Student at ENSIBS
  • Malware Analyst at the French Post Office
  • Play CTF in my free time (Web & Reverse)


How it works - Part 1

# how it works

  • MWDB: Malware Database
  • Karton: Configuration extraction
  • Downloader: Download samples


How it works - Part 1 - MWDB Sample List


How it works - Part 1 - MWDB Sample Overview


How it works - Part 2


  • C2 Monitoring API: API & database for C2 & Orders
  • C2 Connectors: Python scripts to communicate with C2
  • C2 Servers
  • One class for each malware family: NjratClient, XWormClient

How it works - Part 2 - C2 Monitor Overview


How it works - Part 2 - C2 Monitor Orders


Case Study: NjRAT - Green Edition

# example: njrat

NjRAT is a Remote Access Trojan written in .NET that communicates over an unencrypted TCP socket (default port: 5552).

Funny Orders - Fun Popup

# results

Funny Orders - Chat Plugin


Funny Orders - Open Site - Russian Video


Funny Orders - Open Site - Russian Video again...


Funny Orders - Open Site - P*rn website


Campaign - "I am Furry"


Timeline

Campaign - "I am Furry"

"ill fucking kill your computer"
"im getting your bank information"
"you will be fucking poor"


https://www.youtube.com/watch?v=Xs3ukQql0H0

Wiper #1: AiVDsDOsA

Campaign - "I am Furry"


https://www.youtube.com/watch?v=jK1nRADpVnw

Wiper #2: Neptunium

Campaign - "I am Furry"


Furry lover <3

Campaign - "I am Furry"

Campaign - @gribojuy / ГРИБОЖУЙ / Champignon


> "gribojuyy" enter the chat

gribojuyy: Bro, hello, do you have paypal?

me: What are you doing in my computer ?

gribojuyy: do you have a discord?

me: Where are you from ?

gribojuyy: America

gribojuyy: bro do you have telegram

gribojuyy: bro do you have telegram

gribojuyy: bro do you have telegram

gribojuyy: ...

gribojuyy: message me in telegram @gribojuy

Chat exchange on 10/05/2024

At the same time:

  • Record Micro/Cam
  • Open PH (also send index.html)
  • Play piano
  • Process List
  • Text to Speech (if I do not answer the chat)

Campaign - @gribojuy - Telegram & YouTube


Campaign - @gribojuy - Telegram Preview


Campaign - @gribojuy - Pastebin Account


Campaign - @gribojuy - Github Account


The nice guy


Timeline

"You installed a virus that I did not distribute"

"Please install antivirus"

MessageBox: Documentation to remove NjRAT

Coincidence??


14min interval

Anydesk IT Support from Russia


14/04/2024

End!

Any questions?

 
