Digital Vengeance: Exploiting the Most Notorious C&C Toolkits

Presented at Black Hat USA 2017, July 27, 2017, 3:50 p.m. (50 minutes)

Every year thousands of organizations are compromised by targeted attacks. In many cases the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible, as if the assailants' skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe. If one looks at the many APT reports that have been released over the years, some clear patterns start to emerge. A small number of Remote Administration Tools (RATs) are preferred by actors and reused across multiple campaigns. Frequently sited tools include Gh0st RAT, Korplug/Plug-X, and XtremeRAT among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities. Vulnerabilities that can be exploited to turn the tables from hunter to hunted. Although the material in this talk will provide tools for launching an offensive against attackers, this talk is not intended to be an instructional for hacking back. The ethics and legality of counter attacks will be touched on only briefly as that is a discussion beyond the scope of this talk. The presentation will disclose several exploits that could allow remote execution or remote information disclosure on computers running these well-known C&C components. It should serve as a warning to those actors who utilize such toolsets. That is to say, such actors live in glass houses and should stop throwing stones.

Presenters:

• Waylon Grange - Senior Threat Researcher, Symantec
  Waylon Grange is an experienced reverse engineer, developer, and digital forensics examiner. He holds a graduate degree in Information Security from Johns Hopkins University, and has worked numerous computer incident investigations spanning the globe. Prior to Symantec he worked for Blue Coat Systems as a Senior Threat Researcher, and the Department of Defense performing vulnerability research, software development, and Computer Network Operations.

Links:

• https://www.blackhat.com/us-17/briefings/schedule/#digital-vengeance-exploiting-the-most-notorious-cc-toolkits-6066
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/Digital Vengeance - Exploiting the Most Notorious C&C Toolkits.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/Digital Vengeance - Exploiting the Most Notorious C&C Toolkits.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/Digital Vengeance - Exploiting the Most Notorious C&C Toolkits.en.transcribed.srt (subtitles)
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/Digital Vengeance - Exploiting the Most Notorious C&C Toolkits.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=4wwSOD6orcY
• https://www.blackhat.com/docs/us-17/thursday/us-17-Grange-Digital-Vengeance-Exploiting-The-Most-Notorious-C&C-Toolkits.pdf
• https://www.blackhat.com/docs/us-17/thursday/us-17-Grange-Digital-Vengeance-Exploiting-The-Most-Notorious-C&C-Toolkits-wp.pdf

Similar Presentations:

• 31C3 (2014) / The Invisible Committee Returns with "Fuck Off Google": Cybernetics, Anti-Terrorism, and the ongoing case against the Tarnac 10
• DEF CON 25 (2017) / Digital Vengeance: Exploiting the Most Notorious C&C Toolkits
• DerbyCon 7.0 Legacy (2017) / Digital Vengeance: Exploiting the Most Notorious C&C Toolkits