The Art of Compromising C2 Servers: A Web Application Vulnerabilities Perspective

Presented at DEF CON 31 (2023), Aug. 13, 2023, 11 a.m. (45 minutes).

C2 servers of mobile and Windows malware are usually left to their own fate once they have been discovered and the malware is no longer effective. We are going to take a deep dive into the rabbit hole of attacking and owning C2 servers, exposing details about their infrastructure, code bases, and the identity of the companies and individuals that operate and profit from them. While understanding and reversing malware is a highly skilled procedure, attacking the C2 itself rarely requires much technical skill. Most C2 servers have the same typical HTTP problems, which can be detected by off-the-shelf vulnerability scanners. By exploiting low-hanging fruit vulnerabilities, an attacker can obtain unauthorized access to administrative functions, allowing them to command thousands of devices and further explore other attack vectors. This can give them access to administrator panels and malware source code, and result in the identity of threat actors being exposed.

References:

  • Harly malware: https://www.kaspersky.com/blog/harly-trojan-subscriber/45573/
  • Clipper malware: https://www.welivesecurity.com/2023/03/16/not-so-private-messaging-trojanized-whatsapp-telegram-cryptocurrency-wallets/
  • Nexus malware: https://www.techrepublic.com/article/nexus-android-malware-finance-targets/
  • Aurora malware: https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/

Presenters:

  • Vangelis Stykas - CTO at Tremau
    Vangelis is a software developer, penetration tester, and PhD candidate. He applies his skills in his job as Chief Technology Officer at Tremau, and his research focus revolves around API and web application security. His academic research is focused on machine learning in web application security and the development of proactive web application security. In his free time, Vangelis helps start-ups secure themselves on the Internet and get a leg up in security. In recent years he has published and presented research on API control functions for ships, smart locks, IP cameras, EV chargers and many other IoT devices. He has performed extensive research on the stalkerware industry.
