Presented at ekoparty 14 (2018), Sept. 27, 2018, 4 p.m. (50 minutes).
The talk focuses on dynamic callbacks for re-establishing communication with C2 infrastructure and for achieving persistence, on how payloads can heal themselves after being blocked, and on how communication can be re-established via dynamic parametric data. The methods described are code agnostic.
1. Introduction
A. The puppet masters that govern malware. SOURCE: https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware
B. C&C Servers are used to orchestrate malware and malicious code.
C. Thesis: Infrastructure can be organized and changed using dynamic requests to reduce detection and blocking. Persistence methods can take advantage of the same dynamic requests.
D. Red Team (and malicious actors) can take advantage of these techniques.
E. The talk is focused on dynamic callbacks for re-establishing communication with C2 infrastructure and for achieving persistence using different methods, popular websites, domain fronting and multiple protocols.
F. The techniques and methods described are code agnostic and can be used as a baseline. They can be combined with each other or with other methods.
2. History
A. On May 14, 2015, FireEye published that a China-based group (APT17) had been using legitimate websites (Microsoft TechNet) as a relay for C2 callbacks (BlackCoffee malware). SOURCE: https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html
B. Before the APT17 group (BlackCoffee malware), malicious actors had already been using similar techniques to orchestrate callbacks to C2 infrastructure.
C. On December 4, 2015, SilentBreakSecurity (Nick Landers) published details on how Outlook rules can be used to trigger malicious code (Malicious Outlook Rules). SOURCE: https://silentbreaksecurity.com/malicious-outlook-rules/
D. On December 18, 2016, ICANN published how DNS can be used as a covert channel. SOURCE: https://www.icann.org/news/blog/what-is-a-dns-covert-channel
E. Most malware uses fixed callbacks hardcoded in the stager.
F. A persistence method can fail if the callback is hardcoded as part of the code.
3. Argument: Callbacks can be modified dynamically using different methods, popular websites and their functionalities.
A. The addresses of the C2 infrastructure can change, therefore the stager and payloads need to know where to find it.
B. It will be more difficult to detect the callback if the C2 address is obtained dynamically.
C. It will be more difficult to detect the callback if the C2 communication is mixed with legitimate traffic to popular websites, i.e. hiding in plain sight.
4. Argument: Persistence methods can take advantage of dynamic requests to modify their behaviour and to patch themselves when required or requested.
A. Dynamic requests can be used to modify the persistence methods and their setup.
B. Stagers and payloads can patch themselves for re-establishing communication and for changing their behaviour.
5. Argument: The combination of dynamic callback and persistence can be unique for each compromised host.
A. A unique combination can be used on each compromised host, therefore if one host is detected, the indicators of compromise will not help in detecting other compromised hosts.
B. If these techniques are only used for re-establishing communication with C2 infrastructure and for persistence, and they are not used for controlling the compromised hosts, detection could be low.
C. Communication channel between compromised hosts and C2 infrastructure should be kept away from the nodes used for persistence.
6. Counterargument: If the popular websites are blocked, or their usage is alerted on, the dynamic callback could be detected.
A. Large organisations could find it challenging to block certain popular websites or certain protocols.
B. It will be difficult to differentiate legitimate traffic from traffic used for obtaining the dynamic callback.
7. Counterargument: If a persistence method is reused, its behaviour can be used to detect the malicious code.
A. The persistence method and setup can be unique for each compromised host.
B. If the dynamic callback validation is kept low in frequency (attempts), then it could be difficult to detect.
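As an added illustration of the detection side raised in sections 6 and 7 (example code added here; it is not material from the talk or its author), the script below scores DNS query logs for two traits the outline mentions: the covert-channel use of DNS (2.D) and a rare but regular callback (7.B). The log line format, the thresholds, the registered-domain heuristic and the sample lines are all constructed assumptions.

```python
"""Heuristic scoring of DNS query logs for covert-channel and regular-callback traits.

Added example for the detection side of the talk; log format and thresholds are assumptions.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample log lines. Hypothetical format: "<unix_ts> <client_ip> <qname> <qtype>".
# The example.net queries imitate a tunnel: random-looking leftmost labels, every name
# unique, TXT records, and a steady 60 s spacing (a rare but regular callback).
SAMPLE_LOG = """\
1538059200 10.0.0.5 www.example.com A
1538059201 10.0.0.5 cdn.example.com A
1538059202 10.0.0.7 7a9f3c2e1b8d4e6f.tunnel.example.net TXT
1538059260 10.0.0.7 0c4d8e2f6a1b9c3d.tunnel.example.net TXT
1538059320 10.0.0.7 5e1f9a3b7c2d8e4f.tunnel.example.net TXT
1538059380 10.0.0.7 9b2c6d0e4f8a1b3c.tunnel.example.net TXT
1538059203 10.0.0.5 mail.example.com MX
1538059204 10.0.0.9 www.example.com A
"""

# Assumed thresholds; tune them against a baseline of the organisation's own traffic.
ENTROPY_MIN = 3.0      # bits per character of the leftmost label
UNIQUENESS_MIN = 0.8   # share of distinct full names among all queries to the domain
LABEL_LEN_MIN = 12     # characters in the leftmost label
BEACON_CV_MAX = 0.1    # std/mean of inter-query gaps below this counts as regular


def shannon_entropy(text):
    """Bits per character: encoded or random-looking labels score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = int(parts[0])
    except ValueError:
        return None
    return {"ts": ts, "client": parts[1], "qname": parts[2].rstrip(".").lower(), "qtype": parts[3]}


def registered_domain(qname):
    """Last two labels (simplification; production code would use the public suffix list)."""
    return ".".join(qname.split(".")[-2:])


def score_domains(log_text, min_queries=3):
    """Group queries by registered domain and score each for covert-channel traits."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[registered_domain(rec["qname"])].append(rec)

    results = {}
    for domain, recs in groups.items():
        names = [r["qname"] for r in recs]
        # The leftmost label is where tunnelled data is usually encoded; bare domains give "".
        left = [n.split(".")[0] if n.count(".") >= 2 else "" for n in names]
        uniqueness = len(set(names)) / len(names)
        mean_entropy = statistics.mean(shannon_entropy(l) for l in left)
        mean_len = statistics.mean(len(l) for l in left)
        # Regularity of the gaps between queries: a rare callback is still visible
        # over a long window if it keeps a fixed interval.
        stamps = sorted(r["ts"] for r in recs)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = (len(gaps) >= 2 and statistics.mean(gaps) > 0
                   and statistics.pstdev(gaps) / statistics.mean(gaps) < BEACON_CV_MAX)
        score = sum([mean_entropy >= ENTROPY_MIN, uniqueness >= UNIQUENESS_MIN,
                     mean_len >= LABEL_LEN_MIN, regular])
        results[domain] = {
            "queries": len(recs), "uniqueness": uniqueness, "mean_entropy": mean_entropy,
            "mean_len": mean_len, "regular": regular, "score": score,
            "flagged": len(recs) >= min_queries and score >= 3,
        }
    return results


if __name__ == "__main__":
    for domain, s in sorted(score_domains(SAMPLE_LOG).items()):
        print(f"{domain:15} queries={s['queries']} uniq={s['uniqueness']:.2f} "
              f"H={s['mean_entropy']:.2f} len={s['mean_len']:.1f} "
              f"regular={s['regular']} score={s['score']} flagged={s['flagged']}")
```

Run on the constructed sample, example.net is flagged on all four traits while example.com scores zero. Each trait alone is weak evidence (CDNs also produce long random labels, and update checks also run on a schedule), which is why the script requires several to coincide before flagging; the `min_queries` floor keeps one-off lookups from being scored at all.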
8. Conclusion
A. Dynamic callbacks facilitate an ever-changing C2 communication channel and the establishment of robust persistence.
B. Stager and payloads can patch themselves and can change behaviour when required using dynamic requests.
C. Detection and blocking could be difficult, as the methods for obtaining the new callback are dynamic and mixed with legitimate traffic.
Presenters:
- xtr4nge
xtr4nge is a security consultant and researcher with more than 15 years' experience in cyber security within large companies. He is continuously engaged in researching the security aspects of new technologies and using them as a platform to drive security forward. He has a passion for developing open source software for fun, learning and research, such as FruityWiFi and FruityC2. He is interested in breaking stuff and then understanding how to fix it.