ZuoRat: Home (not) Alone

Presented at BSidesLV 2023, Aug. 8, 2023, 2 p.m. (45 minutes)

Black Lotus Labs (Lumen Technologies) has tracked elements of a sophisticated campaign leveraging infected SOHO routers to target predominantly North American and European networks of interest by selecting key individuals working from home. This campaign remained undetected for nearly two years. We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain a foothold. This talk will outline the elements of the advanced campaign based on our current understanding, with particular focus on the first-stage RAT core functionality (including LAN enumeration, pcap of network traffic, and deployment of the HTTP/DNS hijacking ruleset) and on the fully functional custom agents CBeacon and GoBeacon, including their functionality. Lastly, it covers analysis of the segmented and rotating C2 infrastructure, which leverages third-party services such as Yuque in addition to Tencent servers for C2. I'll wrap it up with a discussion on monitoring and discovery methodology, host logs generated by the attacker, and how to identify and secure your own environment from this class of attack.

Presenters:

  • Danny Adamitis
    Danny Adamitis is a Principal Information Security Engineer at Black Lotus Labs, the threat research division of Lumen Technologies. He is responsible for advanced actor tracking and intelligence and has a passion for research on DNS hijacking and router-oriented malware. He has almost a decade of experience performing threat analysis and reporting on nation-state campaigns. And he does all of this to fund an opulent lifestyle for his dog Cookie.
