Bypassing NextGen Security: Crazy C&C Channels

Crazy c2 Channels Bypassing Next-Gen Security w/ Crazy C&C Channels

Wolf Pack! Looking for 0days and malware! @DavidThurm @DavidThurm THANKS!

Bryce Kunz - Cloud Exploitation Expert AWS, Azure, Docker, K8s,
DC/OS, Mesos, etc… & Red Team Lead Whois Bryce Kunz @TweekFawkes DHS NSA Cloud

Last-Gen

The Network Malware

The Goal Malware C2

Blocks: - IP Addresses - Ports Firewall 123.123.123.123 80/TCP -
Execute Commands Malware Firewall Connect Back

Layers Any IoT Web Service: - Serverless Services - AWS
Lambda, etc... - MQTTS, etc... IP Address Port 1.1.1.1 443

Web Proxy Blocks: - Domain Names - BlackList - Reputation
Based - Attacker’s Buy Good Rep Domains bad.guy.com - Execute Commands Connect Back Malware Web Proxy

Any IoT Web Service: - Serverless Services - AWS Lambda,
etc... - MQTTS, etc... IP Address Port 1.1.1.1 443 Domain name example.com

IPS Blocks: - Signatures (e.g. strings) - Previously Known Bad
“root#” - Execute Commands Connect Back Malware IPS

etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP <msg>c2</msg> Domain name example.com

Malware Analysis Blocks: - Files (in Transit) - Runs Files
in Sandbox bad.guy.com - Execute Commands Connect Back Malware AMP

etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP Files Domain name example.com

Transaction Logging Enables: - Logging of Traffic MetaData - Aggregation
of MetaData (e.g. into Splunk) - Anomalies (e.g. rare Certificates) “root#” - Execute Commands Connect Back Malware BroIDS

etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com

TLS/SSL Decryption Enables: - Inspection of TLS/SSL Traffic - Ability
to inspect encrypted traffic “root#” - Execute Commands Connect Back Malware Web Proxy

Next-Gen

Next-Gen Firewalls Features: - Application Awareness - Allow Only web-browsing
bad.guy.com - Execute Commands Connect Back Malware Next-Gen Firewall

MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 msfconsole - Execute Commands
Connect Back Windows Target Next-Gen Firewall

MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 Denied! msfconsole - Execute
Commands Connect Back Windows Target Next-Gen Firewall

Koadic w/ RegSvr Stager Koadic 0x8 - Execute Commands Connect
Back Windows Target Next-Gen Firewall

Koadic w/ RegSvr Stager Denied!

Koadic Koadic 0x8 - Execute Commands Connect Back Windows Target
Next-Gen Firewall

Koadic Next-Gen Firewall Bypassed! Allowed!

Empire Empire v2.1 - Execute Commands Connect Back Windows Target
Next-Gen Firewall

Empire Denied! Empire v2.1 - Execute Commands Connect Back Windows
Target Next-Gen Firewall

Empire

Empire Defaults

“not” Empire Mod

Empire With Modified URIs - /totes/not/bad.php Empire v2.1 - Execute
Commands Connect Back Windows Target Next-Gen Firewall

With Modified URIs - /totes/not/bad.php Allowed! Empire Next-Gen Firewall Bypassed!

Pupy Out of the box... pupy - Execute Commands Connect

Allowed! Pupy Next-Gen Firewall Bypassed!

WebDavC2 Out of the box... WebDavC2 - Execute Commands Connect

Allowed! WebDavC2 Next-Gen Firewall Bypassed!

OverAll Next-Gen Rating: Next-Gen Firewall Bypassed! Meterpreter Koadic Empire Pupy
50% ? WebDav2

Crazy C2 #1

TwitterSphere ...

Survey Says! ...

Breakdown c2 via Twitter (so meta!)

Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego=

Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego= Base64 Encoded

CyberChef

Decode Base64 Decoded: cmd=powershell -nop -noni -w 1 -c Write-Host
looooooolz

Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz cmd=
-> c2 protocol

C2 Logic if command == “cmd=”: (execute the command)

Multiple Commands if command == “cmd=”: (execute the command) elif
command == “download=”: (download a file)

Sleep if command == “cmd=”: (execute the command) elif command
== “download=”: (download a file) else: (sleep...)

Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz powershell
-> exe

No Profile cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-nop -> no profile

Non Interactive cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-noni -> non interactive

Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-w 1 -> non interactive

Ps Command cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz

Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz
-c Write-Host looooooolz

Design c2 via Twitter (so meta!) Twitter Operations 3) Execute
Commands 2) Read Tweet 1) Post Tweet Target Next-Gen Firewall

Open Source GitHub: Twittor Invoke-TwitterBot (needs update; uses deprecated api)

Espionage Equivalent C2 via the Plurk Social Network (Chinese Version
of Twitter?) “Elirks” Malware

Crazy C2 #2

Design c2 via Gmail Gmail Gdog - Execute Commands 2)
Read Em ail 1) Post Email Gdog Next-Gen Firewall

Open Source GitHub: Gdog Gcat (older version, no longer maintained
)

Espionage C2 via the Gmail Gcat (Older version) used by
allegedly Russian cyber threat actors

Crazy C2 #3

TwitterSphere ...

Survey Says! ...

Espionage C2 via Instagram Allegedly Russian cyber threat actors

c2 via Instagram Design Instagram Operator - Execute Commands Read
Com m ent Post Comment Malware Next-Gen Firewall LP Bit.Ly/.... Evil.com 302

So Many Options

Very Well Known Options So Bored! - TCP -> Back
Orifice, everything... - UDP -> Donald D…, everything... - HTTP -> everything... - HTTPS -> everything.... - DNS -> DnsCat2, many... - Domain Fronting -> latest trend, many….

Matrix Of The Known Interesting Any IoT Web Service: -
Serverless Services - AWS Lambda, etc... - MQTTS, etc... IoT Web Service Read / W rite Malware Next-Gen Firewall

Trends: APIs/REST Anything Web with an API/REST: - Slack ->
“SlackShell” - Discord -> “Dyper” - Telegram -> “RATAttack” Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall

Trends: Web* Anything Web with a Twist: - WebDav ->
“WebDavC2” - WebSockets -> “ZombieWeb” - QUIC, HTTP/2 -> “H1-QUIC”, etc... Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall

The New New

C2 Over... - AWS Lambda, Google Cloud Functions, etc… -
Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers Serverless Prediction #1

Exfil Over... - IFTTT, Zapier, Cloud Elements, etc… - Wash
Connections through 3rd party web services… (less focus than tor) - Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers WebHooks Prediction #2

IoT Prediction #3 C2 Over... - APIs, MQTTS, SQS, etc…
- Blend in with Comms to Web Services & Message Queues

Conclusion

Conclusion Trusted Web Services… - are currently being (ab)used for
c2 - And will increasingly be (ab)used for c2 to bypass security devices

Conclusion We need next-gen network technologies that will…. - Parse
and Log web services/api/rest requests - Retrospective Analysis, etc… - Send to Central Logging Systems (e.g. splunk)

Conclusion Once parsed and logged, we need systems to... -
Analyze requests for anomalies (ML?) - Who sends base64 messages over twitter other than a bot?

March 16th Sandy, Utah BSidesSLC Bryce Kunz @TweekFawkes s2.fyi NSA
Cloud

End Bryce Kunz @TweekFawkes

Bypassing NextGen Security: Crazy C&C Channels

Bypassing NextGen Security: Crazy C&C Channels

More Decks by TweekFawkes

Other Decks in Technology

Featured

Transcript