Friday 30 September 2022, 14:30 - 15:00
Takahiro Haruyama (VMware)
Malware analysts normally obtain IP addresses of malware's command & control (C2) servers by analysing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than anti-virus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per each protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocol listening at a single port in ShadowPad. Additionally, I'll share the findings for the Internet-wide C2 scanning.
After the presentation, I'll publish over 120 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.
Takahiro Haruyama is a senior threat researcher on the VMware Threat Analysis Unit (TAU), with over ten years of extensive experience and knowledge in malware analysis and digital forensics. He previously worked on reverse-engineering cyber espionage malware with Symantec's threat intelligence team. He has spoken at several famous conferences including Virus Bulletin, REcon, HITB, SANS DFIR Summit, BlackHat Briefings USA/Europe/Asia.