
Hello everyone, welcome to my talk. Folks, you can sit in here if you feel like it; if you don't feel like it, still stay there. This is my talk, the first non-keynote talk from BSides Prague. Congratulations, BSides Prague, you also have a bite. So, my talk has nothing to do with the super smart talk that was the keynote. I'm a simpleton, I'm really dumb and [ __ ]. Also, usually 50% of the time I have my son with me when I deliver this kind of talk; I don't have him with me, so there's going to be a lot of cursing. If you feel uncomfortable, please tell me. Can you raise your hands if you have any issues with me cursing? No one? Nice.

So my talk is "A two-part saga: continuing the journey of hacking malware C2s", which, again, if you see this kind of title with a semicolon in there, is probably ChatGPT generated. ChatGPT generated that for me. I wanted to write "Vangelis go brrr", but yeah, it doesn't really work. Who am I? I'm Vangelis, I'm the CTO of a company called Atropos. It's a boutique company doing penetration testing, mostly on maritime and EV chargers and other green companies, whatever, blah blah blah. I'm not here to present you my company; I'm here to present you my research interest, which is mainly API for IoT and, for the last 18 months, malware and ransomware C2s and how we can attack back the people who attack us.

Back in, when was it, sorry, September of 2022, it's already close to 18 months, I read that beautiful tweet from Tatyana Shishkova, who works at Kaspersky, and I was introduced to the malware-as-a-service scene and their beautiful Twitter. Back then it was Twitter; it's still Twitter. Malware as a service and their CTI scene, which I'm not a part of, but they're really helpful with me; they're really helping me to find C2s.

Quick intro: what is a malware market? Malware vendors also switched to the as-a-service model, because capitalism. Some old ones still have a one-off fee, but most of them want a really crazy amount of money per month for it to work. The pyramid: on the top there are developers. Those are really smart people who develop the malware, their C2, their functionality, everything. Vendors are the middlemen; they are the people who take most of the profits, they are the people who advertise their goods, they are people who are really aggressive, they're trying to find new customers. And on the bottom there are the buyers. They're the last part of the chain; they are the people who are dumb enough, and they are sending the spam emails and all the other things so that you can install the malware. Not you, the other people.

The malware market is 2.2 billion dollars. This has nothing to do with ransomware. Russia, which is also known as the Commonwealth of Independent States, is untouchable, and vendors are parts of criminal orgs that enjoy immunity, which back last August made me do a joke that I will end up in a van. As you can see, I didn't end up in a van, I'm somewhat secure, but in the past five, six months now I end up in here. Come on, computers are hard, come on. [Applause] Have any of you seen this kind of warning when you're logging on to your Gmail? Yeah, welcome to the club. So "government-backed attackers may be trying to steal your password", and there's also another one from Apple that says, well, there is some kind of zero-day running against you, please secure your phone. Which, yeah, if someone wants to burn a 2 million zero-day on me, they can give me half the money, I will give them my password, and we will all be happy. Well, it is what it is though. Come on, no, it's decided not to work, sorry.

Malware 101: delivered via a variety of methods, yada yada. The really, really strange part of malware: it's software that is really difficult to reverse. It connects to a command and control server periodically for further instructions. This is what we are going to go after. A quick intro on the lingo: a stealer is an application that will try to steal all information and send it to a C2. A dropper is the application that will drop other malware on the victim. A subscriber is an app that subscribes the victim; this is obviously for phones. And the botnet is, yeah, it's a botnet. If you don't know what a botnet is, Google it; I'm not going to spend everyone else's time explaining, sorry.

Malware analysis: it's highly technical. They have a lot of analysis, static analysis, dynamic analysis, reversing, jumping through a lot of hoops. Pretty much everyone is doing it, not everyone, all the smart people have been doing it for the past 15 years, so it really raised the bar. If you're here for reversing tips, there's one more slide and that's about it for you. The potential obstacles that a reverser would have to pass are one, two, three, four, five, six and another one: a plethora of stuff that I don't really understand. As I said in the beginning, I'm not smart; I'm not going after this. I'm going to present you with the Toyota Corolla of penetration testing. It's called web application testing. It's certainly not sexy, it's probably not that good either, but it will get you from point A to point B, and also get you a couple of million devices in the meantime.

Malware C2 analysis: it's definitely not that technical. I'm going to treat any command and control server as a black-box web application test. If black-box fails, I'm going to cheat and use the communication from the sandbox running the malware. If all else fails, I'm going to run it on my device and Burp the [ __ ] out of it. And I'm also going to apply some "smart" to it, and if you don't know what I mean by smart, I mean run dirsearch, find things and hack them.

The issues that we have with C2 analysis: it's highly, and I mean highly, opportunistic. The lifetime can vary from a couple of hours to a couple of days; once the C2 is flagged you really don't have any time, it will go down. So it needed to be automated and integrated with threat intel tools to maximize the small window. And I also had a lot of blacklisted IP addresses, so I had to switch machines; I then switched to a VPS. Automated attack vector, malware C2 analysis. How I was getting, I'm still getting, most of my stuff: Twitter threat intel. I had an automated way of getting those; unfortunately, Twitter decided that I needed to pay a couple of thousand per month for it, so [ __ ] Elon Musk. Triage, ViriBack ThreatBox, and GW, who is a really, really nice guy. Three people that really helped me on this research, by finding them and keeping track of most of it, because my documentation sucks: Fox threat intel, gwm and joox ninja. Follow all of them, they're really cool; all three of them really deserve your follow, they're really good threat analysts and they're really, really helpful in finding malware C2 servers.

So what did I end up doing? I created a Python script, which is a glorious loop that updates a database of all targets. It scans targets for potential issues, it tries to exploit them immediately if it can, if
it knows it is a certain C2 that has a current zero-day, because we had a really small time window, and if it doesn't find anything it sends a push notification to my phone when a new panel was there. Any of you married? No, no one? Nice, good for you. So when you get married, don't do that, because you end up with a push notification at 3:00 saying a new panel has appeared which is called Blondy. I had a lot of explaining to do, so it is what it is though.

Tool set and methodology: as I said, dirsearch; now I'm also new age, so I'm using ffuf too, because I don't know. Burp Suite. JADX decompiler to decompile any APKs. apklab.io, which unfortunately seems to be not working anymore, or not working as it should; I really loved that tool. ANY.RUN so that we can have a sandbox. Several droplets on DigitalOcean; I searched for it yesterday, I had over a thousand droplets that were up and down during that research. And rest in peace my cancerous Android phone; it couldn't handle it anymore. I had installed about 100 malware on it and it decided that [ __ ] this [ __ ], I'm out. I have a new Redmi, but that was my first one.

So what we're going to do: we're going to acquire a C2 URL, we're going to run it in a sandbox and review the communication logs, we're going to run automated tools with the acquired knowledge; if everything else fails, fire up Burp and treat it as a penetration test. Honestly, we never go to Burp, and profit. That's my 10th time that I'm doing a similar talk about malware, so yeah, pretty nice subject. What are my goals? Get admin access to the panel, get RCE on the server, acquire the source code of the panel, potentially the malware, not that that happened, only twice. And I'm not going to get in a black van. Don't get zero-days; I think I haven't gotten a zero-day yet, but who knows, they like quantum and [ __ ], so the Chinese might also be listening to me other than you. Come on.

Now, horrible mentions. One: Cloudflare. I literally hate Cloudflare; they never take down anything. Whenever I report something, they say, well, we are going to notify the customer. I'm sure the customer knows that it's malware, but [ __ ] you. Hetzner: when I started this research I had my VPS in there, and I said, well, there is someone in your network, and they said, yeah, that was you, [ __ ] you. They cancelled my whole subscription and said you cannot scan everyone else. So [ __ ] you Hetzner. And bulletproof hosting providers, for an obvious reason. I'm not going to extend on that. Everything from here on is zero-day; feel free to take a look, feel free to exploit them if you feel like it, I'm not doing it now.

Amadey: anyone who has been in the malware scene knows who Amadey is. Typical stealer, they're 7 years old, they're sold in Russia for a one-off, usually used as a dropper for other malware. Their source was leaked 5 years ago, 6 months ago by me, and today again, why the [ __ ] not. If you go to my GitHub you're going to see the latest source code. Known connections to LockBit, ta-ta-ta, and a lot of others, I don't care. How was it hacked? They have a stray zip file found with dirsearch; their zip was password-protected, it was cracked in less than 24 hours. They changed their password scheme, so now they have a longer password, but yeah, that was also cracked. You know what, that's their password; it wasn't that much of a hassle to crack it. You can find the source code. Has any of you worked with PHP at any point in their lives? Only one? [ __ ] you're lucky people. You can all see the SQL injection here, I guess. So yeah, pretty much straightforward. Unfortunately we couldn't pass the login, because the login had a hardcoded password, so I had to do some mumbo jumbo to get it. I had the password to source-code review their code. You can see that in here there is a file_put_contents at the credential with a POST id, so both the file name and the content of the file are user generated. They had some kind of limitations, which is quite funny: I had to have the id be exactly 12 letters, and that uses the three, I don't know how this character is called in English, as a delimiter. So I have created this really nifty Postman request which says PHP echo [ __ ], and then those 12, and the id was exactly 12 characters: 1 3 4 5 6 7 8 .php. And when I went there I saw that nice word [ __ ], so, server, if someone is [ __ ], that's not me, that's you, I'm the [ __ ] admin now. What did I do? I created a reverse shell, no, I didn't create a reverse shell, obviously I reused the reverse shell. I found an automated way of extracting everything in less than 30 seconds. I added a really sneaky cron job to corrupt a percentage of the files. Unfortunately it was fixed in late June of 2023, and there's another issue: in the past 5 months they still have somehow corrupted their databases. I don't know who is exploiting that vulnerability, but over a thousand instances, over 7 million devices compromised.

And we're getting hot. Any of you know SmokeLoader? They're probably the biggest one in the malware scene. Their first record was in 2014, so they're older than my younger son. They target mostly Windows, they're a generic dropper, their price is around 2,000, not anymore, more now, and their known connections is all of them; I don't think that there's a threat actor that hasn't used SmokeLoader as a dropper at some point. Again dirsearch to the rescue: there's a stray zip file with credentials in there. The worst thing of all, in my point of view, is this: the guy is probably a millionaire because he has sold a lot of issues, but that's the admin password. You can go there, so I'm the admin. You can see a little bit of scary sitting there; that's 25,000 pages of 20 victims, so we are looking at half a million victims in that instance only. Half a million online out of how many, I don't know exactly. I could also delete all bots, cancel bot deletions and everything; I didn't do it because, yeah, that would be really strange. I did not manage to get RCE when I wrote that exploit. Source code is available minus the credential, as it's still active. Earlier malware downloadable from git; there is a new malware, this is constantly updated since the past seven months. So what did they do? I knew the default zip name of the source code; searching every minute on the new instances, I could find 20% vulnerable. Six different instances had over 500,000 bots, estimated over 10 million unique devices that were compromised in the past 2 and a half years. That was up until my DEF CON talk. What happened afterwards? They cut off access to most of their servers, not all of them obviously; I regained access to all of them, and I said that at Disobey. They cut off my access again; I regained access to them. Why do I announce
it? I really want them to know. We have a camera in here, we do, right? Where is it? There. [ __ ] you SmokeLoader, it's me. Like, I don't care anymore, they can burn their access, we know who you are, we're after you, get out of Russia, I dare you.

Admin, a smaller one, surfaced in October 2016. Typical stealer, lots and lots of variations, sold on Telegram for $200, not $300 anymore. The source was leaked 3 years ago, one year ago and now. The documentation folder provided the default username and password. The source was found, lots and lots of issues were found. You don't know PHP, right? Lucky you. So you can see that there were a lot of issues: the get image, you could upload images, so you had to find a way to do a get image bypass, the not known file name, the id also user-controllable. I'm not going to do the source code review in here, but all three of them are typical issues, and I had to upload a GIF, however you pronounce it, with that. So this is a GIF file, at least for PHP, it believes it's a GIF, I don't care. Come on, next one. No. I created a script that will brute force the file names, and two to six minutes later, so reverse shell, automated way of deleting everything, delete everything, 30 instances, all done.

Next: that's a name? It's "lt19 14"; nobody has named it. I really don't know why nobody named it; I suspect because it is terrible, the code is really bad. It's a phishing kit. If you want to have a take on its name, come after me, we can name it together. Again, nobody knows PHP. So when you go to start.php, which is the login page, it logs in to mode.php. Can anyone see what is wrong with it? Okay, you don't: it's 100 kilobytes and then a 302, so it renders the whole page and then says, well, now you're not logged in. So it renders the page but sends me somewhere else, so I'm not going anywhere. You can see it in here, 302 Found redirect. [ __ ] you, I will just remove the redirect. Can anyone tell me what's strange for the phishing kit in here? No? [ __ ] [ __ ] it had a [ __ ] link to his page, which is a legal Netherlands company, which I don't know. And the code is terrible: it never anywhere has an SQL query that is escaped, SQL injections everywhere, and it also runs as root. It had the same password on all the machines. I don't know why it's down; all of them are down now, unfortunately, so sorry for them and their business model.

So, bbx stresser: DDoS as a service. Lots of common exploits in the server plus some custom script, six different servers with the same crime kit. I somehow found the source code. You don't know PHP again, right? So someone is executing ping with the URL, which is a trimmed version of the POST URL. Can anyone think what could go wrong in here? No? Extracting all the crime kit; go to my GitHub, find it. Extracted all targets, ah [ __ ] that was bad, extracted all hacking targets and notified. Those were 90 companies that you need to notify that they're under DDoS attack or actual hack attack. I had to switch to incident response; I hate incident response, but I'm a good guy apparently, so I notified everyone. And then this happened, if you cannot see it: they're logging in on an address as root with a seven-character password, which, yeah, don't do it, but I'm rude I guess. They have a really nice MOTD; I don't know if they pronounce it like that anymore, I'm old, I know it as mod D. So yeah, one of these IP addresses is my own, or my VPS, I'm not going to disclose, and the other one is a criminal, [ __ ] him. 10 instances, 60,000 devices; they're in a better place now.

Last one is RustDoor. Their first appearance was in January 2024, it was targeting Mac, researched and reversed by Andrei Lapusneanu, sorry I killed that name, of Bitdefender Labs, and it's the C2 of ALPHV/BlackCat for all malware. Most of the servers were down; one of them was intermittently down, so I had to wait and see that documentation. When you see documentation on a malware API, you probably jump and say, yeah, I'm there. They also have a lot of clients,
so you could get pretty much everything with no authorization or authentication. You could enumerate tasks. The server was down, so apparently I had to automate this hit, and kind of find and take the documentation, try to guess how it would work, go to sleep and wait. I had to wait for a long time for it to be up, and at some point at 3:00 my evening, again, it was up. I extracted all the 197 commands in 2 minutes, and the server was up for 4 hours, so I cannot stress enough how meaningful it is to automate most of your things. When you see this kind of thing, so someone got the environment zip of a company, zipped it and then uploaded it, so again incident response mode, ah, head in incident response. Several companies, two, three of them, or no, two were unicorns, one was about to be a unicorn, so billion valuation. Notified; all of them acknowledged the issue. I will disclose about this one once everyone is ready. Unfortunately after that BlackCat/ALPHV did an exit scam, so yeah, it was like 5 days after my disclosure. I think my disclosure had to do with that exit scam; I cannot really understand why they did it, but good for them I guess.

And we're getting to the end and to the strange parts, the legal stuff. Can anyone point out what is the issue with what I'm doing? Well, in here it's not legal, obviously. In Greece though, where I live, it's also illegal, but in order to be prosecuted the owner of the server has to prosecute you. So yeah, especially the SmokeLoader guy can come after me; I really expect him to come to Greece and prosecute me, but yeah, that's a calculated risk that I'm taking, maybe my bad math, but hey, come on. What are my next steps? I think I have covered all the malware stuff, as you have seen; I'm already going after something much bigger, and what's bigger than malware? It ends in "ware" and starts with "ransom", because I don't have enough zero-days after me. I will continue helping Twitter friends and all the CTI community on Twitter, not X, [ __ ] X, [ __ ] Elon Musk. Thank you guys. If you have any questions, I think we have, no, we don't, right? If you have any questions, come talk with me afterwards. [Applause]
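As an added example, not code from the talk or from any panel, this shows the Amadey-style defect the speaker describes (a request-supplied id used as the file name and request-supplied content written with file_put_contents, guarded only by a length check) beside a hardened version. The field names, the storage directory and the demo values are assumptions.

```php
<?php
// Added example, not code from the talk or from any panel.
// Field names ($id, $data), the storage directory and all demo values are assumptions.
declare(strict_types=1);

// UNSAFE: a length-only check still accepts "12345678.php" (12 characters), so the
// extension, any dots or "../" segments, and the file body all come from the request.
// If $dir is web-served, a body containing PHP tags becomes executable code.
function save_credential_unsafe(string $id, string $data, string $dir): string
{
    if (strlen($id) !== 12) {
        throw new InvalidArgumentException('id must be 12 characters');
    }
    $path = $dir . '/' . $id;        // name taken verbatim from the request
    file_put_contents($path, $data); // content taken verbatim from the request
    return $path;
}

// HARDENED: strict alphanumeric id, server-chosen extension, canonicalised base
// directory, exclusive lock. The directory must also be kept outside the web root
// (or configured so the web server never executes or serves files from it).
function save_credential_safe(string $id, string $data, string $dir): string
{
    if (!preg_match('/\A[A-Za-z0-9]{12}\z/', $id)) {
        throw new InvalidArgumentException('id must be 12 alphanumeric characters');
    }
    $base = realpath($dir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('storage directory missing');
    }
    $path = $base . DIRECTORY_SEPARATOR . $id . '.txt'; // extension chosen by us
    if (file_put_contents($path, $data, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $path;
}

// Demonstration on constructed input (assumed values, not from any real panel).
$dir = sys_get_temp_dir() . '/creds_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
$badId = '12345678.php';      // exactly 12 characters, passes the length-only check
$body  = 'attacker-chosen body'; // kept inert here; the talk used PHP tags

echo save_credential_unsafe($badId, $body, $dir), PHP_EOL; // writes .../12345678.php

try {
    save_credential_safe($badId, $body, $dir);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;            // the dot fails the regex
}
echo save_credential_safe('abcdef012345', $body, $dir), PHP_EOL; // writes .../abcdef012345.txt
```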