
[Applause]

Hello all, I'm Vangelis Stykas, as you can see in here, and this is my talk, "The Art of Compromising Command and Control Servers: A Web Application Vulnerabilities Perspective". It sounds really technical; it really is not. It's just a simple talk that tries to identify what the issue is with multiple criminal C2 servers.

That's me, I'm Vangelis Stykas. For the past five days I'm the CTO of a web application penetration testing company called Atropos. I'm also an independent security researcher. My research interests are mainly APIs of IoT, medical devices and web application security altogether. You can find me on Twitter as @evstykas. My personal website is this one, but it has nothing really interesting, so don't go there.

This is related to the previous talk with SBT: I'm building an AI penetration testing [tool] for APIs. It has content-specific tests so that you can find IDORs, you can find a lot of things that should have died in the past 20 years, but it's a zombie apocalypse, it seems, with APIs. So it works, you can see it in this talk, but you didn't really need any AI for this kind of functions.

How it all started: as our presenter said, I was doomscrolling on Twitter 14 months ago and I saw Tatyana Shishkova's tweet about an Android malware that we're going to see later today, and we're going to hack it too. And I was also introduced to the malware-as-a-service industry, which is really big, and also the wonderful intel that comes from Twitter, and a really great team of people that try to identify what is going on in this industry.

Quick intro to the malware market. Malware, as with everything in the past five years: capitalism happened. We have moved from a one-off fee to the as-a-service model. Most new models have an as-a-service subscription varying from 100 to several thousands per month. There are a couple of old-school malware services that still have a one-off fee, but they are also, with new versions, moving to the as-a-service model.

You can see the pyramid in here. There are three levels. The developers are the people who write the malware, the functionality; there is [unclear]; they are the ones doing the heavy lifting of coding stuff and implementing stuff and finding exploits. The middle is the vendors. They're the most scary ones; they're the ones who take most of the profit and often advertise their goods in dark net marketplaces, aggressively seeking new customers to purchase their malware. And on the very last are the buyers. They're the last part of the chain; they are the people who do the actual exploitation and pay the vendors, who then pay the developers.

Malware market: first of all, I'm not touching ransomware at all anywhere in here. Ransomware is a totally different level of people. Spoiler alert: there is another talk at some point that is going to be done that has the exact same thing for ransomware. So the profits: they're $2.2 billion. Most of them come from the Commonwealth of Independent States, which is untouchable. If you don't know what CIS means, it means Russia. And vendors are part of criminal rings that enjoy immunity, and this is mostly why I always look for a black van outside my house, or outside wherever I am.

I did that talk at DEF CON and I was always looking for a black van, because I was thinking that Van, which is me, Vangelis, will get vanned at some point. I was not vanned, spoiler alert again, but I got that at some point, and I'm continuously getting that every two weeks for the past three months, which says, I don't know if you can all see it, "Government-backed attackers trying to steal your password". Thanks Google. I think they didn't steal it yet, but I kind of know who is behind that. And yeah, we're going to see later.

Malware 101. It can be installed on Android, Windows, Mac. It's delivered via a variety of methods; I'm deeming it out of scope to see how phishing, SMS and everything works. It can achieve persistence with pretty much all the ways in the book. It's heavily obfuscated, really difficult to reverse, and it connects to a command and control server for further instructions periodically. As you might have guessed from the talk title, this is what we're going to focus on.

Some more lingo about malware. A stealer is the application that will try to steal all information and send it back to the command and control server. A dropper is a typically basic program that is only used to drop other malware to the victim. A subscriber is an application on mobile phones, usually Android, that subscribes the victim to a number of premium services. And botnet, well, if you don't know what a botnet is you're probably in the wrong room; you can ask someone else, I'm not going to.

Malware analysis. This is one of the two slides that I have about malware analysis. It's highly technical. It can be static analysis and dynamic analysis. It's reversing; you have to jump through a lot, and I mean a lot, of hoops. The focus on reversing in the past two decades has raised the bar by a lot. If you are here for reversing tips, I have one more slide for you, it's the next slide, and then you can leave, because I have no idea about reversing. I'm not going to learn reversing in my 40s. And yeah, if you are into these kinds of things, my total respect; I'm not into it though. So the potential obstacles of malware analysis are anti-debugging techniques, obfuscation techniques, runtime function decryption and other stuff that I don't really understand and don't want to understand.

What I'm going to present to you is the Toyota Corolla of penetration testing, also known as web application and API testing. It will get you from place A to place B. It's going to be slow, probably not entertaining, but it will get the job done.

Malware C2 analysis. It's definitely not the technical [part]. We're going to treat the command and control server as a black-box web application test. If you don't know what a black-box web application test is, come to me afterwards; I'm more than happy to explain to you what it is. If the black box fails, we're going to cheat a little and use communication from the sandbox running the malware. If all else fails, run it on my Android or my VM and just proxy through Burp. And as the final touch, apply some art to it, and by art I mean run dirsearch on the server. That's it. We have a lot of C2s; 90% were pwned with that command, dirsearch -u, and because I'm an extra hacker, I also from time to time add --random-agent, because yeah, that's me.

The difficult part: C2 analysis is highly opportunistic, because the lifetime of the command and control servers is really small. So from the detection of the C2 up to it being taken down, we have at the very best a couple of weeks, at the very worst a couple of days. So it needed to be automated, integrated with threat intel tools, to maximize that small window. And it had a lot of blacklisted IP addresses, so at first I had to switch machines, and then I just created several VMs that I was switching all around.

What did I use for my threat intel? First of all, Twitter. It has a really, really good friend in the scene. I had a Python script that worked terrifically well; then Elon Musk happened and now I have to doomscroll to read everything. Thank you. It's also tria.ge, the C2 Tracker at ViriBack, they are really good guys, and ThreatFox at abuse.ch. All three of them gave me a free API, which I'm really happy for. And G7 warm is a really nice guy; I have been talking with him. He's also from Germany. He's doing God's work in identifying C2s.

So what did I develop? A Python script. It's not shareable; the code is monstrous. It updated the database of all servers, it scanned all targets for any [unclear] issues or exploited known issues that were not known at that moment, and if it did find something that I didn't know, that was not in the database, it sent a push notification to my phone. I don't know how many of you are married; don't do that, because if you get the push notification at 4:00 saying "new panel", you have to explain to your wife what's the "new" and what's the "panel" and why does it say that at 4:00 in the morning. Definitely not a discussion you want to have.

Quick intro on the tool set and methodology. As we said: my special dirsearch art, Burp Suite, the jadx decompiler to decompile any APKs, apklab.io so that we can have some kind of communication logs without installing it on my phone, ANY.RUN, which is a great sandbox too, several droplets on DigitalOcean, Censys.io so that we could find people who are behind Cloudflare, and my cancer Android phone that unfortunately has left us because of the many malware that were in that phone. Rest in peace, my great Android phone.

Acquire C2 URL, run automated tools, run it in a sandbox, run automated tools with added knowledge, submit a DEF CON talk, get accepted, never sleep without thinking that someone is behind you. That's all the methodology that I could have.

What's the goal of that whole talk? Get admin access to the panel; this means I want to be admin in every panel. Get remote command execution on the server, because just admin is not fun enough; you want command execution in there. Acquire the source of the panel and the malware, if we could. And don't end up in a black van. So how good did we do in this endeavor? Seven admin panels, three remote command executions, five source codes, and my 40 years of not ending in a black van continues.

Not honorable mentions: Cloudflare. They never cared, they never took anything down; they are just in it for the money. Hetzner: they did not accept any of my reports, and not only that, they also disabled the VMs that I was scanning from, because it was against their terms of service. It was; I accept that. But I do believe that the malware also was against their terms of service. But yeah, that's life, I guess. Bulletproof hosting providers, for obvious reasons.

So enough with the small talk. Everything from here on is zero-days on C2, or it was, because some of them were fixed, but we're going to see how it happened.

Harly. That's the one that got me into this; it's from the tweet. It was found, as we said, by Kaspersky; the first report was on 22 September 2022. This means that I'm doing this for more than a year now, and it started as a side hustle and it takes most of my time nowadays. It was really extensively researched by Tatyana Shishkova. I'm also going to introduce that meter; this means how good I feel about that. It goes from green, great, to red, I'm getting vanned. So not so good, but not that bad either.

Harly: Trojan subscriber. That means that once it got into the phone, it registered for paid services. Keep that in mind; we're going to see why it was doing it. It's around 300 apps, I think, nowadays; it's estimated at over a [unclear] apps to this day, affecting 12 million users. It has an encrypted SDK in Go and Rust. It was encrypted; you're going to see at the end of this talk that it's not going to be so encrypted at all. The administration interface is, as you can see, based on a Spring app. I don't know if you can see that, so: it had some great JavaScript code that says if the code is 200, set session storage username to that and then go to frame.html. Go to... I ask, I don't know, does that work? It does not, sorry. Or it doesn't; I'm just ignorant. So if you could just do sessionStorage.setItem username as the username "admin", because that's the username you want to be, right? I really hope the dog is the admin's dog, so I also know his dog. So I'm the admin now. That's it. I have full functionality; I could see who did what, where. But as we said, we needed more. I needed RCE.

There goes my beloved dirsearch. I don't know how popular it is in Germany. Do we have any Java developers in here? None? No one? I really love Germany then. I don't know if you have ever worked with Java; it's painfully, painfully slow and really bad. But for a pentester, and I'm going to wear my pentester hat now, the Spring Boot framework can leak a lot of stuff, and Jolokia... Jolokia is a Spring Boot actuator that had a lot of exploits. Unfortunately those exploits needed to be enabled; they would have to have paid for [unclear], which needs commercial features, and the guys behind it were cheap folks and didn't pay for anything. So I had to make do with that. You can see diagnosticCommand vmSystemProperties, and I got this wall of text which, unfortunately, as you can see, is not really clean, so let me clean it up for you. You can see AWS secret access key, Ali access key, AWS access key. So there it is: we have the AWS access key for that. Unfortunately it was not the root access key, so I had to go and see the rest.

Three buckets in there; you can see a master key and a Jenkins. Does anyone here know what Jenkins is? Oh, great. So let's go to the Jenkins credential decryptor, write this excellent command that would give us git ID, global MySQL, AWS access key, and we have access to all their GitHub, their GitLab, sorry, not GitHub, so GitLab. All malicious app code dumped, all command and control server code dumped. It will be served at... it's already 30, you can go, it's on my DEF CON talk. But let's give it some time to also introduce you to the company behind that, which is called Star Pavilion Digital. It's a payment gateway and they also have SMS payment, which was really good, because they were actually subscribing to their own SMS payment services. You can see the mail in here; you can call them. I called them, I sent them an email; after I don't know, five or ten emails, I don't really remember, they responded: "We are in China, you are in Greece, we don't really care, you shouldn't care too." Like, okay, don't care. But I will talk about this.

Clipper. Not a private messaging [app]. It was reported by the one and only Lukas Stefanko and Peter Strýček; I hope I pronounced his name correctly, sorry if I'm not. I'm feeling safe; they're not that big of a fish, so I don't really care about it. As I said, it's reversed by those two fabulous guys. It delivered trojanized WhatsApp and Telegram messengers; their sole purpose was to switch a crypto wallet address from the one that you were submitting to the attacker's one. Again, dirsearch found a lot of things, and an .env file, as you can see in here. It's Laravel. Does anyone here know what Laravel is? I double love Germany. I have been a Laravel developer for more years than I would want to, and I can tell you that environment files are juicy files, and they were using the environment files. So that environment file had a DB username, a DB password and also an app key, and if you are a developer in Laravel you know the app key encrypts cookies. So I was able to rebuild cookies and log in as any user, which means I was super admin in there. So again, I'm the admin. Let's move on with our lives.

But in there there is also a README file. In that README file you could see that it had gitlab.com/[...] and a bunch of numbers. Everything was public. I didn't need to hack anything; I just had to go in there. It's now deleted, but you can see it on my GitHub. The user had other really, really interesting repositories, though. You can see all the users that had submitted at some point to this repository. I dumped all the malware-related repositories. The Android app was already compiled, so no source code for that. I shared it on GitHub. No further information, as we have really bigger fish to fry.

So anyone who has worked with malware at some point in their life knows what Amadey is, right? Okay, not so much love from Germany. So Amadey: it surfaced in October of 2018. It's a typical stealer, it's sold in Russian forums for up to $1,000. Now it's usually used as a dropper for other malware. The source code was leaked five years ago, and a month ago on my DEF CON talk, and it has no connections to LockBit, blah blah blah blah, a lot of non-connections. So it seems I'm getting vanned.

How did I get access to it? So again, stray [files], running dirsearch: a file.zip from dirsearch was there. The zip was password protected; I cracked it, a good friend cracked it, I cracked the password in less than 24 hours, and I got that, which means I got access to the source code. One: we had a lot of SQL injections, as you can see in here. They practically never have any mysql_real_escape or any other SQL escaping. But unfortunately, as you can also see in here, this cannot be used to log in, because the username and password are hardcoded in the source code; not hardcoded, but defined in the source code. And there comes that nice function. Can you see "parse credentials"? It does file_put_contents on a user-specified file name with user-specified data. The only limitation was that the file name had to be exactly 12 characters and I had to have those three double dots as the delimiter for the string, which after a lot of thinking ended up on that really thoughtful string: PHP echo that, and 12345678.php, exactly 12 letters, as it said. And when I went to /credentials/12345678.php I saw that really nice verb in there, which means: my dear server, one of us is [...], and that's not me. I'm the admin, I have remote command execution in there.

So what could I do? I quickly wrote a reverse shell, I had an automated way of extracting everything, I added a really sneaky cron job to corrupt a percentage of the files; if I corrupted everything they would have known. Unfortunately it is fixed; it was fixed in late June of 2023. But, is that the camera? Dear Amadey developers: this is no longer fixed. I have a new RCE for you and I'm not going to release it in here. So, hello. What did we have? Sorry guys, sorry for not disclosing that zero-day, but I know they fixed the old one once it was disclosed, so I really want to have that access and maintain it. I was able to detect more than a thousand instances since December 2022; upwards of 7 million devices compromised. Nice graphs, more nice graphs, you don't really care. It's really bad.

SmokeLoader. Is anyone familiar with SmokeLoader? No? You're happy people in here. So it's probably the biggest dropper. Its first record was in 2014, which is older than my second son, who is now in public school. So it's old. It targets Windows. It's a generic dropper for other malware. The price of the full package is $2,000. It has known connections to pretty much every 3A in the world. So yeah, they are the guys that are after me. But yeah, dirsearch to the rescue: stray zip files with credentials. The most depressing thing of all of this is that the guy who has it is probably a millionaire. Everything else is okay. But yeah, I was able to log in. I'm the admin. Another depressing thing: this is 20 computers, this is 25,000 pages; this means that it's over half a million computers. So: all bots, 500, 5,000, add personal task, delete all bots, cancel bot [unclear]. One of the wisest things that I have done in my life was not pressing that "delete all bots" button, because if I had deleted those bots I would have interacted with people who were not criminals, and therefore I wouldn't be here in Berlin talking about it but in a Greek prison. So yeah, unfortunately I did not get remote command execution. The source code is available, all the malware downloadable from git. They are a botnet for hire, so this is the gift that keeps on giving. We are at around 200 malware that were shared from there. They have disabled my access on most of their servers, but again, this is my camera: you have to try harder. SmokeLoader: there are backend servers that I still have access to.

What did I do? I knew the default zip name of the source code; most of them are vulnerable. 60 different instances, two of them had more than half a million bots. The estimate is right now over 15 million unique devices that were compromised at some point in 2023. Excellent graph; you can see how it goes. Here's more: nowadays it seems that they are compromising 5 to 10,000 computers per day, which is a lot.

Manipulated Caiman. It's a really small botnet that targets mostly Mexican victims. So we had Chinese, we had Russian; I really want to spice up things, so add the Mexican threat actor. It's active for at least two years. It had more than 55 million of potential revenue. Ah, it's okay, but it's Mexico; who's going to go after me? So they had their Django REST framework, as you can see; all the data is in there, credit cards, everything. That's how we were able to calculate how many victims were in there, and as you can see in here, you just go to that website and you're an admin. There's literally no authentication, no authorization, no [...]. You're an admin, you're an admin, everybody's an admin, because yeah, that's life. But we do have more than admin: trusted research, you can see git, we have git in there, there is the Bitbucket, there is the list that was shared with Have I Been Pwned, and it's in there now. So unfortunately I did not manage to get RCE. The source code is also available if any of you wants to take a spin at it; be my guest, I'm really happy to share, but if you do it in Germany this is probably illegal, and don't do it.

Nexus. Unfortunately that's the one that got away. The first appearance was in 2022. It's an Android stealer. It has a really sophisticated way of bypassing multi-factor authentication. It targeted 500 banking applications. It's mostly active in Turkey, which is geographically close to Greece, and it's currently inactive, so I think I'm safe. The only thing that it had in there was a SQL injection that you were able to exploit just with sqlmap, and you were able to log in and have anything that you want in there. You could dump the full database, clear-text passwords, because who wants encryption? No code or RCE. It hasn't been around for the past five months; I consider it dead.

Aurora. First appearance also 2022. Windows stealer, written in Golang; the C2 was also written in Golang. It's also dead. So, I had to go to a wedding. Dirsearch found a stray image loading advertisements; I followed that lead and I found the base building server handling pretty much everything: builds, licensing. You could add a user to it and create stealers. That's the building server. So I added my user and I said, okay, I'm me, I now have to do other stuff, because I also live; as I said, I'm married, I had to go to a wedding with my wife in Spain, and that happened on the Friday that I was flying. So I said okay, cool, I'm going back in on Monday, and on Saturday that tweet happened, which, if you can't see it, [says] major improvements, Aurora is [...]. I don't know if me adding the username made the guy delete everything, or something else. But yeah, that's the one that got away, but I'm okay with that, I think.

And ethical dilemmas. That's a really, really silver lining that we would have to take. Are we the baddies? What I'm doing, what I'm presenting in here, in Germany is illegal; in Greece it's not exactly illegal, it's allowed unless the person that you hacked sues you. So I really hope someone sues me, so I have a really good lawyer; I'm happy to have enough money to pay that lawyer, and if any of those malware people wants to go after me, let's have a fight.

What's the issue? "Criminals will get better; command and control servers will get some focus too." I have some news for you: no, they will not. I hoped that after my DEF CON talk everyone would have fixed the zero-days. They tried; they didn't try really hard. "The bar will be raised and today's zero-days will no longer be valid." No, they're still valid, most of them are still there; they don't really care, they're, I don't know, I really don't know. "It could interfere with active police investigations." I was lucky and didn't interfere with any active police investigation, but I was also unlucky to have a lot of police asking me stuff and asking me to provide zero-days, which I did and I will continue doing, but it's not one of the best things to have an email saying, "yeah, can you give us a zero-day?"

What I will do: I will continue monitoring for new panels. I will try to find more zero-days. I will help LEAs identify criminals and chase them. I will try to continue my 40-year streak of not getting vanned and not getting hacked. You can see my GitHub; all source code is released in there. The blog post was never uploaded; it will never be uploaded. It's still in there just for reference. I was told by multiple LEAs that it was not wise to write down what I did, although it is wise for me to present it to you. But yeah. So that was me. Thank you.

[Applause]

Thank you, thank you so much. It was very, very interesting. We have some time for questions. Do we have... oh yes, that was a quick hand. I think there is...

I see a lot of movement doing what exactly you are doing, right? So I hear other people fighting back on criminals, and I wanted to ask you if you would encourage more people to do it, and if you would have some recommendations for their opsec, basically.

I'm looking at the camera but I'm answering you: I'm not encouraging anyone to do illegal stuff in their countries. But if you can find a silver lining that will allow you to hack the person who tried to hack your mom or your company, or you can go after ransomware somewhere, do it. But on the bat, don't do illegal stuff. What recommendations on opsec, so that you don't get vanned, you mean? I'm really bad at opsec, as you can see. I hacked bad people and am here with my actual name, first name, last name; I'm wearing stickers; I hacked bad people. So yeah, I don't know. I don't have any recommendation on this opsec, sorry. Do have opsec if you feel like it. Anyone else?

So I just have a comment on opsec; maybe it's also interesting for you, although you won't use it, obviously. There was a talk some years ago from THS, and I think he was a speaker at CCC, which was called like "You can hack everything, you just should not be a..." I think it's a pretty good talk about opsec, and if you're interested in that, that may be helpful for you. Thank you very much for the awesome talk.

There's your answer on opsec. Oh no, on the opsec: I'm not doing opsec. Anyone else? Do we have anyone? A lot of lights, I can't see anything.

It's another question. So this is your hobby, right?

It was my hobby. It was my job, then it became my hobby because I didn't like pentesting, but now I love pentesting, so now it's also my job. I'm a strange guy.

Sorry, yeah, thanks for your presentation. I have a question: like you said, for Amadey, the Russian one, your friend was able to crack it very fast. Was it before, was it easy, not encrypted, or I don't know, how was he able to [crack] the zip password?

Yeah, the password: you can see the zip password in there. It was a really small dictionary word, pretty easy to crack. They have switched, on version five, version four, from a small to a bigger hash, but we have found a way around it to get RCE. So it was bad, but not that bad.
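The recurring finding of the talk is that a stray archive, an environment file or a script written into a data directory in the web root was enough to take over a panel. As an added example from the editor, not code from the speaker or from any of the projects discussed, here is the defender's inverse of that scan: a small Python audit that lists a web root and flags exactly those artifacts before a scanner finds them. The rule sets, the directory names and the sample listing are constructed assumptions; a real deployment would extend them for its own framework.

```python
"""Audit a web root for files that should never be reachable over HTTP.

Added example, not from the talk: a stray archive, a .env file or a
script in a data-only directory was the root cause in several of the
C2 takeovers described, so this defender's check walks the web root
and flags those artifacts.  All rule sets and the sample listing are
constructed for illustration.
"""
import os
from typing import Iterable, List, Optional, Tuple

Finding = Tuple[str, str]  # (category, path relative to the web root)

# Constructed rule sets; extend them for your own framework and deployment.
SECRET_FILENAMES = {".env", ".htpasswd", "id_rsa", "config.php.bak"}
SECRET_PREFIXES = (".env",)            # .env.local, .env.production, ...
ARCHIVE_OR_BACKUP_EXT = {".zip", ".tar", ".tgz", ".gz", ".7z", ".rar",
                         ".sql", ".bak", ".old", ".orig", ".swp"}
REPO_OR_DEPS_DIRS = {".git", ".svn", ".hg", "node_modules"}
# Directories that should hold data only; a server-side script here means
# an upload or write path is being used to plant code.
DATA_ONLY_DIRS = {"uploads", "credentials", "files", "storage", "logs"}
SERVER_SCRIPT_EXT = {".php", ".phtml", ".phar", ".jsp", ".jspx", ".asp",
                     ".aspx", ".cgi", ".pl", ".py"}


def _normalize(rel_path: str) -> str:
    """Use forward slashes and drop a leading './' or '/'."""
    p = rel_path.replace("\\", "/")
    while p.startswith("./"):
        p = p[2:]
    return p.lstrip("/")


def classify(rel_path: str) -> Optional[Finding]:
    """Return (category, path) when the path looks like a leak, else None."""
    p = _normalize(rel_path)
    parts = p.split("/")
    dirs, name = parts[:-1], parts[-1]
    ext = os.path.splitext(name)[1].lower()

    if any(d in REPO_OR_DEPS_DIRS for d in dirs):
        return ("repo-or-deps-dir", p)          # e.g. .git/config
    if name in SECRET_FILENAMES or name.startswith(SECRET_PREFIXES):
        return ("secrets-file", p)              # APP_KEY, DB password, ...
    if ext in ARCHIVE_OR_BACKUP_EXT:
        return ("archive-or-backup", p)         # source or database dump
    if ext in SERVER_SCRIPT_EXT and any(d in DATA_ONLY_DIRS for d in dirs):
        return ("script-in-data-dir", p)        # planted server-side script
    return None


def audit_listing(paths: Iterable[str]) -> List[Finding]:
    """Classify every path in a listing, preserving the listing order."""
    findings: List[Finding] = []
    for rel in paths:
        hit = classify(rel)
        if hit is not None:
            findings.append(hit)
    return findings


def audit_directory(root: str) -> List[Finding]:
    """Walk a real web root (dotfiles included) and classify every file."""
    listing = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            listing.append(os.path.relpath(os.path.join(dirpath, fn), root))
    return audit_listing(sorted(listing))


# Constructed listing of a hypothetical panel's document root.
SAMPLE_LISTING = [
    "index.php",
    "assets/app.js",
    ".env",                      # framework secrets, like the Laravel case
    "panel.zip",                 # stray source archive
    "backup/db.sql",             # database dump
    ".git/config",               # repository metadata
    "credentials/abcdefgh.php",  # script where only data files belong
    "uploads/avatar.png",
]

if __name__ == "__main__":
    for category, path in audit_listing(SAMPLE_LISTING):
        print(f"{category:20} {path}")
```

Run it against a real document root with audit_directory("/var/www/html"); the categories map directly onto the talk's cases (Laravel .env and APP_KEY, the Amadey and SmokeLoader source archives, the script written under /credentials/), so a hit in any of them is worth treating as a takeover path rather than a housekeeping issue.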