
Evading C2 Detection with Asymmetry

BSides NYC · 2018 · 44:11 · 25 views · Published 2023-04
Tags: Style: Talk

Transcript [en]

...her, that's because he's been introducing himself as an assistant speaker, which I'm not sure what that means. This has been right here, we're Brandon and Andrew. So, "who am I" slide: I'm Brandon Arvanaghi, I'm a security engineer at gemini.com. I used to work at Mandiant, FireEye, as a consultant there. I wrote a tool called CheckPlease, which was an implant security framework and such, in Go, while at FireEye. And before all that I did security engineering work at Vanderbilt; I went to school there and I studied security.

Hi everyone, my name is Andrew Johnston. I'm a proactive consultant at Mandiant and I focus on red teaming. I also work at Fordham University as a researcher looking at how we can use artificial intelligence to help fight terrorism. Apparently I hacked a toaster at the age of five, and yeah, my alma mater is Fordham. I know I don't have a fancy headshot like Brandon does, so instead I just went with Sad Eyes Harold.

So, basic disclaimer: you're responsible for what you do with the information in this talk. Thank you, don't do bad things. The case studies that we provide here are high level; they don't reflect any clients that either of us have ever worked with. Names and facts have been changed. Legalese, read this at some point.

Malware fundamentals, very, very basic stuff. Two high-level buckets for most malware. Malware that knows what it wants to do without any other input from the attacker, and these are really nasty ones, right? So ransomware most of the time doesn't need to call back home. It just locks things up and it'll say, this is a Bitcoin address, pay me, or something like that. To delete all files you don't need someone to be at the keys to help with that. And then there's malware that does, so malware that wants to phone home. You can extract data or accept commands, like in a remote access tool. That's more involved; that's when someone wants to snoop around, etc. So that's more targeted, nuanced. It's not reckless like ransomware or deleting all files.

Of the malware that does need to communicate home, there's a couple different ways you can do so. The old-school way was synchronous communication, basically a live stream of data going back. It actively listens and responds to requests. And there's also asynchronous, so that's malware that polls. You can set sleep intervals on this kind of malware, you can set jitters, you have more granularity with this kind of thing.

Let's talk about being in sync now. So you're all familiar with the bind shell, it's very basic. This is an example of synchronous malware. You can tie a shell to a specific port on a local computer and listen for incoming connections, and it's very trivial to detect if there's a shell listening on a local computer. I mean, the workflow is: is there an open port, is there a shell listening on it, I have concluded that there's a shell sitting on an open port.

Reverse shells got a little bit more interesting, but still in some ways outdated. This shell gets pushed out to the attacker's machine, so rather than having it tied to a local port, the shell gets pushed out to the attacker's machine, so you don't actually see the open port on your own end and it's not tied to any port there. It's more difficult to detect because of this, and most synchronous RATs are based on the concept of a reverse shell.

So synchronous traffic was very basic. It started out with bind shells, moved on to reverse shells. It started out with obscure ports, and then that got easier to detect, so it went to regular ports you're used to seeing, like 443. Rather than just having one C2, you'd have some failover C2s if your first one went down. And another improvement was people started using C2 servers that are nearby, so if you're attacking a company in New York you'll set up in your cloud environment, for example, a New York IP for a C2 so it looks similar enough.

So one of the problems with synchronous traffic is that it's one long conversation, and it's very loud and obvious in network traffic. It's essentially like streaming Netflix to a C2 server. So this is why we're seeing the shift to asynchronous. This is all very high-level stuff; I'm just giving an overview for the talk. And it's very, very difficult to manage several reverse shells at the same time, and they're flimsy, because if one of these streams gets broken up then you're in trouble, you have to find another way to peek back in. Now I will pass it off to Andrew to talk about asynchronous malware.

All right, so asynchronous malware is probably the kind of stuff that, if you're doing red teams today, this is the stuff you're using. One of the nice things about asynchronous malware, since it is calling back to you, is that you can set working hours. You probably don't want to send any commands at two o'clock in the morning.

So you can effectively shut your malware down and tell it not to beacon back to you until 9am or whenever you're going to start using it again, and that gives it the ability to look almost normal, because you can start to mirror what looks like normal organizational traffic. It's still not perfect, because you have to call back to the server, but it's definitely a lot better than what we were seeing with synchronous malware, right? The primary feature of these asynchronous malware softwares, like Cobalt Strike, like Meterpreter, like PowerShell Empire, is that it's making a new connection for every communication. It's not a long stream, but rather a series of discrete communications over time.

So there's been a lot of work recently into making asynchronous traffic look a little bit more normal. There's been a whole bunch of articles on domain fronting, right? Domain fronting is when you're using a cloud provider to look more normal, and you can look like you're sending traffic to some pre-approved domain, but it's really going to your C2 server. If you've ever tried to implement this, it is rife with problems. You have problems with caching, and also a lot of the common targets that people use for domain fronting really don't like that their servers are now being used for malware, and if you try to do this they will likely detect you and oftentimes shut you down.

You can also improve yourself a little bit by implementing jitter. Jitter is a little bit of randomness in how often you call back, so instead of calling back every five minutes on the dot, maybe sometimes calling back at four and a half minutes and other times maybe not even till six minutes. This gives less normalcy to the traffic and tries to obscure another artifact that defenders might be looking for.

Another thing you're going to see talked about a lot is domain categorization. There's a host of different companies that offer this for enterprises, and essentially it's a third party that tries to manage a whitelist for you and tries to group all the domains that your employees may be visiting. This allows employers to lock down machines and say they can only visit websites that have been pre-approved, but this really becomes a cat-and-mouse game, just like everything else in security. There are a ton of vendors that offer this, and you can try to get your website categorized, but it's ultimately a guessing game, and you have to hope that nobody does some inspection or asks the company to re-categorize it.

Ultimately this asynchronous traffic is going to look weird. The problem is that whenever you make a new domain to handle this kind of traffic, it's going to go from having no hits and nobody visiting it ever to, all of a sudden, dozens of workstations and maybe even some servers all connecting to this one system multiple times a day. This is really weird if you're looking at, like, a frequency graph of traffic, right? Why does this new domain that nobody's ever heard of, it doesn't have a profile on Google, it's not linked to any known people on the web, why is it all of a sudden getting all of this attention? That's something that defenders can look for.

So let's get into a bit about asymmetric malware, which is the improvement, it's the evolution of where asynchronous malware is going. Asymmetric malware is malware that splits up receiving commands and sending data back. The simplest type of asymmetry is just using two different servers: getting a command from one website, sending it to another. But you don't have to limit asymmetry to just multiple machines. You can split your traffic across different applications, protocols, or really anything. In the most advanced form, asymmetric malware doesn't always need both channels. If you can customize a particular malware or implant to only do one thing, then you sometimes don't need a command channel. Likewise, if you only want to change a setting or if you want to alter a machine in some way, you don't really need a way to exfiltrate data. So even though right now it's very much popular to just use asynchronous malware no matter what, people put beacons on machines even if they only want to do one thing. That's noisy, and with asymmetric malware you can kind of get away from that habit of putting the same thing on every machine you want to communicate with.

So let's talk about how we can do asymmetric malware on regular systems. Probably the primary example of asymmetric malware in real life is a piece of malware called HAMMERTOSS. It was written about fairly extensively by FireEye, and it's a free PDF download to check out. It was supposedly written by APT29, which is a Russian group. Now, one of the really cool features of this malware is that it uses Twitter to get commands. Every single day the malware generates a new Twitter handle using what's called a PRNG, so it looks like it's a random stream, but really you can generate the same quote-unquote random stream in two different places. So the malware generates a new Twitter handle and it visits it, and it uses that new Twitter handle to identify a place to download an image. That image then is decrypted, there's some encryption and steganography applied, and the malware is able to retrieve data back, or able to see what the attacker wants it to do, and execute those commands. It then exfiltrates data: it takes the response from that and it puts it on popular cloud storage providers, right?

This malware is really unique in that not only is there no direct link between the attacker and the machines they're infecting, but it's really resistant to a lot of countermeasures. Even if Twitter knows that a particular username is being used for malware, they can shut it down, because the attackers are making a new one for tomorrow's command anyway. They only need one tweet a day in order to control all their machines.

So we wanted to do a little demo for you to show you what asymmetric malware might look like, and to do that we needed a popular website. Since we didn't want to make anybody angry, we decided to make our own popular website. So if you want to check it out on your computer, it's notac2.info, and I swear there's no JavaScript messiness or anything like that, we're not trying to trick you. So what we wanted to show is that you could take a blog that you don't control as an attacker and you can still use it to run your commands. So now, if everything works out, you know, I've got my fingers crossed, our live demos always get tricky. So this is notac2.info, right? And so it's just some content there, and there's a comment section like there are on a lot of websites.

Right now, when you're using a comment to run your malware, you can't assume a lot of things about structure, right? You can't assume that you're always going to be the first commenter, you can't assume that people aren't going to try to bury you or reply to you. So you have to have something to hinge off of. In this case our malware username, regularposter, uses a UUID. UUIDs are really nice because they're guaranteed to be unique no matter what, so if your malware is looking for this specific sign you can be pretty sure that it's not going to be anywhere else. So just for the purposes of the demo, to make things simple, after the UUID we have a pipe and then we just have a base64-encoded command.

So let's hop over to this PowerShell window and let's manually trigger our malware. Excellent. So this malware is very basic, it just points out that we're running code from a blog comment and just pulled up a little Notepad window for us. Let's see, let's take it back. Excellent.

So naturally, if you were doing something, you know, in real life against a real adversary, you'd probably want to do a little bit better than what we did here. The first of which, and the easiest thing, is not using a static sentinel value. Just like HAMMERTOSS, you're going to want to use a PRNG or another algorithm so that way you don't have to put the same UUID in every comment, because that's something that the person who runs this website could key in on and start to look for and flag. Likewise, you probably don't just want to base64-encode commands, because anybody who recognizes that's base64 will be able to take a look at it and see what's going on. So one of the things you could do is you could actually encrypt the command. I know Brandon authored a library called CheckPlease, and one of the things that you can do with some of the code it produces is you can have malware that decrypts based on its computer name. So if you know exactly what computer you're gonna infect with this asymmetric malware, you could encrypt your commands with that computer name, and that way even if people see this they don't know what's going on; they can't take it apart.

Likewise, as fun as it is to buy domains like notac2.info, you're going to want to target a real site, something that's popular and something that's frequently updated, so that way you can continue to post your commands on new posts or something like that. Likewise, this is an asymmetric malware that doesn't have a data exfiltration channel, and so in most cases you're going to want to implement some kind of way to post data back to yourself. So one of the things you could do to kind of extend this: there's a really cool PowerShell command called Send-MailMessage. And I should clarify, for some people who are wondering why I'm keying on PowerShell a lot, it's because PowerShell is just great if you're writing malware for Windows systems, because you can run in memory and it gives you a lot of easy access to administrative functions and some of the things you'd want to do. Send-MailMessage is one of those cmdlets that you really want to acquaint yourself with. It allows you to send emails using the Microsoft Office suite directly from the command line. That makes things very easy for you, because people are sending messages every single day; they're probably not too rigorously inspected, and you can use that as a means to exfiltrate data without generating traffic that looks unusual. And on top of that, if you do some Google searching, you're going to see there's a lot of PowerShell scripts that are made to interface with a lot of common APIs and a lot of common sites that you might want to get data from. So it's not very hard, if you want to make your own asymmetric malware, to incorporate a lot of different vectors without doing too much work.

So, great, we've introduced the concept of asymmetry. You go one place, where that place might send you somewhere else. You have one place in mind and you also have a backup place that's different, and you use different channels. A good example of that was ZeusVM. Who's familiar with this piece of malware? ZeusVM is a pretty cool banking trojan. There's a good piece by Jerome Segura on it. He was a security researcher who noticed a strain of malware was pulling down a JPG from a server that we knew was hosting other malware components, so a C2 server. So there was malware on a computer, and it went to this malicious domain name and it pulled down a JPG, and this was the image: beautiful sunset, right? But as it turns out, that actually had some data in it that just pointed to another domain.

So if you go to packettotal.com, for example, this is a sample that has network traffic for a piece of malware that did pull down this image. So who's sort of used PacketTotal before? Yeah, it's a great resource. So if you actually upload the packet capture that has this information to packettotal.com, you can see in the transferred files section the JPEG that was downloaded, and then if you switch over to the HTTP tab you can see all sorts of different hosts that were called as a result of that JPEG, so Russian domain names, etc. So that's an example of asymmetry, right? You pull down an image from one server, why? To get another server to go to, a cloud provider, to go anywhere else.

And blockchain is another really interesting use case for asymmetry, and it's kind of scary how nasty it can be. Bitcoin, for example: very little things you can do with Bitcoin, right? Essentially you can just pay people and offer multi-sig verification for those payments. But OP_RETURN is one of the calls you can make, and that allows you to store some arbitrary data, some metadata. And this has been kind of a huge debate in the Bitcoin community, whether people should be able to write their name on the blockchain or a birthday or something menial like that, because it's adding to the overhead of transactions, the blockchain gets longer. But if you're putting arbitrary data on the blockchain, what does that sound like to you? Everything on the blockchain is permanent. You can't kill one C2 server and have the blockchain go away; it's a network of miners that host it. There's several different websites, and more and more are growing, that scan the blockchain, that tell you every single transaction on it. If you can piecemeal different transactions with arbitrary data that form together to make a really nasty command, or to beacon out somewhere, it's very hard to stop. You concatenate these, you get the shell command. That's just for Bitcoin, and that was the dumbest cryptocurrency initially.

And here's an example. This is a Twitter account I found, I'm not sure how big it is, it's only 203 followers, but this one posts the human-readable OP_RETURN metadata information for recent transactions in the blockchain. So this is just one that came up. So if I put, you know, some encoded command on there, how are you going to stop that? It's very, very difficult to stop.

Ethereum is even more powerful in this regard. Ethereum is a Turing-complete language; you can do whatever you want on Ethereum, so there's more places to store information, arbitrary data, etc. So smart contracts, their data fields, you can put binary data that can be interpreted by malware, and again it can serve as a C2. Your C2 infrastructure is the blockchain. You don't necessarily need a server anymore that you pay for and have taken down. When you have a decentralized server, every single miner is hosting your malware, is hosting your C2 channel. This is dangerous.

IPFS, the InterPlanetary File System, leveraged by Ethereum. Here's a Medium article that discusses it at a high level. You can have websites that are completely distributed, websites that have no origin server, websites that can run entirely in client-side browsers, websites that do not have any servers to talk to. What does that sound like to you? Sounds like a really dangerous C2 opportunity. It used to be centralized, but now you have asymmetry, but beyond asymmetry you have decentralized asymmetry. So again, it's a distributed file system. You can address the content you want by a hash and it'll traverse, and it's version controlled, so anything you want, it's always going to be there, any malicious code. And who's going to take it down? Who's the admin, who's the government that can take down something on the blockchain? You can't, right? This is kind of the double-edged sword of transactions on the blockchain. So attribution gets very hard. If you send your initial payload from some random computer and then it starts communicating back to the blockchain, how are you gonna figure out who did that? It's very difficult to do. It's not like, you know, something you could subpoena and get network traffic from; it's the blockchain. So attribution is very hard with this kind of asymmetry as well.

Now I'll talk about air-gapped systems. So air-gapped systems are systems that are not connected to any other system or the internet. There's a gap of air where a wire would normally be, no communication. It's a computer, normally, that has information you don't want anywhere near the internet or any other system. It's easier to place malware on these systems than it is to get information off of them. So if I'm in range of it, on the same floor even, I might be able to get a USB inside one of these or find a clever way to get it on there, but how am I going to get data out of that, right? To do that, you can think asymmetrically. Sounds. This is kind of clever, you guys remember those mosquito ringtones? These air-gapped systems have speakers. Speakers are a form of communication with the outside world. If you have a recording device that can capture sounds that are inaudible, you could exfiltrate data from that air-gapped system. So it's air-gapped so long as there's no... there's still channels of communication with the outside world in air-gapped systems. Sounds are a really good example of that. If it has a speaker it's not purely disconnected from the outside world, and you can hear it across the hall too. And I'll pass it over to Andrew to talk about refresh rate.

So every screen has a refresh rate, which governs how often the image on the screen is updated. Now, computers all have refresh rates that run slightly differently, but when you get to a high enough refresh rate, the ones that are used on most computers, you're not actually going to notice a difference in normal operation between small shifts in refresh rate. But these differences would be noticeable to a camera that is recording it and has a very high refresh rate. So take NirCmd. You may be familiar with NirCmd because it's used by a lot of system administrators to do a lot of different functions when it comes to changing settings on a machine. Well, NirCmd gives us a really cool setting called setdisplay. setdisplay gives us a lot of different options, but you can see right towards the edge that you can set the refresh rate. So malware could ostensibly use this code and shift a refresh rate very slightly, not so much that it would be noticeable to someone who's watching the screen. If you can modulate even only between two different frequencies, then you can create a binary channel, and a camera that's able to record the screen could pull this, and they could use the differences as a way to send and receive information.

So one of the things we wanted to specifically highlight is Bluetooth, because we're seeing more and more Bluetooth and Bluetooth-enabled devices. So Bluetooth does run into the problem that you do need to be fairly close to a particular machine, but the particular range is definitely going to vary, especially because Bluetooth isn't the only culprit. And as we're seeing more and more of these small embedded devices start to show up, we're going to see systems that not only have Bluetooth antennas, but they also support Zigbee and other common ways of interfacing with these different devices. And the problem is that they all work really well as a way to send data without a network connection.

So one of the things we particularly want to emphasize is that despite the popularity of bring-your-own-device policies, where employees can bring their devices from home and use them for work, they shouldn't mix with air-gapped systems. If there can be a device that is potentially attacker-controlled within range of a system that you want totally isolated, then you can't consider that system to be totally isolated. It's an asymmetric channel, and it's definitely more complex, but it's one that attackers will recognize and start exploiting. So if you want a system to be truly air-gapped, then you're going to have to start implementing more stringent policies about what devices are allowed near it, as well as potentially looking into more advanced options like actually shielding rooms that contain air-gapped systems.

Now you may think that stopping Bluetooth is fairly easy, but it may be a bit more challenging than you're expecting. So a lot of systems nowadays have a chip that looks exactly like that. That chip is a standard Wi-Fi chip, but it also has Bluetooth capability, so it's not as easy as pulling a specific module out of a computer or not allowing USB antennas or something like that to block Bluetooth. In most systems, assuming you need Wi-Fi, which is, you know, very common, you're going to need to implement software-based restrictions. And now, as most administrators and defenders are aware, when you have to go to the software level in order to defend something, things start to get tricky, because inevitably exceptions are made or policies aren't applied correctly, and attackers will find those, they will recognize those, and they will leverage those.

Likewise, you may be thinking that if you have Bluetooth on a system, or another antenna like this, that you could set up some synchronous communication, and that's definitely true, but synchronous communication through one of these channels would probably be both very challenging and very noisy after a while. So if you want a truly covert type of malware, you're not going to be using something like Bluetooth as a synchronous channel.

So let's talk about IoT, the Internet of Things. So the Internet of Things is incredibly popular, and we're starting to see that the Internet of Things idea and mentality is affecting organizations, right? We're starting to see organizations incorporate smart coffee makers and smart light bulbs and smart meters and smart printers that have a host of sensors, and you can not only configure them locally, either over the internet or with Bluetooth, but you can also query them from some remote place. They offer APIs so that people can configure these devices from very far away. The most interesting IoT devices to us are the ones that have both Bluetooth and Wi-Fi capability as well as the ability to check or manage them over a remote API. So what an attacker can do is something truly crafty. They can use a Bluetooth channel from an infected device to set a value on these Internet of Things devices. They can then query that value from a remote API from a different place, and they can use these settings that they can configure as a means of data exfiltration.

Take a smart light bulb for an example, which usually allows you to change to a whole host of colors. A color is represented as an RGB value, which is really just three bytes. While it's not particularly efficient, an attacker could use Bluetooth to rapidly change these three bytes and then query those bytes from the remote API. That makes for a really cool opportunity, because there's no direct link between the attacker and the data that they're stealing. Moreover, even if a defender recognizes that all of a sudden an Internet of Things device is being queried rapidly or being set rapidly, they don't immediately know which system is doing it, because from what we've seen, Bluetooth isn't really a monitored channel in most organizations. So they're going to be completely blind to that until they start to implement and get new hardware and software to kind of find these things. Moreover, like we were talking about before with air-gapped systems, with IoT the solution is not just "make a new Wi-Fi network," because the device doesn't have to be on the same network if you can communicate over Bluetooth or something similar. And it's not just a matter of putting them in different rooms when things like Bluetooth Low Energy have a 100-meter range. Especially, you know, in the great city of New York City, a hundred meters can be an entirely different building. So it's not just a matter of securing a particular section of your organization.

So let's look at a case study. So let's consider an opportunity where an organization is fairly secure but falls victim to a more advanced malware that implements some asymmetric tactics. So let's consider the super secure organization. So, like a lot of modern workplaces, everything the employees are doing on their computers is monitored. And also, a lot like a lot of companies that we see, they allow BYOD, and they're smart, and they don't want to put those devices on the same network as the rest of the corporate devices, so they implement a Wi-Fi network specifically for them, and they have entirely separate hardware for the BYOD to access the internet. Like we see a lot, they implement one of these site categorization tools and they only allow employees to visit pre-approved domains, ones that they're sure are both business relevant and are going to be generally safe. To get even more insight from network appliances, they use HTTPS decryption at the egress and ingress points, so even if something is happening over SSL they can actually take a look into that, and they can use their indicators of compromise against that kind of traffic.

So if you're a normal red teamer, this would probably be the workflow that you would go about. So you would go and you would set up a C2 server, and you'd probably put an SSL certificate on there so you're not gonna be detected immediately. And let's give the standard attacker the benefit of the doubt, and through social engineering and some magic they do get some code to run on a victim's machine. Eventually the defender is going to see these attempted connections to a new domain, right? Since they have SSL decryption, they're going to be able to decrypt that traffic and they're going to see PowerShell commands. This of course is going to set off many alarms, people will be woken up in the middle of the night, and the defenders will quickly work to identify what machines have been infected with this and work to remediate as soon as possible. And the attacker is going to be left disappointed, because they didn't get domain admin, and writing an impressive-sounding report is going to be very challenging.

So let's consider an asymmetric attacker. The asymmetric attacker isn't going to go set up some C2s, but rather they're going to identify some blogs, some news sites, and some other places that are probably already being used by a lot of the organization, right? Most organizations have a marketing department nowadays, and that marketing department is heavily involved on social media, so they might identify that as a particular way to host commands. Through a little bit of social engineering and some research, an asymmetric attacker can likely identify what kind of cloud storage providers are being used in the environment and start to tailor malware for that. So they're going to write malware to get commands from, say, the most recent comments on a blog, and they're gonna, like we were talking about before, use a string that changes daily, so there's not one static indicator anywhere.

once they've identified who they want to infect they're going to start uh encrypting their commands with AES and using say the machine name as a key because that's uh that's not going to be something that's going to be changing very quickly and a quick shout out to check please for making that so easy the asymmetric attacker is going to win in this scenario right Defenders are going to see traffic and since they have SSL decryption they're going to be able to see the the plain text traffic but they're only going to see victims talking to known Goods servers right even if they do start to key in that there's something going on in their environment they're not going to see any

indicators right away that directly identify who the attacker is. Making this more complicated, assuming the asymmetric attacker did some research, they can't just resolve this by blocking certain websites. This is a much more challenging malware to defeat. So now we're going to talk about defending against this, and honestly our core recommendation here is to block traffic to popular websites. So that includes Twitter, Reddit... I'm very serious, this is not funny... the ESPN comment section. If it allows comments, you can't allow your employees to go there. It's quoting Borat; it's still funny, I hope so. But honestly, there's not really a good measure against this; that's the issue. A lot of times it's going through

the popular websites that I just mentioned, popular blog posts. You can't block that, but you can try, especially when they're going through several different ones, not just one. You can do your best, and we'll give you some recommendations. While you can't restrict traffic on client workstations, servers are a little bit easier to do this for. Why is someone going to reddit.com, or whatever website, newyorktimes.org.com.org, from a server? They shouldn't be. Servers most of the time are not internet accessible, which is a good start, but you can implement really strict controls on those at least, and servers host the most valuable data in most instances. Watching your behavior: it might be a very popular website, but

if a specific user doesn't go to that website ever, then it doesn't matter that it's a popular website; it's not a popular website to that person. So if you have some good capabilities to recognize behavioral patterns, then shifts in frequency will be telling: it's unusual that they started going to this site over this site all of a sudden, and with such frequency. And finally, SSL decryption does go a long way. It's tough to implement in a lot of cases, but if you're able to get visibility into all the traffic and you have a good mechanism, you know, AI, machine learning, to analyze that traffic, you'll be in a better place to protect against one of

the hardest attacks there is to defend against. Yeah, so normal traffic to websites, when decrypted, will look different than strange traffic to these popular websites when decrypted. And that's it. I'm Brandon Arvanagi, this is my Twitter, and this is Andrew Johnston, this is his Keybase. So if you have any questions, we're happy to take them. Thank you. [Applause]

I was like, sure. So, I don't think either of us are familiar with the accuracies off the top of our head, and as you can imagine, like most things in machine learning, this is an active area of research. For a quick plug, I'm sure if you look at some of the FireEye documents, they'll have some great case studies on how they've implemented these types of solutions and how they work to both identify malware and to do so with great accuracy, even in the face of things like obfuscation.

for that. So the challenging thing: there's a lot of different ways to interact with the blockchain, and again a lot of these are just going to be over 443 traffic, sites that enumerate different transactions. Reading from the blockchain is very easy to do; writing to it can be a little bit more challenging. But if we're talking about getting commands, they're always going to be there, forever, for everyone. So reading is simple; writing can be a little bit more challenging. Yes.

Yep.

So if these servers are actually hosted in the cloud, is that the... If they're hosted in the cloud, then, I mean, it depends on what the cloud service provider is doing. A lot of them won't allow arbitrary access to other systems that they don't need to be. You have isolated clouds, you have public clouds, so it all depends on what you're going for. If it's a server that needs to talk to the clients, then it's going to be internet accessible, obviously. Yeah, yes.

Okay, so to someone... you're saying there's similar...

Yeah, so that's a good point. The major part of asymmetry, though, is that we won't rely on simply one server in the first place, so we might have another vector like the Wi-Fi or the Bluetooth or something like that. So if you block that one avenue, it's an eight-headed monster. And we talked about decentralized C2s as well, which are even more difficult.

Well, it depends. It depends if you're concatenating payloads; if you have a pseudo-random number generator, it can vary based on the source of the asymmetry, based on where you're pulling the data from. Yeah. So what we've seen as red teamers is that oftentimes it's fairly simple to get code execution on one machine, so in terms of getting a payload onto a client, that's not really a concern; there's a lot of different ways that people can do that. The challenge really becomes how you maintain that payload, right? If the payload isn't caught when it's first

deployed, then it's really just... it's all about endurance. So with asymmetric malware, where you're spread across multiple channels, it's going to be a lot harder to detect. Sure, there's still traffic that's receiving commands and sending data back, but when it's spread out across a number of different servers or applications, it's not going to be as easy as looking for a single weird IP address or domain name. Oftentimes we see that defenders are looking for those kinds of indicators, looking for new domains or uncategorized domains, and we're trying to argue that that's not an assumption that you can make anymore with this new

advanced malware.

So asymmetry is... oh my God, yeah, there we go. Yeah, so asymmetry is definitely very successful when it's deployed. For an attacker, the challenge becomes identifying what kind of traffic looks normal for a business. If people aren't regularly communicating with a specific cloud storage provider and your malware really hinges on that, that's not really something that's going to work very well. So what an attacker needs to do is take a profile of the environment that they're operating in and, you know, potentially do some really good OSINT to try to identify what kind of

systems they need to do, and then write custom malware, right? Cobalt Strike and Meterpreter and PowerShell Empire, they're great, but they're very much, you know, kind of cookie-cutter, and we're going to see more malware that is tailored to the environment. And likewise, red teamers, and the good guys, have to start doing the same thing and making more tailored malware, because that's what we're going to see the bad guys doing.

So for Bluetooth in particular, yes, that's the maximum distance, so you are going to have some trouble with interference and with things like concrete. But also in the city you have the converse, which is a very dense population, so even if it's not 100 meters, even if it's only 25 meters, that may be a different building; in a shared workspace that may be a different office. So it's still very challenging. Looking at protocols like Zigbee, which actually use a mesh networking concept and information is relayed until it reaches its destination, the actual range could be a lot longer.

So there's a tool called Rubber Ducky, and essentially what it does is it looks like a USB drive but it emulates a keyboard, and so anything that can be done from a user perspective can then be done via the Rubber Ducky.

Yes, yes. Did you notice that we wrote our own website today as a... yeah. And definitely, it probably depends on the website, in the terms of service, but yeah, we don't recommend going to all of your social media sites and starting to use them as a C2. I'm not advocating for that; no one's advocating for that.

Okay, I'm having a little trouble hearing you. I'm happy... I think we're... I think we're going to... talk to us after. Yeah, so we are out of time. Yep, all right, if you have any more questions, just find them. [Applause]
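The behavioral check the speakers recommend in the talk above (a site being popular in general does not matter if this particular user never went there, and a shift in frequency is telling), worked as an added Python example that is not part of the talk and not either speaker's tooling. It builds a per-user baseline of visited domains from proxy logs, then flags, in a later window, domains that are new for that user, domains whose daily rate jumped relative to that user's baseline, and request trains spaced evenly enough to look like a sleeping poller. The log format, the constructed sample lines, and the thresholds (rate ratio, minimum hits, regularity cutoff) are assumptions.

```python
"""Per-user domain baselining with a shift-in-frequency and beacon-regularity
check over proxy logs. Added example, not the speakers' code. The log format
(ISO timestamp, user, domain) and all thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def synth_baseline_log():
    """Constructed 7-day baseline (not real data): alice reads news.example
    twice a day, bob reads blog.example once a day."""
    lines = []
    for day in range(1, 8):
        lines.append(f"2018-10-{day:02d}T09:15:00 alice news.example")
        lines.append(f"2018-10-{day:02d}T17:40:00 alice news.example")
        lines.append(f"2018-10-{day:02d}T12:05:00 bob blog.example")
    return "\n".join(lines)


def synth_window_log():
    """Constructed 1-day detection window (not real data): alice's news habit
    is unchanged, but she now polls blog.example every 5 minutes (new for her,
    and evenly spaced); bob's once-a-day blog visit became 10 irregular hits."""
    lines = ["2018-10-08T09:10:00 alice news.example",
             "2018-10-08T17:55:00 alice news.example"]
    for i in range(12):
        lines.append(f"2018-10-08T10:{5 * i:02d}:00 alice blog.example")
    for t in ("08:03", "08:41", "09:30", "10:02", "11:17",
              "12:00", "13:48", "14:05", "15:59", "16:20"):
        lines.append(f"2018-10-08T{t}:00 bob blog.example")
    return "\n".join(lines)


def parse_log(text):
    """Each line: ISO timestamp, user, domain (assumed format)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, domain = line.split()
        events.append((datetime.fromisoformat(ts), user, domain))
    return events


def per_user_counts(events):
    """user -> domain -> number of requests."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, user, domain in events:
        counts[user][domain] += 1
    return counts


def interval_cv(times):
    """Coefficient of variation of the gaps between requests. Near 0 means the
    requests are evenly spaced, which is what a sleeping poller looks like."""
    if len(times) < 3:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def find_shifts(baseline, window, baseline_days, window_days,
                ratio=5.0, min_hits=5, cv_max=0.2):
    """Flag (user, domain) pairs in the window that are new for that user, that
    reached >= ratio times the user's own baseline daily rate, or whose requests
    are beacon-regular. How popular the domain is overall is never consulted."""
    base = per_user_counts(baseline)
    win = per_user_counts(window)
    times = defaultdict(list)
    for ts, user, domain in window:
        times[(user, domain)].append(ts)
    findings = []
    for user, domains in win.items():
        for domain, n in domains.items():
            if n < min_hits:
                continue
            base_n = base[user][domain]
            base_rate = base_n / baseline_days
            win_rate = n / window_days
            cv = interval_cv(times[(user, domain)])
            finding = {
                "user": user, "domain": domain, "hits": n,
                "new": base_n == 0,
                "shifted": base_n > 0 and win_rate >= ratio * base_rate,
                "beaconing": cv is not None and cv <= cv_max,
            }
            if finding["new"] or finding["shifted"] or finding["beaconing"]:
                findings.append(finding)
    return sorted(findings, key=lambda f: (f["user"], f["domain"]))


if __name__ == "__main__":
    for f in find_shifts(parse_log(synth_baseline_log()),
                         parse_log(synth_window_log()), 7, 1):
        print(f)
```

On the constructed data this flags alice's new, evenly spaced polling of blog.example and bob's ten-fold jump on a domain he already used, while alice's unchanged news reading is ignored; blog.example itself is treated identically in both cases, which is the point of keying the baseline on the user rather than on the domain's reputation.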