HTTP Statuses as C2 Commands and Compromised TLS

Offered By: Hack In The Box Security Conference via YouTube

Course Description

Overview

Explore advanced malware techniques and innovative command and control methods in this Hack In The Box Security Conference talk. Delve into the analysis of COMPFun malware, examining its evolution from 2014 to 2019. Learn about the malware's ability to compromise TLS-encrypted communications in HTTPS, its use of rare HTTP statuses as commands, and its sophisticated injection methods. Discover how the malware manipulates system PRNG functions to mark and distinguish target traffic, even after NAT routing. Investigate the malware's spreading capabilities through USB devices and its potential for air-gap breaches. Gain insights into the creative and persistent nature of COMPFun developers, and understand the challenges faced by security researchers in analyzing such advanced threats.

Syllabus

Intro
The plan
How it all started
Why another trojan?
- Keylogging? May be too loud
- Decrypting? May be not in reasonable time with current TLS
- Certificates pre-installation? Could facilitate MITM, but what about NAT?
"Client hello" field
PRNG to mark it
Chrome and Firefox
- To patch browsers' PRNG functions in memory and the TLS handshake, developers have to analyze Firefox sources and Chrome binaries
Silently marked
Why on the fly?
- Once our telemetry showed new URLs and, at that time, installers were available on the warez web-site
Infection chain
C2 communications
- HTTP statuses 422-429 (IETF RFC 7231, 6585, 4918) are the async commands from C2
Encryption
Some math inside
To do or to use?
- Don't reinvent the wheel, just realign it.
If you decide to do it
- In config: version, target ID, URL. Almost certainly constructed with a builder
Second way pros
- Knowledge separation
First way pros
- Speed for the first sample