HTTP Statuses as C2 Commands and Compromised TLS
Offered By: Hack In The Box Security Conference via YouTube
Course Description
Overview
Syllabus
Intro
The plan
How it all started
Why another trojan? - Keylogging? May be too loud - Decrypting? May be not in reasonable time with current TLS Certificates pre-installation? Could facilitate MITM, but what about NAT?
"Client hello" field
PRNG to mark it
Chrome and Firefox To patch browsers' PRNG functions in memory and TLS handshake developers have to analyze Firefox sources Chrome binaries
Silently marked
Why on the fly? Once our telemetry shows new URLs and that time installers were available on the warez web-site
Infection chain
C2 communications HTTP statuses 422-429 (IETF RFC 7231, 6585, 4918) are the async commands from C2
Encryption
Some math inside
To do or to use? Don't reinvent the wheel just realign it.
It you decide to do In config: version, target ID, URL. Almost certainly constructed with builder
Second way pros Knowledge separation
First way pros Speed for the first sample
Taught by
Hack In The Box Security Conference
Related Courses
Browser Hacking With ANGLEHack In The Box Security Conference via YouTube Can A Fuzzer Match A Human
Hack In The Box Security Conference via YouTube Biometrics System Hacking in the Age of the Smart Vehicle
Hack In The Box Security Conference via YouTube ICEFALL - Revisiting A Decade Of OT Insecure-By-Design Practices
Hack In The Box Security Conference via YouTube Fuzzing the MCU of Connected Vehicles for Security and Safety
Hack In The Box Security Conference via YouTube