Offensive Malware Analysis - Dissecting OSX/FruitFly via a Custom C&C Server
Offered By: Black Hat via YouTube
Course Description
Overview
Explore offensive malware analysis in this 24-minute Black Hat conference talk, which dissects OSX/FruitFly by building a custom command and control (C&C) server for it. Writing your own C&C server for someone else's malware lets an analyst task the sample directly and observe its responses, which can speed up analysis considerably and, in principle, allows infected hosts to be hijacked. The talk examines FruitFly variant B: triaging the script, decoding its subroutines, and understanding the main processing loop and basic protocol. It covers what the malware monitors (network, file and process activity) and its mouse and keyboard sniffing, then walks step by step through building the custom C&C server: what the malware does when it connects, how to task it, and how to handle command responses. It also investigates the primary C&C servers, victim identification and the communication protocol, and concludes with practical advice on protecting yourself from this threat.
Syllabus
Introduction
Overview
Goal
FruitFly
Variant B
Triaging the Script
Subroutines
Decoding
Main Processing Loop
Basic Protocol
What to Monitor
Network Monitoring
File Monitoring
Process Monitoring
Mouse and Keyboard sniffer
Building our custom C&C server
What does malware do when it connects
Tasking and handling command responses
Command 2 triage
Communication is key
Fully compatible
Primary C&C servers
Victim identification
Wrapping up
How can you protect yourself
Taught by
Black Hat
Related Courses
Computer Security (Stanford University via Coursera)
Cryptography II (Stanford University via Coursera)
Malicious Software and its Underground Economy: Two Sides to Every Story (University of London International Programmes via Coursera)
Building an Information Risk Management Toolkit (University of Washington via Coursera)
Introduction to Cybersecurity (National Cybersecurity Institute at Excelsior College via Canvas Network)