Welcome to our talk, Everything Is a C2 If You Are Brave Enough, by Luis Angel Ramirez Mendoza and Mauro Eldridge from DC5411. Okay, before we start, I would like to make a brief introduction about ourselves, the speakers, and about the topic of this talk, which is a rather crazy one. Also, I would like to take this chance to say that we are really happy to be here at the Adversary Village, and that I really hope that you enjoy this talk as much as we have enjoyed making it. This was a really crazy thing for us. I'm Mauro Eldridge, I'm from Argentina. I am the founder of DCA and DC5411, the DEF CON group that covers Argentina and Uruguay. I spoke at different conferences before, including DEF CON a couple of times, and other conferences around the world including Russia, Brazil, Colombia, Iran, Spain, India, Pakistan, Panama, Peru, and there are more to come. My co-speaker today is Luis Angel Ramirez Mendoza, and he's going to introduce himself now. Thank you Mauro. Hello everyone. My name is Luis Angel Ramirez Mendoza. I'm working on hardware security engineering at Birmingham Cyber Art and I'm a member of the DC5411 group. I have spoken at different conferences including DEF CON, BSides Newcastle, Yaskin India, BSides Islamabad Pakistan, DragonJAR Colombia, CREI USA, Jónico España, POSCON Iran, and Coesí Peru. Thanks Luis. So the topic of this talk, as I said before, is a rather crazy one. We are going to try to demonstrate the most crazy, unexpected, and you might call it interesting too, ways of setting up a C2 server. We're going to use different platforms, different online profiles, certain streaming platforms, gaming platforms, and even video games to try to build a C2 server. So, let me explain this. We tried to make this talk as friendly as possible to every audience, so we will explain this whole topic from scratch: the construction of a basic C2 server and how to use it.
And we're going to mutate the server to use different applications that are common to almost everyone here. So, the point is that we will start from a really basic C2 server and we'll try to expand it to use different platforms. For this, we have created a fake, toy ransomware, which will try to phone home, to leak some information and to coordinate an attack. This is an encryption operation which, as we will see in a few minutes, is not as dangerous as it seems. And it will try to use the most crazy and unexpected ways to carry out these actions, to communicate these actions. Just as a disclaimer, both the ransomware and the C2 samples here are unable to deal any kind of damage to their targets. They have been built for educational purposes only and they can't deal any damage at all, not even accidentally. These artifacts are not to be considered real world samples, they are merely illustrative. So, some features that may be present on large scale real world tools or samples will be missing here. They won't be implemented. We haven't been involved in any kind of illegal activity and it would be really hard to do so with these samples. So, let's start with the introduction. Let's take a first glance at a basic C2 that we have built. And from now on, if you have never seen one or if you have no idea of how a C2 works, you will have the really basic knowledge to know what we are talking about. And then this talk will go on to more bizarre ways and we'll start seeing some crazy things. So, the obvious question here is, what is a C2 server? C2 stands for command and control server. It's a server controlled by a bad actor, an attacker, which is used mostly to coordinate and distribute orders to infected systems. These orders can carry out information leaks, lateral movement, encryption operations and almost anything that you can picture in your head.
This traffic, which is sent from an infected system to the command and control server, tends to be hidden, tends to try to blend itself among normal applications or among other kinds of traffic to disguise itself, because otherwise it would be really easy to identify it, to tag it and to block it. Now, there are different connection models which won't be discussed here because we are trying to build something really basic just to give an example, but there's not a single way in which C2 servers behave. So, for our example, we set up, as I said before, a really basic C2 server and client which should be able to do the following. To register a new victim, that is, to identify a new victim correctly. To generate and share an encryption key in order to encrypt this victim. Actually, this key won't be a real encryption key, it will be a public SSH key, which with the help of OpenSSL you can use to encrypt files and different things, but this is out of scope, we are not going to encrypt anything actually. It will then try to leak information from the target and then encrypt the target's file system, which is the final objective of this malware, but actually we are not going to encrypt anything, as I said before. We will only leave a ransom note on the desktop asking for a payment. And something that we are not going to do yet is to disguise the traffic of this C2 server using another well-known application or service or platform. Not yet, as I said before. So, it's crime time. To make things funnier and to try to stick more to the real world, we will impersonate a new ransomware gang. We are going to be the Capybara Gang, dedicated to stealing capybara coins from unsuspecting victims. Our ransom notes will ask for payment in capybara coins exclusively. Capybaras are friendly and nice-looking lads that you can see in this picture and are common to Brazil, Uruguay and Argentina. So, a curious piece of information is that the capybara coins are something real.
They are actually fiat currency, the official currency in Uruguay. And they feature one of these lovely lads. Obviously, that's enough and a valid reason to want all of them. So, back to the technical field. Our server will use Ruby and Sinatra for establishing an API. Something that I must clarify here is that interpreted languages are not something common. And I risk saying that I don't think they are used at all on this kind of software, on this kind of malware. But it will be way more understandable to use these than any other language for this talk, believe me. We preferred to use Ruby because it may help us in building something minimal, a minimal artifact. And the language is quite understandable for almost anybody. So, we decided to stick to this rather than sticking to C or to any other language. So, let me explain the code really quick. We require common libraries like Sinatra and Colorize in order to be able to produce colored output. The rest, Net, HTTP and URI, are part of the Ruby core. So, we define a password for our C2 server because we don't want anybody snooping around and stealing our complex C2 server. We define some really basic endpoints addressing the previously stated needs. How to reserve and assign an ID to each victim, how to generate a key pair for each of them, asking to leak specific information from the host. In this case, it will only leak an IP address and a port, like sort of a connection string in order to get back from the server to the client. And actually, we are going to have an encrypt endpoint in order to notify that we are going to start encryption operations on a given client. Again, this is not going to encrypt anything. And we have a last endpoint which will allow us to connect remotely to the compromised host. Obviously, using the information leaked before, the connection string that I mentioned, we are going to query the telemetry endpoint and issue a custom command.
In this case, we only have the encrypt command, nothing else. And obviously, this will require a password because we don't want anybody stealing our precious C2 server. The client, it's pretty simple again. It will query the server endpoints in order to do everything that we have mentioned before: to register itself, to get a victim ID, to get a victim key, an encryption key. Also leaking the compromised host IP address and port in order to create this connection string that the server needs. And then, after running all this routine, it will place a ransom note once the server issues the encryption command. Now, let's see how things turn out. And then, once you have this base and you have a good understanding of what we are going to keep here, we are going to move to the wacky or not so orthodox methods. So let's start with the demo. Okay, as you can see here, we have three different terminals. The one on the upper left is the C2 server. It's going to run the Capybara server. This other terminal will send the crypt command once we have everything set and ready to go. And the lower one is a Docker container which, as it says here, is the victim. So we will basically run the server, run the client on the victim side. The client will register itself. And then, when everything seems nice and smooth, we are going to send the crypt command from this terminal. Let's make it roll. So it started on port 4567. We are going to launch the client on the victim. Wait, oh, okay. Now it should connect. The exchange should happen real fast here. Well, as you can see, it already happened. And it's already waiting, as you can see, for some input. The victim was generated. We have generated the key pair. We have leaked the host name and the connection string. In this case, it's a Docker container, as I said before. It will start running a listener on this port, 1337, which is stated here in the connection string. And it will wait for the input.
Now we are going to send the crypt command. We are just going to make that curl roll. We are going to make a POST, order encryption and password adversary, as it says there. This should be enough to start the encryption operation. Okay, it's done. Sending the encrypt order to all. Attempting to encrypt this victim. Fetching the endpoint. And now if we go to the desktop, we should have a creepy ransom note, if everything went smooth. Yeah, it's there. Now, what are these crooks up to? What do they want from us? Ah, I knew it from the start. They want our Capybara coins. Okay, that's how the basic C2 interaction works. Now that you have seen how it behaves, we are going to move on to the not so orthodox methods. Remember, this is a basic diagram once again of what we have done so far. We have the client, which is the victim, the server, and the remote activator that can reside inside the server itself if you want to. So, let's move on to the fun part now. The wacky clients. How to hide C2 traffic in the most unexpected, wacky, crazy ways that you can ever picture. So what's next? So far, our C2 is able to do a couple of things. Register a new victim. That's done. Check. Share an encryption key. Check. Leak information from the target. Check. "Encrypt" the target's file system. Check. And now we have something pending. We have to disguise our traffic using some well-known applications, platforms, or service. So, let's start doing that. Thank you, Mauro. YouTube client. Have you ever seen a real YouTube channel filled with nothing but videos of about five seconds? Some of them are calibration or testing video channels, under the field by all dimensions tool, and a sample with right torso and favorable semicircle. This was the original inspiration for this talk. Why not rely on it, or on calibration-named test videos, for orchestrating our attack? Using YouTube's free API, we decided to create five videos named after the minimal set of commands: Execute start, Get key, Leak info,
Crypt, and Execute end. The content is nothing but the same frozen frame, with no other meaning. We only care for the title. Nothing else. No description, except for Get key, for a reason. The client will look at the videos, which will provide the orders, and the key. When the title matches a specific pattern, the video is read as a command. A new video can be uploaded easily via the YouTube API. This can be done minimal, affordable and for free. So let's see how things turn out here. And obviously, if you like this video, don't forget to like and subscribe to our channel. Give me a second. Okay. As you can see, we have here, this is another Docker container. It won't be long. This is our channel, which is crowded with subscribers and a lot of people who are interested in our things. That's why we have so many visits on our videos. And I apologize for the interface being in Spanish. So let's start. We will show that the root and desktop folders are empty. That's our channel ID, which is what we query via the API. We have the different videos that mean different orders. They are in reverse order here. We are going to send a client. It found the channel. It found the videos. It already has access to read the titles. That's all it needs. It doesn't need to watch the videos. It doesn't need to do anything else. It only asks for each one of these videos' titles, and the description only when it needs the SSH key, which is on the Get key video. That's right. There it is. It will take this description field and use it as a real encryption key. Now, let's see what these crooks are up to. They want, once again, Capybara coins. Okay. So that's it for the YouTube client. This is a summary of how it works. It's quite simple. Remember that all of these samples will be available on GitHub after the talk. So don't worry about it if you want to test them. The only thing is that you will have to issue your own API keys, but that's not a problem. It's pretty easy to do.
So now let's move on to another client, the Spotify client. I think almost all of us know Spotify. We have been using their platform's free API to craft a special playlist that you can see here. The official Capybara Gang playlist. The title of this playlist is quite fishy, quite suspicious, but this hasn't been banned so far, so we're going to leave it as is. It's composed of four different sections. The first one is the wake word, "hits". The second one is a dash-separated IP address for the C2 server. And the third and fourth are pieces of the encryption key. You might ask, why are you storing them there? Well, the description box contains the rest of the key, but it seems split due to the length limitations that the field has. So we have to resort to this creative way of doing things, which in turn seems to be a little bit messy, but it works. The playlist is made up of different songs, obviously, but the important thing about these songs is their title. Their titles each represent one of the commands to be executed. Here we have added a couple of new commands because this is a newer client that has been developed a little bit further. So "So Alive" from Love and Rockets is the sequence start. "Fix" from the Sisters of Mercy is the command to fix the key, to start exchanging the keys and to reassemble the key. "Bait & Switch" from KMFDM is leak information. "Thang" from Jogo Kano and the Sitbelts is start encryption, or start the attack. "Adios" from KMFDM is sequence end. Then we have added this as a special case: "I Started Something I Couldn't Finish" from The Smiths actually means that we have interrupted jobs. And "Asleep" from The Smiths, once again, is wait. These commands were briefly implemented having in mind special needs from other users. So this is how the playlist will look. Take a look at this. So "So Alive" will be reflected here as sequence start. "I Started Something I Couldn't Finish" will say, warning, some previous jobs were interrupted.
"Fix" will try to recover the key. "Thang" will start the encryption cycle. And "Adios", which means goodbye in Spanish, will be the sequence end. So let's move on to the demo in order to see this in action, because it may seem a little bit crazy now, but it's quite simple. Ah, before I forget. As with the YouTube client, these songs can be added and removed really easily using the platform's API. This keeps things minimal. It's really fast and free. So let's see now how things turn out, and if you like our musical taste, join the official Capybara Gang playlist. Okay. Again, we have the container. You know, the Docker container, which is going to be the eternal victim. We have this playlist with these eight songs. Let's see how they behave. It has already found our user and everything went really fast and smooth. We have found the tainted playlist. First, we started reading the commands, so we're live. The C2 is recovered from the playlist title. The key is recovered from the title too. There are some unfinished jobs here, some interrupted jobs. "Fix" has already recovered the key and it looks to be good. Remember that it's split in three parts. Now, okay, this is from the description field. Now, there's no information to leak. Remember, this is a dummy command. We started the encryption cycle, which will only leave this note. "Two Shadows" is another command that has been dropped, from Gene Loves Jezebel, which would try to delete shadow copies. "Asleep" will wait and "Adios" will send, obviously, a sequence end. Now, what happens if I delete "Two Shadows", "Asleep" and "I Started Something" from Morrissey? This is to show that this happens in real time. The client will read the commands in real time. As you can see now, there are no interrupted jobs. Nobody is waiting for anything. And also, we don't have the shadow delete command, the "Two Shadows" song. Now, oh no, we have this strange file here and somebody is asking for capybara coins. Oh man.
Okay, I think it's time to move on to another client. So, this is the final summary. As you can see, different songs mean different commands. So, it's worth giving it a try. Now, let's move to the next one. Wikipedia client. You can use Wikimedia's free API to query any article on Wikipedia or, being real here, any other Wikimedia instance. After you register your user, it is possible to edit its profile page and add almost anything that you can imagine. And once generated, this is a special entry which is considered to be an article and can be queried via the API. It will have the form of User: and your username. So, as we don't want to disturb a project like Wikipedia, we have only edited my own profile and we have only done one API query to read it once. So, there won't be a live demonstration of this client. Also, we discourage any user from using Wikipedia for testing. As you can see, that's my own page. You have sequence start, let me tell you a secret, what's up, do it, and sequence end. Then we have a special client which will connect to Wikipedia's API, will fetch a specific tainted user, which in this case is mine. It will try to recover the commands from the page and parse them. We have sequence start, we have received the key, there's some information to leak from our side, start an encryption cycle, and receive a sequence end. That's it. Again, this page has been reverted, as it's my own profile on Wikipedia. And we encourage you, if you want to test this, to raise your own Wikimedia server; it's quite easy to do it via Docker or via a virtual instance or whatever you want. But it's worth giving it a try on a private instance. So, the next one, here is when we start doing some wackier things. We said, why not try World of Warcraft or any other role-playing game? And we said, okay, why not give it a try?
We are using TrinityCore, which is an awesome project, a private World of Warcraft server emulator, which you can use to easily create your own C2 instance. Now you might say, wait, how are you going to use this game maliciously? And as you can see on the picture on the right, it's something that you can ask, but you know the answer, we have done it. After creating a character, the player can build custom macros and also run minified Lua scripts. But bear in mind that the bundled Lua version of World of Warcraft does not provide access to certain core functions, like operating system operations or networking operations. So you will be more or less caged inside the game. So this may be something that we can still use in our favor, as you can see now. These macros and scripts can do almost anything that you can do with your keyboard and mouse, almost. I can't say for sure if it can run everything, but so far it was able to do everything we needed. So we could easily automate the flow of our C2 routine in a very friendly and a very easy way. So we have created the Capybara macro that you can see on the right with that cute paw. But it will only click certain buttons. We can make it click on an action bar, an action button, but this is the question. What do we want to do with those buttons? So we started figuring out how we could start building short functions, because as you can see on the lower part of the screenshot to the right, we have used 126 characters out of 255, which is pretty short, pretty short to build something in a comfortable way. So we had to rely on a lot of creativity here in order to do minimalistic things, which would be tied together. So after a little research and a lot of tampering, we have been able to create our level 14 hacker, who is ready to claim back Warsong Gulch or take part in a raid. As you can see, this is the hacker's toolbar, the hacker's skills.
And now you might say, but how are you going to distribute these commands or these skills? Luckily, and this is some old information, but we discovered it just a few days ago, TrinityCore provides a way of logging all of our chat inside the server, all the chat that goes on the server during each server session. So using the chat function seemed like a nice idea and the right way to do things. Now we said, okay, we have the chats, we have them recorded on a file, but now we need to distribute them. We need to filter them. We don't want any player saying, okay, send this command there, send this command here. So we need to have a way to filter all of this and publish all of this. As you can see in this screenshot, we were able to pipe our chats to a file and we were tailing that file inside Unix. So far, so good, but this isn't going anywhere still. Yet, we are not going anywhere with this. So we have the chats, I was able to parse them, I was able to filter them only by Drake, my player, which is in no way a reference to Francis Drake the pirate. And we said, okay, now we have to pipe that very same file, that log file, somewhere. We have to publish them over the network. So the next point is to distribute the chat messages with Sinatra. That's it, eight lines of code, and we can do it in way less, I think, but we wanted to keep the code as friendly as possible. We are only going to read the last 10 entries from the chat log every time somebody requests that endpoint. I know this is not the best way to do things. We can also stream the file, but this will do for now. So now, let's start the demo and let's participate in a raid. This will be a little bit longer than the other videos. Give me a second. Oh, okay. Now, let me pause here. We are somewhere around Westfall here. We have three terminals here. We have the first one, which is the C2. I have made it a little bit smaller because this is a really crowded window.
We have the chat log monitor here, which will be tailing the chat log file, and obviously the eternal victim. This poor Docker container, which will receive again all the hits. We have our macros here and our action bar. Let's roll. Okay, we'll start by turning on the Capybara server. Okay, awaiting connections. Now we're going to tail the file constantly so everything will be streamed here. Okay, these are the dots that I sent to the file before. And the victim will wait for a couple of seconds now. This is the Capybara ransomware C2, which will click sequentially on all of these little macros or Lua scripts that are lying around here. We have the encrypt, get key, leak info, reroll key, reroll server if available, sequence end, sequence start and set key. So now, this will happen real quick. Take a look at the chat window. Once I click here, the window will be crowded automatically. Okay, now this is already piped there. The client will look only for things that Drake said. Now the client will connect to the server. The server will stream the file, or actually take a couple of lines. Boom, this already happened as we were talking. The Docker container connected. The host won't be enrolled. That's something that we have clarified before. This is just a dummy function. And your files are encrypted. The ransom note is once again present. I think we should consider a cyber insurance company right now. Okay, that's enough. And wait, I shouldn't go so fast. Yeah, that should do. So let's move on. The Steam client. This is by far the trickiest one. We weren't really able to do a lot of things with Steam's API, which turned out to be really restrictive. Almost to the point of thinking that we should leave that behind and use another thing. But luckily we found a workaround. We decided on using the player profile page as a starting point because the API wasn't leading us anywhere.
So once we jumped into using this profile page, we found that we don't have a lot of fields, a lot of space to store things like a key or a C2 address. So we started once again thinking of a possible workaround for this. And we found that the optional field "real name" could be handy in this case. As you can see here, this is quite a strange real name. I can tell you for sure that in Argentina we don't use such complicated names. So you are okay if you think that this is something fishy. As I say, pretty strange name, right? So the content of this field actually represents two different pastes on Pastebin. The first contains the C2 address and the second one contains the key. Now, by reading the player profile via the API, we have the information to start. But how do we issue commands? We are out of space. We don't have a lot of things to modify here. And using commands here would be something pretty hard to implement. So we decided to support two different modes on this client: games and friends. By using the games mode, the C2 administrator can map a list of games owned by that account, by the profile we are using. We can map those games to a list of C2 commands. Each game can represent a command and can be listed and delisted from the profile at will. But this is not an easy process, let me tell you. By using the friends mode, the C2 administrator can map the list of friends to a list of commands. Now each friend becomes a possible C2 command. Again, friends can be removed and added at will. But, again, we discourage the use of this one specifically, since both modes are not easily maintainable and, regarding bans, Steam seems pretty strict, at least with us. So creating multiple accounts or using this for experimenting can turn your account into something unusable, so take care of it. As you can see, we have here a list of my friends, which are not quite a lot actually. So I map each one of them. You can see this in line 41, which is commented.
Each one is mapped to a command. We start reading things and you can see that it says, okay, I found a paste, I'll include this one. I'm searching for the encryption key there and I found it. Now, I have found another paste. I'm searching for the C2 IP there. I found it, and then it's trying to start the routine. Let's see how the games mode works. Warhammer seems to be the sequence start, Lego is set key, Kingdom Rush is leak info, Dark Extension is encryption start, and another Warhammer is sequence end. This will be exactly the same behavior. It will start to look for the IP address and encryption key on Pastebin, but will use the games as a list of commands. Now, the problem is that certain games are paid, so it now supports free games too. But again, Steam's API is a little bit restrictive, so you have to explicitly ask for listing free games. So as you may see, this is the most wacky one so far. Let's see a demo about it. Give me a second once again. Okay, this is my profile, the pastes. As you can see, one contains the key, the other one contains the plain IP address, which are listed as my real name. Don't judge me by the games I play, please. Now we're going to start using the friends method. We'll start reading the commands. Again, this is the paste. This is the other paste. And it has already placed the ransom note. Let me check. Yeah, it did. Oh man, not these guys again. So this was the last client we had to show today. And sadly, it's time to go. We are really happy to be here today at the Adversary Village. And we have really enjoyed doing this talk, creating this talk and researching these crazy topics. And we really hope that you have enjoyed it too. So let's jump to the conclusions and the Q&A. Our conclusions are simple. These examples do not pose a real world danger, but they could easily be made to do so with a little bit of tweaking.
When talking about traffic, never assume: what might seem to be normal traffic to encyclopedias or streaming services could be hiding something else. Sometimes in plain sight, sometimes in a little bit more complex, more cryptic way, like the Spotify client I showed you. And if you want to build a nice hacking World of Warcraft character, use Rogue plus Engineering, which are pretty nice choices. If you are brave enough, anything can be a C2. Don't be afraid to reach out on Twitter or on GitHub. We are always working on crazy things, mostly on hardware hacking projects, but sometimes we jump to software like we did today. So get in touch. Don't be afraid to approach. We are going to publish this on GitHub. So feel free to clone. The only thing you need to do yourself is to get your API keys, because we are obviously not going to upload ours. So we really hope you enjoyed this and we want to thank all the Adversary Village team for inviting us today. If you have any questions, we are happy to discuss them at the Discord server. Thank you.
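The talk's closing point is that polling of YouTube, Spotify, Wikipedia or Steam APIs can carry orders, so a defender cannot trust the destination alone. One signal the speakers' own clients leave behind is the polling rhythm: every one of them asks the same API endpoint over and over, from a script rather than a browser. The Ruby script below is an added example written for this page from the defender's side; it is not code from the talk or from the DC5411 GitHub samples. It parses a few constructed proxy log lines (the format, hosts and addresses are assumptions made up for the example), groups requests per client and destination, and flags a pair whose request intervals are near-constant, reporting whether the user agent looked like a browser.

```ruby
require 'time'

# Constructed sample proxy log, not real data. Format assumed for this example:
#   <ISO-8601 time> <client ip> "<user agent>" <destination host> <path>
SAMPLE_LOG = <<~LOG
  2023-08-12T10:00:00Z 10.0.0.5 "Mozilla/5.0 Firefox/115" www.googleapis.com /youtube/v3/search
  2023-08-12T10:00:00Z 10.0.0.9 "Ruby" www.googleapis.com /youtube/v3/search
  2023-08-12T10:00:30Z 10.0.0.9 "Ruby" www.googleapis.com /youtube/v3/search
  2023-08-12T10:01:00Z 10.0.0.9 "Ruby" www.googleapis.com /youtube/v3/search
  2023-08-12T10:01:30Z 10.0.0.9 "Ruby" www.googleapis.com /youtube/v3/search
  2023-08-12T10:02:00Z 10.0.0.9 "Ruby" www.googleapis.com /youtube/v3/search
  2023-08-12T10:07:13Z 10.0.0.5 "Mozilla/5.0 Firefox/115" api.spotify.com /v1/playlists/abc
  2023-08-12T10:22:41Z 10.0.0.5 "Mozilla/5.0 Firefox/115" api.spotify.com /v1/playlists/abc
LOG

LINE_RE = /\A(\S+) (\S+) "([^"]*)" (\S+) (\S+)\z/

# Turn the log text into an array of hashes; malformed lines are skipped.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip) or next
    { time: Time.iso8601(m[1]), client: m[2], user_agent: m[3], host: m[4], path: m[5] }
  end
end

# Seconds between consecutive requests, in time order.
def intervals(times)
  times.sort.each_cons(2).map { |a, b| b - a }
end

# A series is "periodic" when it has enough requests and the spread of the
# gaps (standard deviation divided by mean) stays below max_cv. Human
# browsing produces irregular gaps; a polling loop produces nearly equal ones.
def periodic?(times, min_requests: 4, max_cv: 0.2)
  return false if times.size < min_requests
  gaps = intervals(times)
  mean = gaps.sum / gaps.size
  return false if mean <= 0
  variance = gaps.sum { |g| (g - mean)**2 } / gaps.size
  Math.sqrt(variance) / mean <= max_cv
end

# Group requests per (client, destination host) and report the periodic ones.
# browser_like is a second signal: the clients in the talk are plain scripts,
# so a non-browser user agent hitting a consumer API on a timer stands out.
def find_beacons(entries, **opts)
  entries.group_by { |e| [e[:client], e[:host]] }.filter_map do |(client, host), reqs|
    times = reqs.map { |r| r[:time] }
    next unless periodic?(times, **opts)
    gaps = intervals(times)
    {
      client: client,
      host: host,
      count: reqs.size,
      mean_interval: gaps.sum / gaps.size,
      browser_like: reqs.all? { |r| r[:user_agent].start_with?('Mozilla/') }
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_beacons(parse_log(SAMPLE_LOG)).each do |hit|
    puts "#{hit[:client]} -> #{hit[:host]}: #{hit[:count]} requests every " \
         "#{hit[:mean_interval].round(1)}s, browser-like UA: #{hit[:browser_like]}"
  end
end
```

On the sample data only the scripted client (10.0.0.9) polling the YouTube API every 30 seconds is reported; the browser's two Spotify requests are too few and too irregular. The thresholds (four requests, coefficient of variation 0.2) are starting points to tune against your own baseline, and a real deployment would bucket by path as well, since a single host such as www.googleapis.com serves many unrelated APIs.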