Hello, first of all, this is a lot of people, so the whiskey was needed. Thank you. The Art of Compromising C2 Servers: A Web Application Vulnerability Perspective, although, as we might delay it there, there is a better title for this talk. First of all, this talk and this research is dedicated to a close friend and a father figure for me that passed away three years ago. My friend Leonidas, who was one of the very few people, together with my wife, that encouraged me and helped me to switch from being a developer to becoming whatever the hell I am right now. So, thanks for that.

I'm with a trust and safety startup named Tremau, and an independent security researcher. My research interests are mainly APIs for IoT devices and web application security, and I had the great idea that in my forties I should also pursue a PhD on offensive web application security. You can follow me on Twitter, or X, or whatever the hell it's called right now, at @evstykas, and this is my personal website where I usually post my latest research. The past year or so I have been working on an AI LLM that will generate some content-aware AI attacks. It will target logic flaws in the typical developer-cut corners that we see throughout the years, and it was used in this talk; as you will see, it was not that necessary though.

So, the question is: why go after C2s and why go after malware? Around a year ago, I was scrolling on Twitter when I saw Tatyana Shishkova's tweet about Harly, an Android malware that we're going to see really deeply later in this talk, and I was introduced to malware as a service and the wonderful threat intel scene that tries to take them down. The malware market is booming.
Malware vendors, as with anything in late capitalism this year, have switched to an as-a-service model, so it means that most of them need a monthly subscription, which varies from 100 to a couple of thousand per month, and some old ones still have a one-off fee. On the malware development market, there is a pyramid. On the very top, there are the developers. These are the people who develop malware and its functionality, their C2, and they can either be lone wolves or some smaller companies that have gone bad. Vendors are in the middle of the pyramid. They are the ones who take most of the profits and don't advertise their goods on dark marketplaces aggressively and reach out to new customers so that they can purchase their malware. And buyers are the final cut. They are the ones who try to install the malware on the victims so that they can make profits off them.

The malware market is booming. Right now, it's not ransomware size, but it's close to $2.2 billion in profits. As you are going to see, all the malware have strict restrictions to never run in the Commonwealth of Independent States. For whoever doesn't know what it is, this is Russia. Vendors are part of criminal rings that enjoy immunity, and that gets me to the actual title of my talk, which is "Will I Get Vanned Today?"

A little intro on malware: it can run on Android, Windows and Mac. It can be delivered via a variety of methods. It tries to achieve persistence through a number of ways. It's usually heavily obfuscated and difficult to reverse, and it connects to a C2 server for further instructions periodically. This is the part that we are going to take a deeper look into. Some malware lingo that will be used in this talk. First of all, stealer: an application that will try to steal all information and send it to the command and control server. A dropper is the typical basic program that is used to drop other malware onto the victims.
A subscriber is an app that subscribes the victim's phone to a number of premium services, and if you don't know what a botnet is, you're probably at the wrong conference or looking at the wrong video.

The typical malware analysis, what the smart reverser is doing, is highly technical. Usually they do static analysis, they are doing dynamic analysis in sandboxes. They are reversing and jumping through a lot of hoops. The focus on reversing raises the bar by a lot. If you are here for reversing tips, I just have one slide, it's this slide. I don't really understand all of those things. The potential obstacles that the people who reverse, and are really smart, have to surpass are anti-debugging techniques, obfuscation techniques, runtime function decryption, staged downloads and a plethora of stuff that I don't really understand and I don't want to understand.

So that's why I will introduce you to the Toyota Corolla of penetration testing, which is called web application testing. It's neither sexy nor nice, but it will take you from place A to place B, and it will probably also get you a couple of million bots in the process. So, malware command and control analysis. It's definitely not that technical. I'm going to treat the C2 as a black box web application test. If black box fails, I'm gonna cheat and use some of the communication from the sandbox that was running the malware. If all else fails, I will run it on my victim devices and just proxy through Burp. And last, I will apply some art to it. And this is all the art that is needed to really own most of the C2s. It's just the typical dirsearch. Yeah, I'm old. I'm not using ffuf. I'm not using DirBuster. And that's the typical dirsearch with the typical vocabulary. There are a couple of downfalls for the C2 analysis.
The most difficult part is that it is highly opportunistic, because they have a really short life, which means that you have only up to a couple of days to attack and find any vulnerabilities. So it needs to be automated and integrated with threat intel tools to maximize the small window that I have. And you also have to be aware that if you're using VPSs, the bad people will also blacklist your IP addresses, so you have to keep changing VPSs.

The threat intel that I was using is mostly Twitter threat intel. Unfortunately, this is no longer working due to Musk wanting money from everyone. I'm also using Tria.ge, ThreatFox and the other abuse.ch trackers, and a really nice GitHub repo from a Twitter user called G7worm. The finished product was a Python script in a loop that updated the database of all targets. It scanned all targets for potential issues, or, if it knew that there was an issue, it immediately exploited it for a known vulnerability. As I said, it's a really small time window, and if a new panel appeared, it would send a push notification to my phone. Spoiler alert: don't do that if you're married, or put limitations on your push notifications in the evening.

The tools that I used: as I said, my trustworthy dirsearch, Burp Suite, the JADX decompiler so that I could try to decompile some Android stuff (I'm not that good, as I said, I'm a simpleton), APA, apklab.io and any.run as the sandboxes. Several droplets in different geolocations so that I can avoid blacklisting, and also so that I can find more of the panels. And if all else fails, my cancerous Android phone that at some point was running 10 different malware.

Going up to the methodology, it's as simple as it seems. I acquire the C2 URL and run automated tools. If the automated tools don't find anything, I run it in a sandbox and review the communication logs. I rerun the automated tools with the added knowledge. And if that also doesn't find anything, I fire up Burp and treat it as a penetration test.
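The methodology above is dirsearch with a standard wordlist in a loop, and that traffic has a recognisable shape from the server side. The following is an added example, not the speaker's tooling and not code from the talk: it parses Common Log Format access-log lines and flags two things, a client producing many distinct 404 paths inside a short window (wordlist enumeration) and any 2xx answer for a path that should never be served (.env, .git, Spring actuators, Jolokia, readme.md, stray archives). The sensitive-path list is an assumed starting point and the lines in SAMPLE_LOG are constructed.

```python
"""Detect wordlist-style path enumeration and sensitive-path exposure in web
access logs. Added example; SAMPLE_LOG is constructed, SENSITIVE is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Paths of the kind the talk finds exposed; must never be reachable on a web root.
SENSITIVE = [re.compile(p) for p in (
    r"^/\.env$", r"^/\.git(/|$)", r"^/actuator(/|$)", r"^/jolokia(/|$)",
    r"^/readme\.md$", r"\.(zip|sql|bak|tar\.gz)$",
)]


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path").split("?", 1)[0].lower(),
        "status": int(m.group("status")),
    }


def analyze(lines, window=timedelta(seconds=60), threshold=20):
    """Return (exposures, scanners).

    exposures: (ip, path, status) for sensitive paths answered with 2xx,
               i.e. a real leak rather than a probe that missed.
    scanners:  client IPs with at least `threshold` distinct 404 paths inside
               one sliding `window`, the shape of wordlist enumeration.
    """
    exposures = []
    misses = defaultdict(list)  # ip -> [(ts, path)]
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        if 200 <= r["status"] < 300 and any(p.search(r["path"]) for p in SENSITIVE):
            exposures.append((r["ip"], r["path"], r["status"]))
        elif r["status"] == 404:
            misses[r["ip"]].append((r["ts"], r["path"]))

    scanners = set()
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= threshold:
                scanners.add(ip)
                break
    return exposures, scanners


def _build_sample_log():
    """Constructed sample: one client enumerating paths, then fetching /.env."""
    probe = '203.0.113.7 - - [02/Aug/2023:10:00:{:02d} +0000] "GET {} HTTP/1.1" {} 0'
    lines = [probe.format(i, "/admin{}/".format(i), 404) for i in range(25)]
    lines.append(probe.format(30, "/.env", 200))
    lines.append('198.51.100.4 - - [02/Aug/2023:10:00:31 +0000] "GET /index.php HTTP/1.1" 200 512')
    lines.append('198.51.100.4 - - [02/Aug/2023:10:00:32 +0000] "GET /favicon.ico HTTP/1.1" 404 0')
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    exposures, scanners = analyze(SAMPLE_LOG)
    for ip, path, status in exposures:
        print("EXPOSED  {:<15} {} ({})".format(ip, path, status))
    for ip in sorted(scanners):
        print("SCANNER  {}".format(ip))
```

The two signals are deliberately separate: a scanner that only gets 404s is noise you may rate-limit, while a single 2xx on a sensitive path is the finding that needs a fix regardless of who requested it.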
And last but not least, obviously not profit, but submit a DEF CON talk so that I can talk in front of you. What are the goals of my research? First, get admin access to the panel, which means I want to be the admin in the panel. Get remote command execution on the server, acquire the source code of the panel and potentially the malware. And the main thing: don't end up in the black van. How did it go? Seven panels I got admin access to. I got three remote command executions on servers. I acquired the source code of five different panels, and I still haven't ended up in the black van.

I added the slide for the not-so-honorable mention. First of all, it's Cloudflare. They never took down anything. They just enable bad people to do bad things, and they never respect researchers, at least to my knowledge. Second is Hetzner, which never took down anyone. They took down my VPSs because they thought that I was doing something malicious. And all the bulletproof hosting providers, for obvious reasons.

So enough with the fluffy words. Anything from here on is a zero day or a taken-down botnet. So let's go. First, it's the Harly malware, as we saw on Tatyana's tweet. It was found by Kaspersky. The first report was on the 22nd of September 2022, which means they have a birthday coming up. They are extensively researched by Tatyana Shishkova. I'm also going to introduce you to my meter. On the very left, it's green, so I'm secure. On the very right, it's vanned, so I'm not really that secure. For Harly, I think I'm not so okay, but I can live with that. So Harly is a Trojan subscriber to paid services. 200 apps were found in 2022 and 2023. The realistic estimation is that over a thousand apps to this day have been developed, and they're affecting 12 million users. They are based on an encrypted SDK in Go and Rust. I'm going to spoil it for you: in a couple of slides, this is not going to be so encrypted. So Harly had an administration interface which was based on a Spring application.
I hope we don't have any Java developers in here. If we do, I'm feeling sorry for you. I just checked the JavaScript and saw that there was no actual back-end verification. There was only front-end verification on the login. And once the response code was 200, it was doing a setItem on sessionStorage with the username. So all I had to do was a sessionStorage.setItem for an admin. And I saw the admin interface, which, first of all, I hope the dog is a default one and not someone's dog. But this means that, I don't know, first of all, I'm the admin, first goal met. But as I said, we have other goals too.

I don't know if anyone has worked with actuators, but dirsearch found actuators. If you have worked with actuators, you're going to know that they're leaky bastards. I wanted to introduce you to Jolokia. Jolokia is the playground for remote command execution. Unfortunately, the people who were behind this didn't pay for Jolokia, so all the commercial features were not enabled, which meant I had to find another way to remote command execution. I found a way to dump the diagnostics, the virtual machine system properties, which you see as a wall of text in here. Let me get it a little bit formatted. You can see that I acquired the secret access key and the access key for AWS and for Alibaba Cloud. Unfortunately, this was not a root access key, but it was an access key that was giving me access to S3 buckets. And as you can see here, this was a legitimate web application company that was doing web applications. You can see the bucket that is really interesting in there. It's called Jenkins, and it has a master key and credentials in there. So I just went to GitHub, found a Jenkins credential decryptor, I decrypted all the credentials, and then I used them on that company's server that we're going to meet in a little bit. And yeah, all the repos of the company were dumped. All the malicious app code was dumped, all the command and control server code was dumped.
It will be served at the end of this talk. I want to talk about the company behind it. It's called Star Pavilion. They are based in China. And their main product is a payment gateway, which is also providing paid SMS services, like the one that Harly is using.

Second is Clipper, not-so-private messaging. I'm going to say that this is one of the benign, probably the most benign, of the applications in this talk. So I'm safe. They were reviewed by ESET. They were reversed by the legend that is Lukas Stefanko and Peter Strýček. They are delivered as a trojanized WhatsApp and Telegram messenger. And their sole purpose is to switch wallet addresses from the one that the victim is having to the one that the attacker is controlling. Again, dirsearch. You can see that it found a lot of files. I don't know if anyone has worked with Laravel. I had the privilege of being a Laravel developer for enough years, so I know a Laravel when I see it. It's Laravel-based. The environment files are juicy files, and they are using these files on every installation. Which means that, as you can see in here, I had the app key. The app key encrypts cookies, which means that I can rebuild the cookie and log in as any user. And by any user, I mean admin. I'm the admin, goal one. It also found the readme.md. As you can see, in readme.md there is an "integrate with your tools" and the GitLab repository in there. I checked five minutes ago. This user is still online. You can go there and check his repositories. That repository for this C2 is unfortunately now deleted. Everything is public. But I have it, and it's going to be released in a bit. Those are all the people that have interacted with any of the repositories. I dumped all the malware-related repositories. Unfortunately, the Android application was already compiled. It's going to be served on my GitHub. I'm not going to pursue any information for them, as we have bigger fish to fry.

OK. Let's go on to the big guns. This is Amadey.
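Both the Harly and the Clipper findings come from files that were simply left inside the served tree: an exposed .env carrying the Laravel APP_KEY, a readme.md pointing at the source repository, stray archives, and actuator-style diagnostics leaking cloud keys. The following is an added example, not the panels' code and not the speaker's tooling: a pre-deployment sweep that walks a directory about to become a web root and reports files that should never be there, plus well-known secret formats inside text files. The forbidden-name list and the secret patterns are assumptions chosen for illustration; build_sample_root() creates a constructed tree with a dummy key and the AWS documentation example access key id.

```python
"""Pre-deployment sweep of a web root for files and secrets that must not be
served. Added example; names, patterns and the sample tree are assumed.
"""
import os
import re
import tempfile

FORBIDDEN_NAMES = {".env", ".git", "readme.md", "files.zip"}
FORBIDDEN_EXT = {".zip", ".sql", ".bak", ".tar", ".gz"}

SECRET_PATTERNS = {
    "laravel_app_key": re.compile(r"APP_KEY=base64:[A-Za-z0-9+/=]{40,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*=\s*\S{40}"),
}


def scan_webroot(root):
    """Return sorted (kind, relative_path) findings for the tree under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d.lower() in FORBIDDEN_NAMES:
                findings.append(("forbidden_dir", os.path.relpath(os.path.join(dirpath, d), root)))
                dirnames.remove(d)  # do not descend; the directory itself is the finding
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            lower = f.lower()
            if lower in FORBIDDEN_NAMES or os.path.splitext(lower)[1] in FORBIDDEN_EXT:
                findings.append(("forbidden_file", rel))
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(200_000)  # cap: plenty for config files
            except OSError:
                continue
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(text):
                    findings.append(("secret:" + name, rel))
    return sorted(findings)


def build_sample_root():
    """Constructed tree mirroring the talk's findings; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("APP_KEY=base64:" + "A" * 43 + "=\n")          # dummy key, not a real one
        fh.write("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")     # AWS documentation example id
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("# panel\nIntegrate with your tools: <repo url>\n")
    with open(os.path.join(root, "files.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04 placeholder")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok';\n")
    return root


if __name__ == "__main__":
    for kind, rel in scan_webroot(build_sample_root()):
        print("{:<28} {}".format(kind, rel))
```

Running this in CI before the tree is shipped is the cheap version of the defence: nothing in the talk needed more than a GET to a file that should have lived outside the document root.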
If anyone knows what malware is, they know what Amadey is. They are typically 15% of all the malware C2s in 2023. They surfaced in October of 2018. It's a typical stealer. They are sold on Russian forums for between $400 and $800. They are usually used as a dropper for other malware. Its source was leaked five years ago and today. And they have known connections to LockBit, TA505, TA546, TA511. And I'm not exaggerating. I have just named four different APTs. So we are well within the vanned region, I hope you understand.

What did I find? My trusty dirsearch found a stray files.zip, which was unfortunately password protected. It was cracked in less than a day by my good friend that is sitting there, Felipa Solferini. So I was able to find the cracking password. And unfortunately, I saw that they have a static login and password. So I started doing the code. I found a lot of SQL injections. And I mean a lot. But unfortunately, as you can see, the login is checking on your configuration, and it's not vulnerable to SQL injections. But then again, you can see that there is a really nice function which is called parse_credentials. And it does file_put_contents on a user-controlled filename and user-controlled content. Which I had to check. There were some limitations. The filename needed to be exactly 12 characters, including the extension. And there was a delimiter that I couldn't have guessed. But I have the source, so I didn't need to guess. I then tried this really nifty Postman with the really interesting idea of 12345678.php, exactly 12 characters, and this really nice command, which is echoing "world". And then I went to credentials slash one, two, whatever .php. And I saw this nice "world". So server, somebody's fact, that's not me. What did I do from there on? I developed a reversal. I found an automated way of extracting everything in less than 30 seconds, from the report of all the edelgens to fully owning the website.
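The parse_credentials bug above is a request-controlled file name reaching a file write, with a 12-character length rule as the only check. The following is an added example, not the panel's PHP and not the speaker's code: it re-creates the pattern in Python next to a hardened version that allowlists the name, forces a non-executable extension and confines the path to a storage directory that is never served. The delimiter, the directory layout and the request bodies are assumptions.

```python
"""A write to a client-chosen file name: the flaw and its hardened form.
Added example re-creating the described pattern; delimiter and layout assumed.
"""
import os
import re
import tempfile

DELIMITER = "|"  # assumed separator between the name and the content fields


def parse_credentials_vulnerable(base_dir, body):
    """Mirrors the flaw: whatever name the client sends becomes the file name."""
    name, content = body.split(DELIMITER, 1)
    if len(name) != 12:                     # the only constraint the talk mentions
        return None
    path = os.path.join(base_dir, name)     # '12345678.php' lands in the served tree
    with open(path, "w") as fh:
        fh.write(content)                   # client-chosen content, unmodified
    return path


SAFE_NAME = re.compile(r"[a-z0-9]{1,8}")    # allowlist for the file stem (assumed policy)


def parse_credentials_hardened(base_dir, body):
    """Allowlisted stem, fixed .txt extension, path confined to base_dir."""
    name, content = body.split(DELIMITER, 1)
    stem = name.lower()
    if not SAFE_NAME.fullmatch(stem):
        raise ValueError("rejected name: {!r}".format(name))
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, stem + ".txt"))
    if os.path.commonpath([base, path]) != base:   # defence in depth against traversal
        raise ValueError("path escapes storage directory")
    with open(path, "w") as fh:
        fh.write(content)
    return path


def demo():
    """Run both versions on the same bodies; returns what each produced."""
    web_root = tempfile.mkdtemp(prefix="webroot-")
    storage = tempfile.mkdtemp(prefix="creds-")   # outside any served directory
    hostile = "12345678.php" + DELIMITER + "world"          # constructed request body
    benign = "bot42" + DELIMITER + "user=alice;pass=REDACTED"  # constructed request body

    written = parse_credentials_vulnerable(web_root, hostile)
    try:
        parse_credentials_hardened(storage, hostile)
        rejected = False
    except ValueError:
        rejected = True
    safe_path = parse_credentials_hardened(storage, benign)
    return {
        "vulnerable_wrote_php": written is not None and written.endswith(".php"),
        "hardened_rejected_hostile": rejected,
        "hardened_file": os.path.basename(safe_path),
        "hardened_in_storage": os.path.dirname(safe_path) == os.path.realpath(storage),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("{:<28} {}".format(key, value))
```

The length check in the original buys nothing: a 12-character name with a .php extension still satisfies it. The fix is to never let the client choose the extension or the directory, and to keep the files where the web server will not execute them.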
I added this really sneaky cron job to corrupt a percentage of the files so that the people wouldn't know. Unfortunately, as of late June 2023, this is fixed. We're going to find something afterwards. From December of 2022, more than 1,000 instances were found and exploited. More than 7 million devices were compromised and reported. This is really not that nice a graph, but you can see per month how many instances I got access to and how many victims I got access to.

And we are getting to the really huge guns in here. SmokeLoader is 20% to 22% of all the C2s that are being run this year. The first record was in 2014. They mainly target Windows. They use it as a generic dropper for other malware. The price for the full package is more or less $1,500. I have no connections to LockBit, TA505, TA406, TA, I don't know, whatever. All the APTs have worked at some point with SmokeLoader. So, yeah, I'm not feeling that good. But, dirsearch to the rescue again: I found a stray zip with credentials. The really sad part is that the admin username is "millionaire". And knowing how many bots he has, he probably is a millionaire by exploiting those. Sorry about that. But after using the credentials, again, like, it sounds really boring, but that's it. Really a scary picture, if you ask me. This is 25,000 pictures, 25,000 pages of 20 PCs with all the information that you could have. You can see that they have admin access on most of those PCs. This is one of the C2s. You can see "all bots" in there. That's half a million. The online is 250,000. And you can send whatever you want and run whatever you want as an admin. There is also the "delete bots" and the "cancel bots deletion" in there. I did not press it. I'm going to explain later why. I unfortunately did not manage to get RCE. The source code is available, minus the credentials, of course, as most of them are still active. All the said malware will be downloadable from Git. What could I do with the knowledge I had in there?
I knew the default zip name of the source code. So when I upped my loop to run every minute, I could find new references in threat intel. That means that one out of five of the new C2s was vulnerable once I was quick enough. I was able to pwn 60 different instances. Two of them had over half a million bots. A realistic estimation is that over 10 million unique devices were compromised. This is still open. The vulnerability is still a zero day. And you can see a nice graphic of how the victims went from February till now.

This is why the next one is why DEF CON hates me. It wasn't supposed to be in here because it was reported in late July, but I convinced DEF CON to accept it. It was revealed. It's named Manipulated Caiman. It's revealed and heavily reversed and researched by Perception Point, which are those three nice people on Twitter, 0xToxin and two people that I cannot pronounce, sorry. It targets mostly Mexican victims. It's active for at least two years, and the potential revenue is over $55 million. I don't know, I'm not really scared of them. After SmokeLoader, everything seems easy to me. The thing that Perception Point already found was that they have a Zanko API that was open, so we could dump all the info from all the victims. That's how the $55 million were calculated. But I was mostly interested in a spamming interface that was found there, which is called C6. And this is what you see exactly, which means they have no authentication. So I don't know, I didn't really need to have an admin. Everybody's an admin just by browsing there. But we also have other goals. Well, the other goal was rather easy. They have Git already in there. dirsearch found it. I was able to download all the files. This is where it was, the core on Bitbucket. Unfortunately, it was not public, but I was able to replicate the Git from the files that were in the Git repository on the server.
And I also found out that it was running a really huge, mostly Mexican-targeted spam list. This is already shared with Troy Hunt on Have I Been Pwned. And as you can see, it's a tad less than 34 million email addresses. Due to time limitations, I was not able to get remote command execution. The source code will be available, minus the list, obviously, because I don't want to enable any spammers.

Next is Nexus Panel. Their first appearance was in 2022. They act as an Android stealer. They have a really sophisticated way of bypassing MFA. They target a lot of banking applications. They're mostly active in Turkey. And they're inactive for the past two and a half months. So I'd say I'm safe, but you never know. Easy. They have an SQL injection on how they submitted the files. So it means I'm the admin. They have a really sophisticated panel. You could see all the info of all the users. The SQL injection could dump the full database. They had clear text passwords. Unfortunately, as I said, while I was researching, they went off. So I wasn't able to get any code or RCE. And unfortunately, there are no panels available. So I have to say that I didn't manage all the goals, unfortunately.

And then it's the one that got away, Aurora. I had a really big speech on what Aurora was and what it was supposed to be doing. But the day before yesterday, Titán Stealer, which is basically Aurora 2, got its code dumped. So good for them, I guess. Their first appearance is early 2022. They are a Windows stealer. They are written in Golang. They are capable of stealing a lot of crypto wallets. And the panel was written in Golang. They are off, so I'm great, and I'm not afraid of them. The story is that dirsearch found a stray image loading advertisements. I followed the lead. I found the base building server handling Go builds and licensing. You could add a user. You could create stealers. You could do whatever you want because they had no authentication at all.
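The Nexus finding above is a textbook injection in the file-submission lookup that was enough to dump the whole database, clear-text passwords included. The following is an added example, not Nexus code and not the speaker's: a constructed in-memory SQLite table of bot records queried by string concatenation, next to the parameterized form of the same query. Table, column and row values are made up.

```python
"""SQL injection in a panel lookup: concatenated query next to the bound one.
Added example; the table and rows are constructed.
"""
import sqlite3

SAMPLE_ROWS = [            # constructed sample data, stored clear-text as the talk describes
    ("dev-a1", "hunter2"),
    ("dev-b2", "letmein"),
    ("dev-c3", "qwerty"),
]


def make_db():
    """Fresh in-memory database with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bots (id INTEGER PRIMARY KEY, device TEXT, password TEXT)")
    db.executemany("INSERT INTO bots (device, password) VALUES (?, ?)", SAMPLE_ROWS)
    return db


def lookup_vulnerable(db, device):
    """The submitted device id is spliced into the SQL text itself."""
    sql = "SELECT device, password FROM bots WHERE device = '" + device + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, device):
    """Same query with a bound parameter: the input is data, never SQL."""
    return db.execute(
        "SELECT device, password FROM bots WHERE device = ?", (device,)
    ).fetchall()


def compare(device):
    """Row counts (vulnerable, parameterized) for the same submitted value."""
    db = make_db()
    return len(lookup_vulnerable(db, device)), len(lookup_parameterized(db, device))


if __name__ == "__main__":
    print("legitimate id :", compare("dev-a1"))
    print("tautology     :", compare("' OR '1'='1"))
```

The parameterized version returns nothing for the tautology because SQLite compares the literal string against the device column instead of evaluating it. Binding parameters fixes the dump; storing password hashes instead of clear text would have limited what a dump was worth.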
The only thing that you needed to find was the actual URL and port that it was running on. And then this happened: Aurora and their admins went silent. They deleted everything. So again, I wasn't able to finish what I wanted to.

And there come the ethical slash legal dilemmas. I vastly dislike the term "ethical hacker". I'm an ethical person, but that has nothing to do with hacking. I deliberately, in this research, didn't touch any machine that was not owned by criminals. And that's the line that I wasn't happy to go over. So all my research took down only people who were criminals. Criminals will get better. The C2s will get some focus too. I hope some of you here can see how easy it is to own command and control servers. It has nothing to do with the really, really difficult part that is reversing applications. The bar will be raised. And I'm expecting all the zero days that are reported today to be fixed in the next week or so. And this could interfere with active police investigations. But all of them were reported six months ago, so I cannot really do anything else.

What are the next steps for me? I will continue monitoring for new panels. I will try to find more zero days on all the panels. I will try to collaborate with a lot of researchers to identify and take down criminals. And my main goal is to continue my 40-year "don't get vanned" streak. I was really not expecting so much traffic at DEF CON. So the GitHub is live. My blog post is going to be live later this week, when I'm hopefully back in Greece and have some time to finish it up. So I will keep you posted. But you can go to github.com.slastics.devcon31 and acquire all the C2 and the malware source code that is available right now. Thank you for attending the talk. I think we have time for questions, if anyone feels like it.

None. I have reported to Europol, but they didn't even answer. I also have to say that I reported to the company that was doing Harly; they didn't answer either.
Any other questions? Thanks, guys.