1. Intro
2. The plan
3. How it all started
4. Why another trojan?
   - Keylogging? Maybe too loud
   - Decrypting? Maybe not in reasonable time with current TLS
   - Certificate pre-installation? Could facilitate MITM, but what about NAT?
5. "Client hello" field
6. PRNG to mark it
7. Chrome and Firefox: to patch the browsers' PRNG functions and TLS handshake in memory, the developers had to analyze Firefox sources and Chrome binaries
8. Silently marked
9. Why on the fly? Once our telemetry showed new URLs, installers were at that time available on the warez web-site
10. Infection chain
11. C2 communications: HTTP statuses 422-429 (IETF RFC 7231, 6585, 4918) are the async commands from C2
12. Encryption
13. Some math inside
14. To do or to use? Don't reinvent the wheel, just realign it.
15. If you decide to do it yourself: in config: version, target ID, URL. Almost certainly constructed with a builder
16. Second way pros: knowledge separation
17. First way pros: speed for the first sample
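Items 5 and 6 of the outline ("Client hello" field, PRNG to mark it) describe patching the browser's PRNG so that the random field of the TLS ClientHello carries a marker that identifies the victim even after NAT. The page does not give the marker's encoding, so the following example, added here and not code from the talk or from the malware, only does the hunter's first step: parse a TLS ClientHello record, pull out the 32-byte client random and the session ID so they can be compared across flows, and flag randoms that repeat across handshakes, which an unpatched PRNG should essentially never produce. The `build_client_hello` helper and the record bytes are constructed for the demonstration and are not a real capture.

```python
import struct
from collections import Counter

# Constructed sample: build a minimal TLS 1.2 ClientHello record (record layer +
# handshake header + body). Not a real capture; only used to feed the parser below.
def build_client_hello(client_random: bytes, session_id: bytes = b"") -> bytes:
    assert len(client_random) == 32, "TLS client random is exactly 32 bytes"
    cipher_suites = b"\xc0\x2f\xc0\x30\x00\x9c"      # three suites, constructed
    compression = b"\x00"                            # null compression only
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + client_random                              # the field the talk says is marked
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + b"\x00\x00"                                # extensions length: 0
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_client_hello_fields(record: bytes) -> dict:
    """Parse a TLS handshake record and return the ClientHello's random and session ID."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello body")
    version = body[0:2]
    client_random = body[2:34]          # 32 bytes; in TLS 1.2 the first 4 were gmt_unix_time
    sid_len = body[34]
    session_id = body[35:35 + sid_len]
    return {
        "version": version.hex(),
        "gmt_unix_time": struct.unpack("!I", client_random[:4])[0],
        "client_random": client_random.hex(),
        "session_id": session_id.hex(),
    }


def find_repeated_randoms(records) -> dict:
    """Map client_random -> count for randoms seen in more than one handshake.
    A healthy PRNG should not repeat a 32-byte random; repeats are worth a look."""
    counts = Counter(extract_client_hello_fields(r)["client_random"] for r in records)
    return {rnd: n for rnd, n in counts.items() if n > 1}


if __name__ == "__main__":
    # Constructed inputs: two handshakes reuse the same random, one does not.
    r1, r2 = bytes(range(32)), bytes(range(32, 64))
    recs = [build_client_hello(r1, b"\xaa\xbb"), build_client_hello(r2), build_client_hello(r1)]
    print(extract_client_hello_fields(recs[0]))
    print("repeated randoms:", find_repeated_randoms(recs))
```

On real traffic the records would come from a pcap (e.g. the first TLS record of each client-to-server stream); the parser above takes the raw record bytes and does nothing beyond the fixed-layout part of the ClientHello.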
Description:
Explore advanced malware techniques and innovative command and control methods in this Hack In The Box Security Conference talk. Delve into the analysis of COMPFun malware, examining its evolution from 2014 to 2019. Learn about the malware's ability to compromise TLS-encrypted communications in HTTPS, its use of rare HTTP statuses as commands, and its sophisticated injection methods. Discover how the malware manipulates system PRNG functions to mark and distinguish target traffic, even after NAT routing. Investigate the malware's spreading capabilities through USB devices and its potential for air-gap breaches. Gain insights into the creative and persistent nature of COMPFun developers, and understand the challenges faced by security researchers in analyzing such advanced threats.
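The description and outline item 11 say the C2 answers with the rare HTTP statuses 422-429 (RFC 7231, 6585, 4918) and that the implant treats them as asynchronous commands. Which status maps to which command is not on this page, so the following example, added here and not code from the talk, only does the triage a defender can do from that fact alone: parse proxy log lines, pick out responses in that status range, annotate each with the code's standard meaning from the cited RFCs, and rank client/host pairs that keep receiving such codes, since one WebDAV 422 is normal but one host answering one client with three different rare codes is not. The log lines, hosts and client addresses are constructed for the demonstration.

```python
import re
from collections import Counter

# Status codes 422-429, which the talk says COMPFun's C2 uses as async commands.
# Standard meanings are taken from the RFCs the talk cites; 425 and 427 are not
# defined in those three RFCs (425 comes from RFC 8470, 427 is unassigned).
RARE_STATUSES = {
    422: "Unprocessable Entity (RFC 4918)",
    423: "Locked (RFC 4918)",
    424: "Failed Dependency (RFC 4918)",
    425: "not defined in RFC 7231/6585/4918",
    426: "Upgrade Required (RFC 7231)",
    427: "not defined in RFC 7231/6585/4918",
    428: "Precondition Required (RFC 6585)",
    429: "Too Many Requests (RFC 6585)",
}

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
# Hosts and addresses are hypothetical, not real telemetry.
SAMPLE_LOG = """\
2019-05-14T10:01:02Z 10.0.0.5 GET http://cdn.example.test/lib.js 200
2019-05-14T10:01:03Z 10.0.0.5 POST http://api.example.test/login 401
2019-05-14T10:01:09Z 10.0.0.7 GET http://update.example.test/check 423
2019-05-14T10:01:10Z 10.0.0.7 GET http://update.example.test/check 428
2019-05-14T10:01:15Z 10.0.0.9 PUT http://dav.example.test/doc 422
2019-05-14T10:02:00Z 10.0.0.7 GET http://update.example.test/check 200
2019-05-14T10:02:30Z 10.0.0.7 GET http://update.example.test/check 429
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    host = url.split("/")[2] if "//" in url else url
    return {"ts": ts, "client": client, "method": method,
            "url": url, "host": host, "status": int(status)}


def find_rare_status_responses(log_text: str) -> list:
    """Return every parsed response whose status falls in the 422-429 range,
    annotated with the code's standard meaning."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] in RARE_STATUSES:
            rec["meaning"] = RARE_STATUSES[rec["status"]]
            hits.append(rec)
    return hits


def rank_client_host_pairs(hits: list, min_hits: int = 2) -> list:
    """Rank (client, host) pairs by how many 422-429 responses they exchanged.
    Repeated rare codes between the same pair are the pattern worth escalating."""
    counts = Counter((h["client"], h["host"]) for h in hits)
    return [(pair, n) for pair, n in counts.most_common() if n >= min_hits]


if __name__ == "__main__":
    hits = find_rare_status_responses(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["host"], h["status"], h["meaning"])
    print("suspicious pairs:", rank_client_host_pairs(hits))
```

The log format is the constructed one above; adapting `LINE_RE` to a real proxy's access-log layout is the only change needed to run this over production data.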

HTTP Statuses as C2 Commands and Compromised TLS

Hack In The Box Security Conference