Tuesday, October 30, 2018

Command and Control traffic in Assembly, Malware Reversing

This article from FireEye describes 4 different types of C2 traffic you might see in assembly, such as:

Sockets
socket()
connect()
bind()
listen()
send()
recv()
sendto()
recvfrom()

WinInet
InternetOpen()
InternetConnect()
InternetOpenURL()
HttpOpenRequest()
InternetReadFile()
InternetWriteFile()

URLMon
URLDownloadToFile()
URLDownloadToCacheFile()
URLOpenStream()
URLOpenPullStream()

Controlling Internet Explorer with COM
CoInitialize()
CoCreateInstance()
Navigate()
Navigate2()
get_Document()

So an attacker can choose any one of these groups to do their bidding.
The functions that "send" data could be used to exfiltrate data or to ask the Command and Control server for the next instruction.
The functions that "receive" data could be used to download a new payload/more malware, or to get the next instruction from the Command and Control server.
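A practical way to use the four groups above during triage is to map a sample's import table onto them and note which imports move data out versus in. The script below is an added example (not code from the post or from the FireEye article): it classifies a list of imported API names into the four families and into the send/receive split described above. The import list at the bottom is constructed for illustration. Two details worth knowing: WinInet and URLMon exports carry A/W suffixes (InternetOpenA, URLDownloadToFileW), so the matcher tolerates an optional trailing A or W; and Navigate(), Navigate2() and get_Document() are IWebBrowser2 vtable methods rather than imports, so in the COM case only CoInitialize()/CoCreateInstance() are visible in the import table and the IE usage itself has to be confirmed in the disassembly.

```python
"""Triage helper: map a sample's imported API names onto the four C2 API
families from the post (Winsock sockets, WinInet, URLMon, COM/IE) and onto
the send/receive direction the post reasons about.

Added example, not code from the post or from FireEye.
"""
import re
from collections import defaultdict

# API families as listed in the post. CoInitializeEx is included alongside
# CoInitialize because it is the common modern spelling of the same setup call.
C2_FAMILIES = {
    "sockets": ["socket", "connect", "bind", "listen",
                "send", "recv", "sendto", "recvfrom"],
    "wininet": ["InternetOpen", "InternetConnect", "InternetOpenUrl",
                "HttpOpenRequest", "InternetReadFile", "InternetWriteFile"],
    "urlmon": ["URLDownloadToFile", "URLDownloadToCacheFile",
               "URLOpenStream", "URLOpenPullStream"],
    # Navigate/Navigate2/get_Document are IWebBrowser2 vtable methods and
    # never appear in the import table; only the COM setup calls do.
    "com_ie": ["CoInitialize", "CoInitializeEx", "CoCreateInstance"],
}

# Which of those calls actually move bytes, and in which direction
# (the rest are connection/request setup).
DIRECTION = {
    "send": ["send", "sendto", "InternetWriteFile"],
    "receive": ["recv", "recvfrom", "InternetReadFile", "URLDownloadToFile",
                "URLDownloadToCacheFile", "URLOpenStream", "URLOpenPullStream"],
}


def _compile(names):
    # Case-insensitive exact match with an optional ANSI/Unicode suffix,
    # so InternetOpenA, InternetOpenW and InternetOpen all hit "InternetOpen".
    return [re.compile(rf"^{re.escape(n)}(A|W)?$", re.IGNORECASE) for n in names]


_FAMILY_PATTERNS = {fam: _compile(names) for fam, names in C2_FAMILIES.items()}
_DIRECTION_PATTERNS = {d: _compile(names) for d, names in DIRECTION.items()}


def _bucket(imports, patterns):
    hits = defaultdict(list)
    for imp in imports:
        for key, pats in patterns.items():
            if any(p.match(imp) for p in pats):
                hits[key].append(imp)
    return {k: sorted(v) for k, v in hits.items()}


def classify_imports(imports):
    """Return {family: [matching import names]} for each family with a hit."""
    return _bucket(imports, _FAMILY_PATTERNS)


def data_direction(imports):
    """Return {"send": [...], "receive": [...]} for imports that move data."""
    return _bucket(imports, _DIRECTION_PATTERNS)


# Constructed import list standing in for what a PE parser would return.
SAMPLE_IMPORTS = [
    "GetProcAddress", "LoadLibraryA", "CreateFileW", "WriteFile",
    "InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "InternetReadFile",
    "WSAStartup", "socket", "connect", "send", "recv",
]

if __name__ == "__main__":
    for family, names in classify_imports(SAMPLE_IMPORTS).items():
        print(f"{family:8s} {', '.join(names)}")
    for direction, names in data_direction(SAMPLE_IMPORTS).items():
        print(f"{direction:8s} {', '.join(names)}")
```

On the constructed sample this reports both a WinInet and a raw-socket family, with `send` as the only outbound data call and `InternetReadFile`/`recv` as the inbound ones, which is the "exfiltrate or fetch the next instruction" distinction the post draws. A sample that hits none of the families still may talk to a C2 through dynamically resolved APIs (note the `GetProcAddress` import), so an empty result is a prompt to look at string and runtime resolution, not a clean bill of health.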
