Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
HTTP Statuses as C2 Commands and Compromised TLS
- 1 Intro
- 2 The plan
- 3 How it all started
- 4 Why another trojan?
  - Keylogging? May be too loud
  - Decrypting? May be not in reasonable time with current TLS
  - Certificates pre-installation? Could facilitate MITM, but what about NAT?
- 5 "Client hello" field
- 6 PRNG to mark it
- 7 Chrome and Firefox: to patch browsers' PRNG functions in memory and the TLS handshake, developers have to analyze Firefox sources and Chrome binaries
- 8 Silently marked
- 9 Why on the fly? Once our telemetry shows new URLs, and at that time installers were available on the warez web-site
- 10 Infection chain
- 11 C2 communications: HTTP statuses 422-429 (IETF RFC 7231, 6585, 4918) are the async commands from C2
- 12 Encryption
- 13 Some math inside
- 14 To do or to use? Don't reinvent the wheel, just realign it.
- 15 If you decide to do: in config, version, target ID, URL. Almost certainly constructed with a builder
- 16 Second way pros: knowledge separation
- 17 First way pros: speed for the first sample