Overview
Explore the current state of malicious command and control (CnC) infrastructure across the globe in this Black Hat conference presentation. Delve into the findings from a year-long examination of nearly a million unauthorized CnC communications. Discover how attackers use illegally obtained, compromised infrastructure to remotely manage thousands of compromised networks worldwide, enabling them to change attack points constantly and to create jurisdictional challenges for network security personnel, law enforcement, and counterintelligence services. Learn about the tools and networks behind this worldwide malware infrastructure and discuss its strategic impact on both cyber and national security. Examine the tactical techniques malicious actors use to hide their communications within ordinary web traffic, including identifiable patterns of activity, the use of spoofed domain names, and the outbound port numbers preferred for callbacks leaving victim machines. Analyze the variations in domain name usage, compare free domain names with hacked sites used for CnC purposes, and explore the methods attackers employ to conceal their communications from corporate targets. Gain insights into the FireEye Leviathan worldwide malware ecosystem, industry vertical ownership, callback patterns, and geopolitical reflections on cyber incidents related to the Ukraine crisis and the Israel-Gaza conflict.
Syllabus
FireEye
Leviathan
Worldwide malware ecosystem
Tactics, techniques, and procedures
Every industry vertical owned
Callbacks: ebb and flow
Knock Knock
Hiding in Plain Site
Hiding in plain "site"
World C2 network map
World C2 network heatmap
Connectivity and malware
The king of malware
Callback destinations from South Korea
Overlap: investigative headache
Israel: traffic analysis
Geopolitical reflection: Ukraine crisis
Geopolitical reflection: Israel-Gaza crisis
Taught by
Black Hat