Advanced Malware Command and Control

Reuters wrote an interesting group of articles on Karma (a rootkit for iOS) and Project Raven (a group of ex-NSA contractors and employees who worked for the UAE). There are a couple of interesting features in this story, not the least of which is that this is the first time we've seen tradecraft migrate from tier-one cyber groups to other countries in this way. And from the looks of things, none of this was, at least initially, illegal. I expect we'll see some repercussions though, at least in the US, and likely in other countries with advanced cyber capabilities as they try to more strongly manage these capabilities.

There was one detail though, a small one, that I personally found very interesting that I thought I'd point out. In "Inside the Villa" section, Reuters goes over the process Raven used for targeting and exploitation. Step two of that process was:

"STEP 2: Using fake identities and Bitcoin, the Infrastructure department anonymously rented servers around the world. Those remote servers allowed Raven to launch attacks from a network of machines that cannot be traced back to the project."

This speaks volumes with respect to how nation-states manage command and control in advanced threat campaigns today.

I've written in the past about flux networks, both single and double flux. The tl;dr was that single-flux networks replace the IP addresses behind domain names and a high rate so that the servers resolved from specific domain names change frequently, helping avoid blacklisting and sink holing. Double-flux networks do the same thing and add DNS servers that also flux in a similar way. Finally, you can couple these networks with domain name generation algorithms (DGAs), and you can flux the domain names, the IPs, and the name servers managing your IPs. When you have that in play, it's virtually impossible to sinkhole your C&C domains.

Everybody does this at some level — nation-states, botnet admins, ransomware authors, everybody. But you usually want your traffic to end up somewhere, right? Not just meandering through a maze of mutating IPs and domain names. So, folks will usually design these kinds of things, today, with a DGA on the client and the name server, groups of compromised systems that act as proxies that you route traffic through (though, if necessary, you can pay for some or all of these), and then endpoints where you host your C&C.

These C&C endpoints, and likely some of the fluxing nodes, are purchased from ISPs that take Bitcoin and don't do a whole lot of checking that you are who you say you are. So, how hard is this to find? Well, not that hard, it turns out.

And what kind of identities would people need to use? Well, in the US, this would usually be associated with some kind of business. It doesn't need to be much of one, an LLC or PC is perfectly fine. So, you need to create some kind of business entity, with an address, in some country. The business may not even need to exist (though some probably do). And they need to be created with fraudulent information too, but even that's not hard today with apps like Burner or Hushed.

Of course, this is just what the UAE was doing, but it's a fair guess that everybody else is doing similar stuff. The number of acquired to compromised systems may shift, but this essential design is likely what all advanced C&C looks like today.