We came across a short-lived SMTP-based C2 and/or exfil point from what looked like a targeted ransomware campaign not long ago. However, in this case they simply used base64, which of course is the weak link detection-wise.
On Friday, October 10, 2014, Dave Aitel <[email protected]> wrote:
> [image: INNUENDO IMAP CHANNEL DIAGRAM IS HERE IN HTML EMAILS]
>
> One thing you know about the future of cyber security is that malware is
> being used right now that is far more advanced than what you read about in
> various exciting threat reports titled "NAVY PANDA" or "EXCITED BEAR" or
> "TINY-MINI-FLAME 2.0.1.2.3 rc4 found!". There's been some almost
> embarrassingly good results from people scanning the whole Internet for
> FinFisher and other command and control setups after finding an
> installation or demo copy of it.
>
> But it's not true that malware analysis for "Indicators of Compromise" or
> scanning for C&C endpoints will work to find the real setups being used by
> even B-grade teams in the future. Likewise, a connection like INNUENDO's
> new IMAP channel is hard to disrupt at the network layer since so much of
> it is encrypted naturally by the transit providers, and of course each
> campaign is going to use a different email provider.
>
> This video shows the gritty and interesting details:
> http://vimeo.com/108496757
>
> Resources:
> http://threatpost.com/rat-malware-communicating-via-yahoo-mail/107590
>
> http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-uses-evernote-as-command-and-control-server/
>
> http://researcher.watson.ibm.com/researcher/files/us-kapil/emailbotnet-dsn08.pdf
>
> -dave
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
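An added detection example for the base64 weak link noted in the reply above (written here, not code from the list post or from any product it mentions): scan each text part of an outbound message for long base64 runs and flag those whose decoded bytes have the high entropy of an encrypted or packed payload, which is what inline staging data on an SMTP exfil channel looks like once decoded. The sample messages and the example.com addresses are constructed.

```python
import base64
import math
import re
from collections import Counter
from email import message_from_string

# Runs of 40+ base64 characters not embedded in a longer token; long enough to skip
# short ids and URL fragments while still catching staged files or command blobs.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted or compressed data, 4 to 5 for English."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def decode_run(token: str):
    """Strictly decode one base64 run, repairing stripped padding; None if invalid."""
    core = token.rstrip("=")
    try:
        return base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def flag_base64_blobs(raw_message: str, entropy_threshold: float = 6.0) -> list:
    """One finding per long base64 run in a text part whose decoded bytes look
    packed or encrypted; runs that decode to ordinary text are left alone."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
        for m in B64_RUN.finditer(body):
            decoded = decode_run(m.group(0))
            if decoded is None:
                continue
            ent = shannon_entropy(decoded)
            if ent >= entropy_threshold:
                findings.append({"encoded_len": len(m.group(0)),
                                 "decoded_len": len(decoded), "entropy": round(ent, 2)})
    return findings

# Constructed samples (addresses are placeholders). The "exfil" body carries all 256
# byte values, entropy exactly 8.0, standing in for an encrypted staging blob.
HDR = "From: a@example.com\r\nTo: b@example.com\r\nContent-Type: text/plain\r\n\r\n"
EXFIL_MAIL = HDR + "see below\r\n" + base64.b64encode(bytes(range(256))).decode() + "\r\n"
BENIGN_MAIL = HDR + base64.b64encode(
    b"Quarterly numbers look fine, let's meet on Thursday to discuss the plan.").decode()
```

Running `flag_base64_blobs` over a mail gateway's outbound stream turns the base64 shortcut into a cheap alert, while the entropy check keeps base64 runs of ordinary text from paging anyone.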
