Re: IMAP C&C channels have some massive advantages for attackers and penetration testers

[Curt Wilson <curtwilson618 () gmail com>]

We came across a short-lived SMTP-based C2 and/or exfil point from what
looked like a targeted ransomware campaign not long ago. However in this
case they simply used base64 which of course is the weak link
detection-wise.

On Friday, October 10, 2014, Dave Aitel <dave () immunityinc com> wrote:

>  [image: INNUENDO IMAP CHANNEL DIAGRAM IS HERE IN HTML EMAILS]
>
> One thing you know about the future of cyber security is that malware is
> being used right now that is far more advanced than what you read about in
> various exciting threat reports titled "NAVY PANDA" or "EXCITED BEAR" or
> "TINY-MINI-FLAME 2.0.1.2.3 rc4 found!". There's been some almost
> embarrassingly good results from people scanning the whole Internet for
> FinFisher and other command and control setups after finding an
> installation or demo copy of it.
>
> But it's not true that malware analysis for "Indicators of Compromise" or
> scanning for C&C  endpoints will work to find the real setups being used by
> even B-grade teams in the future. Likewise, a connection like INNUENDO's
> new IMAP channel is hard to disrupt at the network layer since so much of
> it is encrypted naturally by the transit providers, and of course each
> campaign is going to use a different email provider.
>
> This video shows the gritty and interesting details:
> http://vimeo.com/108496757
>
> Resources:
> http://threatpost.com/rat-malware-communicating-via-yahoo-mail/107590
>
> http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-uses-evernote-as-command-and-control-server/
>
> http://researcher.watson.ibm.com/researcher/files/us-kapil/emailbotnet-dsn08.pdf
>
> -dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave