[Dailydave] IMAP C&C channels have some massive advantages for attackers and penetration testers

Curt Wilson curtwilson618 at gmail.com
Sat Oct 11 11:54:57 EDT 2014


We came across a short-lived SMTP-based C2 and/or exfil point from what
looked like a targeted ransomware campaign not long ago. However, in this
case they simply used base64, which of course is the weak link
detection-wise.

On Friday, October 10, 2014, Dave Aitel <dave at immunityinc.com> wrote:

>  [image: INNUENDO IMAP CHANNEL DIAGRAM IS HERE IN HTML EMAILS]
>
> One thing you know about the future of cyber security is that malware is
> being used right now that is far more advanced than what you read about in
> various exciting threat reports titled "NAVY PANDA" or "EXCITED BEAR" or
> "TINY-MINI-FLAME 2.0.1.2.3 rc4 found!". There's been some almost
> embarrassingly good results from people scanning the whole Internet for
> FinFisher and other command and control setups after finding an
> installation or demo copy of it.
>
> But it's not true that malware analysis for "Indicators of Compromise" or
> scanning for C&C endpoints will work to find the real setups being used by
> even B-grade teams in the future. Likewise, a connection like INNUENDO's
> new IMAP channel is hard to disrupt at the network layer since so much of
> it is encrypted naturally by the transit providers, and of course each
> campaign is going to use a different email provider.
>
> This video shows the gritty and interesting details:
> http://vimeo.com/108496757
>
> Resources:
> http://threatpost.com/rat-malware-communicating-via-yahoo-mail/107590
>
> http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-uses-evernote-as-command-and-control-server/
>
> http://researcher.watson.ibm.com/researcher/files/us-kapil/emailbotnet-dsn08.pdf
>
> -dave
>
>
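The detection angle Curt raises above (a mail-borne C2 or exfil channel that only hides its traffic with base64) is easy to turn into a body scanner. The following is an added example written for this page, not code from Curt, Dave, or Immunity: it walks the text parts of a message, picks out runs that look like base64, decodes them, and reports the ones that decode to mostly printable text, which is what beacons, commands and stolen credentials usually look like once unwrapped. The sample message, the beacon string and the `example.invalid` addresses are constructed for the demo, and the length and printable-ratio thresholds are assumptions to tune against your own mail flow.

```python
"""Flag base64-encoded blobs inside mail bodies.

Added example for the thread above; the sample message below is constructed,
not a real capture.
"""
import base64
import email
import re
import string
from email import policy

# A base64 run must be at least this long before we bother decoding it
# (assumed threshold; short runs collide with ordinary words and tokens).
MIN_LEN = 32
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_LEN)
PRINTABLE = set(string.printable.encode())


def build_sample_message() -> bytes:
    """Constructed sample: a plain-text mail carrying an inline base64 blob
    that decodes to a beacon-style string (hypothetical host and user)."""
    beacon = b"hostname=WORKSTATION-01;user=jdoe;cmd=list_files"
    blob = base64.b64encode(beacon).decode("ascii")
    return (
        b"From: host-a@example.invalid\r\n"
        b"To: drop@example.invalid\r\n"
        b"Subject: status\r\n"
        b"Content-Type: text/plain; charset=utf-8\r\n"
        b"\r\n"
        b"status update attached below\r\n"
        + blob.encode("ascii") + b"\r\n"
    )


def try_decode(candidate: str):
    """Return the decoded bytes if the run is well-formed base64, else None."""
    if len(candidate) % 4:
        return None
    try:
        # validate=True rejects stray characters instead of silently skipping them
        return base64.b64decode(candidate, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; text payloads score near 1.0."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def scan_message(raw: bytes, min_printable: float = 0.9) -> list:
    """Walk every text part of a raw RFC 822 message, decode each
    base64-looking run and report the ones that unwrap to readable text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and binary attachments are skipped
        body = part.get_content()
        for run in B64_RUN.findall(body):
            decoded = try_decode(run)
            if decoded is None:
                continue
            ratio = printable_ratio(decoded)
            if ratio >= min_printable:
                findings.append({
                    "part": part.get_content_type(),
                    "encoded_len": len(run),
                    "decoded": decoded.decode("ascii", errors="replace"),
                    "printable_ratio": round(ratio, 2),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Long legitimate tokens (session ids, signed URLs) will match the regex too, but they rarely decode to clean printable text, so the ratio check does most of the filtering; raising `MIN_LEN` cuts the rest. A message whose text part is itself declared `Content-Transfer-Encoding: base64` is already unwrapped by `get_content()`, so the same scan sees its real body.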