Digital Vengeance: Exploiting Notorious C&C Toolkits presented at saintcon 2017

by Waylon Grange,

Summary : Every year thousands of organizations are compromised by targeted attacks. In many cases, the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible as if the assailants’ skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe.
If one looks at the many APT reports that have been released over the years some clear patterns start to emerge. A small number of Remote Administration Tools are preferred by actors and reused across multiple campaigns. Frequently cited tools include Gh0st RAT, Plug-X, and XtremeRAT among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities. Vulnerabilities that can be exploited to turn the tables from hunter to hunted.
Although the material in this talk will provide tools for launching an offensive against attackers this talk is not intended to be instructional for hacking back. The ethics and legality of counter attacks will be touched on only briefly as that is a discussion beyond the scope of this talk.