Over the past few weeks, I’ve been compromising threat actors’ Telegram-based Command and Control (C2) communications and analyzing the data. I recently hit a goldmine of interesting findings. This particular threat actor, who used Telegram for exfiltration of data from the Nova infostealer, had tested his payload on his production “hacking” box. As a result, I was able to harvest hundreds of screenshots & keylogs from the actor’s box that gave insight into what cybercrime operations look like from an actual threat actor-owned machine. I identified multiple additional malspam campaigns being performed by this actor, the domains he owned, email addresses he used for services like Cloudflare and his VPS, and also all of his plaintext credentials used for his infrastructure.
For a deep-dive analysis into how the Telegram C2 comms were stolen and the actor’s infrastructure and his operations, see the below blog:
https://lnkd.in/epKZzBS5
For an analysis of the malware execution chain associated with the Nova infostealer, see the below blog:
https://lnkd.in/eWhMvXfg
You Should Know:
Here are some practical commands and techniques related to analyzing C2 communications and malware execution chains:
1. Network Traffic Analysis with Tcpdump:
Capture network traffic to analyze C2 communications:
sudo tcpdump -i eth0 -w capture.pcap
Analyze the captured traffic using Wireshark or tshark:
tshark -r capture.pcap -Y "http.request.method == POST"
2. Extracting Malware Artifacts:
Use `strings` to extract readable strings from a binary:
strings malware_sample.exe | grep "http"
Use `Volatility` (version 3) for memory forensics; the `windows.pslist` plugin lists the processes that were running when the image was taken:
vol -f memory_dump.raw windows.pslist
3. Analyzing Telegram-Based C2:
Monitor Telegram Bot API traffic from a sample running in your lab by routing it through an intercepting proxy such as Burp Suite or mitmproxy. The API is served over HTTPS, so the analysis VM must trust the proxy's CA certificate and its traffic must be redirected to the proxy for transparent mode to see the requests:
mitmproxy --mode transparent --showhost
4. Cracking Hashed Credentials:
Use `John the Ripper` to crack password hashes recovered during analysis against a wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
5. Analyzing Nova Infostealer:
Use `Cuckoo Sandbox` for dynamic malware analysis:
cuckoo submit malware_sample.exe
6. Identifying Malicious Domains:
Use `dig` to query DNS records:
dig +short malicious-domain.com
7. Analyzing Screenshots and Keylogs:
Use `exiftool` to extract metadata from screenshots:
exiftool screenshot.png
8. Monitoring VPS Activity:
Use `netstat` to monitor active connections. `-tuln` only lists listening TCP/UDP sockets; to see established connections together with the owning process, drop `-l` and add `-p` (or use `ss -tunp` on systems without netstat):
netstat -tunp
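Sections 1 and 3 above capture traffic and proxy it; the piece a defender usually wants next is a way to pick Telegram Bot API exfiltration out of the resulting request logs. The following is an added example, not code from the post or from the linked blogs: it parses constructed proxy log lines (a hypothetical `<timestamp> <src_ip> <http_method> <url> <status>` format), recognises the Bot API URL shape `api.telegram.org/bot<id>:<secret>/<method>`, redacts the secret, and aggregates one alert per source host and bot. The token shape is assumed from the public Bot API format.

```python
import re
from collections import Counter, defaultdict

# Telegram Bot API URL shape: https://api.telegram.org/bot<numeric id>:<35-char secret>/<method>
# (token shape assumed from the public Bot API format).
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)
# Bot API methods that push data out of the victim; other methods are parsed but not alerted on.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

def redact_token(bot_id: str, secret: str) -> str:
    """Keep the bot id for correlation but never write the full secret into a report."""
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"

def parse_line(line: str):
    """Parse one hypothetical proxy log line; return None if it is not a Bot API request."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src_ip, http_method, url, status = parts
    m = TELEGRAM_BOT_RE.search(url)
    if not m:
        return None
    return {"ts": ts, "src_ip": src_ip, "http_method": http_method, "status": status,
            "bot": redact_token(m["bot_id"], m["secret"]), "api_method": m["method"]}

def find_telegram_exfil(lines):
    """Aggregate exfil-style Bot API calls into one alert per (source host, redacted bot token)."""
    hits = defaultdict(lambda: {"count": 0, "methods": Counter(), "first_seen": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["api_method"] not in EXFIL_METHODS:
            continue
        entry = hits[(rec["src_ip"], rec["bot"])]
        entry["count"] += 1
        entry["methods"][rec["api_method"]] += 1
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
    return dict(hits)

# Constructed sample log (not real traffic); the token is a made-up value of the right shape.
FAKE_TOKEN = "123456789:" + "AAH" + "x" * 32
SAMPLE_LOG = [
    f"2024-05-01T10:00:01Z 10.0.0.5 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 200",
    f"2024-05-01T10:00:03Z 10.0.0.5 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage 200",
    f"2024-05-01T10:00:05Z 10.0.0.7 GET https://api.telegram.org/bot{FAKE_TOKEN}/getMe 200",
    "2024-05-01T10:00:07Z 10.0.0.9 GET https://example.com/index.html 200",
    "malformed line",
]

if __name__ == "__main__":
    for (src, bot), info in find_telegram_exfil(SAMPLE_LOG).items():
        print(f"{src} -> bot {bot}: {info['count']} calls {dict(info['methods'])} first {info['first_seen']}")
```

Feed it real proxy or Zeek HTTP logs by adapting `parse_line` to the field layout you actually have; the bot id in the alert is what you pivot on across hosts.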
What Undercode Say:
Analyzing threat actors’ C2 communications and malware execution chains requires a combination of network forensics, memory analysis, and malware reverse engineering. Tools like Tcpdump, Volatility, and Cuckoo Sandbox are essential for uncovering the tactics, techniques, and procedures (TTPs) used by adversaries. By understanding how threat actors operate, defenders can better secure their environments and mitigate risks. Always ensure you have proper authorization before conducting any analysis on potentially malicious systems.
For further reading, refer to the two blogs linked above.
Reported By: Ben F – Hackers Feeds