10 Tweets 11 reads Jan 02, 2024
Tracking a Rust-based C2
From downloading the framework to refining search queries, I'll guide you through my process of tracking adversary infrastructure.
Today, we'll briefly look at "link," which supports implants targeting Windows, MacOS, and Linux.
1/10
link became available on GitHub in 2021. Although the framework no longer seems to be actively maintained, it has over 500 stars and is still used today.
Running link from the command line, we are prompted to set up our server.
We'll leave the specifics of generating implants, running them on a victim VM, and analyzing the traffic for another thread. An example is provided below.
We have a working server up and ready to receive traffic; let's dig in and see what we can find.
If you're still reading, we first set up a server when running link from the terminal.
Navigating to the server in a browser, we aren't greeted with a slick interface, but we at least get an "Ok" message.
Let's look at the HTTP response headers in Python.
Again, there is only a little information to go on, but a lack of information can also work in our favor when it comes to search queries.
There is no header for the Server, Content-Type, etc.
We now have a rough query for an HTTP 200 response with two lowercase headers.
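To make the response-shape fingerprint from the thread concrete, here is an added example (my own code, not part of the original thread or of the link project) that parses raw HTTP responses and checks them against the traits described above: HTTP 200, exactly two header lines, both lowercase, a content-length of 3 and a date header, and no Server or Content-Type header. The body is deliberately not part of the match, since an operator can change it. The sample responses are constructed for the example, not captured from any real host.

```python
"""Match raw HTTP responses against a minimal-response fingerprint.

Fingerprint traits (from the thread): status 200, two header lines with
lowercase names, content-length 3, a date header, no Server/Content-Type.
The body text is ignored on purpose because it is trivial to change.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample responses for this example (not real captures).
# candidate_a / candidate_b mimic the minimal reply described in the thread,
# generic_web is an ordinary server, wrong_status has the right headers but a 404.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "candidate_a": (b"HTTP/1.1 200 OK\r\ncontent-length: 3\r\n"
                    b"date: Tue, 02 Jan 2024 12:00:00 GMT\r\n\r\nOk\n"),
    "candidate_b": (b"HTTP/1.1 200 OK\r\ncontent-length: 3\r\n"
                    b"date: Tue, 02 Jan 2024 12:00:01 GMT\r\n\r\nok "),
    "generic_web": (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
                    b"Content-Length: 3\r\ndate: Tue, 02 Jan 2024 12:00:02 GMT\r\n\r\nOk\n"),
    "wrong_status": (b"HTTP/1.1 404 Not Found\r\ncontent-length: 3\r\n"
                     b"date: Tue, 02 Jan 2024 12:00:03 GMT\r\n\r\nOk\n"),
}


@dataclass
class ParsedResponse:
    status: int
    headers: List[Tuple[str, str]]  # original header-name case is preserved
    body: bytes


def parse_response(raw: bytes) -> ParsedResponse:
    """Split a raw HTTP/1.x response into status code, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("ascii", errors="replace")
    status = int(status_line.split(" ", 2)[1])
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return ParsedResponse(status, headers, body)


def matches_fingerprint(resp: ParsedResponse) -> Tuple[bool, List[str]]:
    """Return (matched, reasons_for_mismatch) for the minimal-response fingerprint."""
    reasons: List[str] = []
    names = [name for name, _ in resp.headers]
    lowered = {name.lower(): value for name, value in resp.headers}

    if resp.status != 200:
        reasons.append(f"status {resp.status} != 200")
    if len(names) != 2:
        reasons.append(f"{len(names)} headers, expected 2")
    if any(name != name.lower() for name in names):
        reasons.append("header names are not all lowercase")
    if lowered.get("content-length") != "3":
        reasons.append("content-length is not 3")
    if "date" not in lowered:
        reasons.append("no date header")
    for banned in ("server", "content-type"):
        if banned in lowered:
            reasons.append(f"unexpected {banned} header")
    # Body intentionally not checked: the "Ok" text is operator-controlled.
    return (not reasons, reasons)


def triage(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Run every sample through the fingerprint and report which ones match."""
    return {name: matches_fingerprint(parse_response(raw))[0]
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        matched, reasons = matches_fingerprint(parse_response(raw))
        print(f"{name:13s} match={matched} {'; '.join(reasons)}")
```

A match here is a lead for further analysis, not a confirmation: the traits are coarse, so the next step on any hit is to pull the raw banner and certificate and compare them against the reference server you stood up yourself.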
link comes with a default, expired certificate that could also assist in identifying infrastructure.
Unfortunately, this certificate won't help us much in building queries, but it's worth saving and digging into more.
As an attacker can easily change the "Ok" message, we'll leave it out of our query.
Using Shodan, our query will start with the HTTP 200 response, the content length 3, and the date.
Filtering out headers, we see 5 hosts matching our server response.
Looking at the raw output, we can see a few variations of the default server response: "Hi! " and "ok ", among others.
Had we only focused on the "OK" message, we likely would have had few, if any, results.
Additional analysis is needed to confirm these are link servers, but I can say with moderate confidence what we are looking at is part of link's framework.
Next time, I'll cover something a bit more advanced, maybe a Python script to emulate communication with a C2 framework to assist in identifying new hosts.
Shout out to @embee_research for the tips and motivation to start sharing more.