assembly and RE vs expanding into C2 creation / learning
#1
Hi-

I'm not necessarily lost here, I'm just looking for other people's perspectives with this.

So it's probably evident by now that I like working with malware and while I'm new to the scene it's starting to make sense. A couple weeks ago I was on the verge of looking seriously into mobile malware centering on Android dev and JSON, but I have no experience with either of those things. Now to be clear, it's not like I couldn't learn those things, it's just that what I'm focusing on currently is more than enough. What I mean to say is that from that experience I learned that "working with malware" for me specifically means working with C and assembly and reverse engineering. Nothing more (at least for the foreseeable future). There's more than enough for me to learn within that alone. Never mind I'm still just starting to grasp the fundamentals.

Now, without going into too much detail, I feel it's necessary for professional reasons to augment what I know about networking, which is paltry at the moment. To that end, I thought "ok - I'll make my own C2 server from scratch and have it infect one of my machines etc." I had an idea to document everything in terms of the CIA triad, the OSI model, and where applicable, the OWASP top 10. I configured a dedicated router. I dedicated one of my laptops as my server, implementing best practices for hardening a server (separate user, firewall, etc. - something I've never done before). I created my own simple TOR hidden service (something I definitely want to explore later), thinking I'd use that as my C2... My point is that the more I got into this, the more work I realized it was. I guess maybe I was, in miniature, inadvertently trying to do what a ransomware group would do by myself. Maintaining the server, making sure the traffic was encrypted, thinking about some kind of steganographic means of delivery, etc.

Should I continue attempting to build this C2 experiment, or should I just focus on the world of C and assembly? My inclination is the latter. Again, it's not that I'm not capable of doing both, it's just that it's apparently a lot of work. Cybersecurity and working with computers for me is like pressing my eyes into some kind of infinite fractal where it just goes on and on. Yes, I know that no one person can know it all.

Again, any opinions about this would be helpful. And just out of curiosity for those inclined - What's been your experience with learning and applying new skills, especially when trying to get hired for a position? While I do think I'm a resourceful and persistent individual, sometimes I feel like either a complete idiot when working on things and/or that I'm going to be a mummified skeleton at my keyboard before I see tangible results. Am I insane? Do others experience this? Discuss.


Thanks for taking the time to read this,
neftis
#2
I realize this is quite the late reply to your thread, but I felt I had to mention this. Most successful ransomware operations are generally performed by a crew. A malware operation in and of itself is quite the complex affair.

The biggest and most successful ransomware attacks are performed by nation states. However, the goal for a nation state may very well be to cripple their adversary's critical infrastructure while masquerading as something purely motivated by financial gain, such as a Black Hat group.

Working as a team brings extra risk; however, those risks can be reduced by everyone in the group adhering to solid OPSEC protocols and principles. The benefit would obviously be the division of labor. Ideally a small team would have members that develop the ransomware proper, in C, C++, Asm, and what have you. If exploits are to be employed, those will have to be developed and integrated as well, depending on the desired target.

There would be members that perform recon on the potential target beforehand in order to determine the vector best suited for the initial compromise. Web developers and network engineers would be assigned to creating the proper C2 mechanisms. The reason I mention network engineers is that there may be multiple servers/VPS the threat actors intend to use, say in a semi-decentralized C2 network, which would pass on any data going to and coming from the clients active in the field.

DNS Fast Flux might be employed as a measure to protect those C2 assets, which is by no means trivial.

Now, familiarizing yourself with these various subjects (of which I have left out quite a few) is definitely helpful, and generally interesting if you have an interest in the process from top to bottom. As you mentioned though, it's a lot of knowledge to get into all at once.


If you can familiarize yourself with the various skills required to accomplish all these things, I would highly recommend it. Especially if you're working with a small group of specialists, as it will allow you to effectively communicate and act as a liaison between everyone else. Doubly so if you occupy a leadership position or role of authority within that organizational structure.



That is not to say you can't do it alone, if you have the knowledge. Just remember that the scale of the campaign will be smaller and the total time invested on your part will be greater if you solo it. Ideally, however, you have a small crew who are all very familiar with all that I described and, moreover, with Malware Ops at scale in general.

For now I'd suggest familiarizing yourself with the fundamentals of each role, at the very least, especially if you already feel comfortable and competent with the MalDev aspect. The more you know, the better an understanding you will get of the whole process. And from my perspective you seem to be well underway.
#3
I don't have much insight to give into managing infrastructure for C2s because that isn't where my experience lies. Most of my knowledge exists in the space of malware development and offensive security research. The reality is that the majority of malware development doesn't require in-depth knowledge of assembly, and using C isn't mandatory either.

Usually assembly knowledge is required when you reverse engineer a target to better understand the system. For example, you would reverse engineer the native Windows API to see how you can perform one process injection technique using just the Nt* counterpart functions, compared to the commonly known APIs like OpenProcess, WriteProcessMemory, CreateThread, etc. This comes in handy when attempting evasion on security products. In my many years of being active in developing offensive tooling, I've yet to find a good reason to manually write assembly in most situations. Not only would it be difficult to maintain, it's not exactly a thing unless you're doing something very, very specific like jumping across the WOW layer (not many real reasons to do this either). Using direct syscalls is common, but it could be hard to scale. Remember that malware development is the same as any other software development: you ideally want code that is easy to maintain and scale.

Not everyone can do both and from what I've seen, most people focus on one or the other. The choice is up to your personal preferences.
#4
With regards to Asm, I find it's very useful in terms of developing exploits that you may want to ship with your malware. Not only that: inline Asm can give a C program capabilities it normally would not have.
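The "direct syscalls" point in #3 and the inline-Asm point in #4 refer to the same mechanism, so here is one added example that illustrates both. It is not code from any poster in this thread: a C program that enters the kernel through the `syscall` instruction from inline assembly, bypassing libc's wrapper functions. It assumes Linux on x86-64 (the register convention in the asm block is that ABI); the function names `raw_syscall3`, `direct_getpid` and `direct_write` are mine. On any other target it falls back to libc's `syscall()` so the file still builds, but then nothing is bypassed.

```c
// Added example (not from the thread): invoke Linux system calls directly
// through the `syscall` instruction, without going through libc's wrappers.
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

// Issue a raw system call with up to three arguments.
// x86-64 Linux ABI: number in rax, args in rdi, rsi, rdx; result in rax.
// The kernel clobbers rcx and r11, so they are declared as clobbers.
// Unlike libc, the raw return on failure is -errno, not -1 plus errno.
static long raw_syscall3(long nr, long a1, long a2, long a3) {
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile (
        "syscall"
        : "=a"(ret)
        : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
        : "rcx", "r11", "memory");
    return ret;
#else
    // Fallback for other targets (assumption: a libc with syscall(2)).
    return syscall(nr, a1, a2, a3);
#endif
}

// getpid(2) without touching libc's getpid() wrapper.
long direct_getpid(void) {
    return raw_syscall3(SYS_getpid, 0, 0, 0);
}

// write(2) without libc's write(); returns bytes written, or -errno.
long direct_write(int fd, const char *buf, size_t len) {
    return raw_syscall3(SYS_write, (long)fd, (long)buf, (long)len);
}

int main(void) {
    const char msg[] = "hello from a raw syscall\n";
    long n = direct_write(1, msg, sizeof(msg) - 1);
    printf("direct_write returned %ld; pid via raw syscall = %ld, via libc = %ld\n",
           n, direct_getpid(), (long)getpid());
    return 0;
}
```

Build with `cc -O2 direct_syscall.c -o direct_syscall` and run it; `direct_getpid()` and libc's `getpid()` report the same value because both end in the same kernel entry. The same idea is what the Nt* functions in ntdll do on Windows (load a service number into eax, then execute `syscall`), which is why they can be called directly and why user-mode hooks on the documented Win32 APIs do not see those calls. The difference in scalability that #3 mentions comes from the numbers: Linux system call numbers are a stable ABI, while Windows service numbers change between builds, so a direct-syscall implementation has to resolve them at runtime or carry a table per build.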
#5
(03-17-2022, 12:14 PM)Vector Wrote: With regards to Asm, I find it's very useful in terms of developing exploits that you may want to ship with your malware. Not only that: inline Asm can give a C program capabilities it normally would not have.

I'm curious as to how many Windows exploits you've developed both with and without using assembly, and what you used the assembly for.