When “D” and I entered the TOC, “Y” was already there talking with the two guys on the ground. They had followed the execs that morning, and again the execs stopped at the cafe. This time they were ready with a control inside the execs’ computers. A few minutes later, one of the principals opened his laptop and connected to the cafe’s Wi-Fi network, and the attackers were on it like flies. The team members were also running a sniffer. The combination of the sniffer and the monitoring software provided us with real-time info on what the attackers were trying to do. We saw that they had run an exploit and gained access to the computer.

Once their backdoor was installed, they connected back to a listener, or C2, computer. A listener is a program that accepts connections from a backdoor. The simple ones are usually a terminal running Netcat, while the more complex ones allow the bad guys to send commands to the backdoor via different channels and protocols. We were ready for this. As soon as the backdoor made its first connection, we were able to detect it. We saw that the bad guys immediately began scanning the computers. We had several Word documents and PDFs weaponized and ready to be picked up by them. They had names and content that would be too juicy not to copy. And they did.

Their backdoor used plain, cleartext HTTP requests to exfil the data. I can only assume they did this because it was the initial breach on a public network, and that they would eventually switch to a stealthier piece of attack code. It worked out well because our sniffer was able to record this and they copied our files. We also sent our own HTML request containing a download link to the attack code we had prepared for them. We saw it getting picked up by the bad guys.
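The detection side of this paragraph, as an added example that is not code from the original post: because the backdoor moved the decoy files over cleartext HTTP, a sniffer export can be checked for the decoy filenames themselves, for document uploads to hosts that are not on an allowlist, and for the regular check-in rhythm of a backdoor talking to its listener. The request dicts, the decoy names, the allowlist and the documentation-range addresses are all constructed for this example.

```python
"""Flag cleartext HTTP exfiltration and beaconing in captured requests.

Added example, not code from the original post. The input is a constructed,
simplified sniffer export (one dict per HTTP request); the field names, the
decoy document names and the host allowlist are all assumptions.
"""
import re
import statistics
from datetime import datetime

# Constructed decoy ("canary") documents seeded on the laptop. Because the
# backdoor copied files out over plain HTTP, a name match in traffic is enough.
CANARY_DOCS = {"Q3_board_acquisition_plan.docx", "exec_travel_itinerary.pdf"}
# Constructed allowlist of hosts the laptops legitimately upload to.
ALLOWED_UPLOAD_HOSTS = {"mail.example-corp.test", "files.example-corp.test"}
LARGE_BODY_BYTES = 256 * 1024

# Office/PDF filenames appearing in a URL path, query string or multipart body.
DOC_RE = re.compile(r"[\w.-]+\.(?:docx?|xlsx?|pptx?|pdf)\b", re.IGNORECASE)


def find_exfil(requests, canary_docs=CANARY_DOCS, allowed_hosts=ALLOWED_UPLOAD_HOSTS):
    """Return one alert per suspicious request, listing every reason it matched."""
    alerts = []
    for r in requests:
        reasons = []
        names = set(DOC_RE.findall(r["path"] + " " + r.get("body", "")))
        hits = names & canary_docs
        if hits:
            reasons.append("canary document in request: " + ", ".join(sorted(hits)))
        if r["host"] not in allowed_hosts:
            if names:
                reasons.append("document name sent to non-allowlisted host")
            if r["method"] == "POST" and r.get("content_length", 0) >= LARGE_BODY_BYTES:
                reasons.append(f"large POST body ({r['content_length']} bytes) to non-allowlisted host")
        if reasons:
            alerts.append({"ts": r["ts"], "host": r["host"], "reasons": reasons})
    return alerts


def find_beacons(requests, min_count=4, max_cv=0.15):
    """Hosts contacted at near-constant intervals: low coefficient of variation of the gaps."""
    by_host = {}
    for r in requests:
        by_host.setdefault(r["host"], []).append(datetime.fromisoformat(r["ts"]))
    beacons = []
    for host, times in sorted(by_host.items()):
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons.append((host, round(mean, 1)))
    return beacons


# Constructed capture: one legitimate attachment upload, a backdoor checking in
# roughly every 60 s, and two cleartext copies of decoy documents to another host.
SAMPLE_REQUESTS = [
    {"ts": "2012-05-14T08:09:30", "host": "mail.example-corp.test", "method": "POST",
     "path": "/owa/attachment", "content_length": 900_000,
     "body": 'Content-Disposition: form-data; name="f"; filename="agenda_notes.docx"'},
    {"ts": "2012-05-14T08:10:00", "host": "203.0.113.77", "method": "GET", "path": "/", "content_length": 0},
    {"ts": "2012-05-14T08:11:00", "host": "203.0.113.77", "method": "GET", "path": "/", "content_length": 0},
    {"ts": "2012-05-14T08:11:42", "host": "198.51.100.23", "method": "POST", "path": "/up.php",
     "content_length": 1_200_000,
     "body": 'Content-Disposition: form-data; name="f"; filename="Q3_board_acquisition_plan.docx"'},
    {"ts": "2012-05-14T08:12:01", "host": "203.0.113.77", "method": "GET", "path": "/", "content_length": 0},
    {"ts": "2012-05-14T08:12:30", "host": "198.51.100.23", "method": "GET",
     "path": "/up.php?f=exec_travel_itinerary.pdf&d=QUJDRA", "content_length": 0},
    {"ts": "2012-05-14T08:13:00", "host": "203.0.113.77", "method": "GET", "path": "/", "content_length": 0},
    {"ts": "2012-05-14T08:14:00", "host": "203.0.113.77", "method": "GET", "path": "/", "content_length": 0},
    {"ts": "2012-05-14T08:14:20", "host": "files.example-corp.test", "method": "GET",
     "path": "/index", "content_length": 0},
]

if __name__ == "__main__":
    for a in find_exfil(SAMPLE_REQUESTS):
        print(a["ts"], a["host"], "; ".join(a["reasons"]))
    for host, period in find_beacons(SAMPLE_REQUESTS):
        print(f"beacon candidate: {host} contacted every ~{period}s")
```

The allowlist keeps the large legitimate upload quiet while the same document regex still fires on the decoy names, and the beacon check tolerates a little timing jitter through the coefficient-of-variation threshold rather than requiring identical gaps.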

At the TOC, “D”, “Y” and I were ready with the listeners in case our backdoor began transmitting. I called the security officer at our client’s offices and gave him a SITREP – one of many to follow.

The execs finished their coffee and continued on their way to the local office. The security people from our customer called them a few minutes later explaining what happened and that they should not connect those laptops to the corporate network.

Meanwhile, we saw no activity on the listeners we had at the TOC. For the next 2 hours we had nothing. But then a shell opened on one of the listeners. Great!

Now the project had gone from a security assessment to digital VIP protection to a full-on offensive digital intelligence gathering. We were asked by our customer to see who these people were and to extract as much intel as we could.

Now we were having fun!