When “D” and I entered the TOC, “Y” was already there talking with the two guys on the ground. They had followed the execs that morning, and again the execs stopped at the cafe. This time we were ready, with our monitoring software already inside the execs’ computers. A few minutes later, one of the principals opened his laptop and connected to the cafe’s Wi-Fi network, and the attackers were on it like flies. The team members were also running a sniffer. The combination of the sniffer and the monitoring software gave us real-time information on what the attackers were trying to do. We saw that they had run an exploit and gained access to the computer.

Once their backdoor was installed, it connected back to a listener, or C2, computer. A listener is a program that accepts connections from a backdoor. The simple ones are usually a terminal running Netcat, while the more complex ones let the bad guys send commands to the backdoor over different channels and protocols. We were ready for this. As soon as the backdoor made its first connection we detected it. We saw that the bad guys immediately began scanning the computers. We had several Word documents and PDFs weaponized and ready to be picked up by them. Their names and content were too juicy not to copy. And they did.

Their backdoor used plain, cleartext HTTP requests to exfil the data. I can only assume they did this because it was the initial breach on a public network, and that they would eventually switch to a stealthier piece of attack code. It worked out well for us: our sniffer recorded all of it, and they copied our files. We also sent our own HTTP request containing a download link to the attack code we had prepared for them. We saw it getting picked up by the bad guys.

At the TOC, “D”, “Y” and I were ready with the listeners in case our backdoor began transmitting. I called the security officer at our client’s offices and gave him a SITREP – one of many to follow.

The execs finished their coffee and continued on their way to the local office. The security people from our customer called them a few minutes later, explained what had happened, and told them not to connect those laptops to the corporate network.

Meanwhile, we saw no activity on the listeners we had at the TOC. For the next two hours we had nothing. But then a shell opened on one of the listeners. Great!

Now the project had gone from a security assessment to digital VIP protection to full-on offensive digital intelligence gathering. Our customer asked us to find out who these people were and to extract as much intel as we could.

Now we were having fun!

We each took turns with the listener’s shell. The first thing we did was install a second backdoor, different from the first. This was done for redundancy: if the first one got found and blocked, we would still have a way in. If these guys were good, they would eventually notice the first backdoor. It used UDP and DNS requests to send the data back to us. Although it was slow, it was still fast enough to give us almost real-time access to the computer. The second backdoor was more complex and provided actual real-time access. It had several layers of crypto and could perform complex automated searches for files, network nodes, etc.
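The two channels that matter in this part of the story are the attackers’ cleartext HTTP exfiltration, which the sniffer recorded, and the slow UDP/DNS channel used by the first backdoor. The script below is an added example, not the author’s tooling, of how a defender reviewing sniffer output would flag both: a POST whose body begins with a document file signature, and a DNS query carrying an unusually long or high-entropy label. The log lines are constructed for the example (192.0.2.x and 203.0.113.x are documentation address ranges), and the thresholds are assumptions a real deployment would tune.

```python
"""Flag cleartext document exfiltration and DNS-tunnel-like queries in sniffer summaries."""
import math

# Constructed sniffer-style summary lines (not captured traffic).
SAMPLE_LINES = [
    "proto=DNS src=192.0.2.10 qname=www.example.com",
    "proto=DNS src=192.0.2.10 qname=mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.tunnel-placeholder.example",
    "proto=HTTP src=192.0.2.10 dst=203.0.113.7 method=GET uri=/index.html body=",
    "proto=HTTP src=192.0.2.10 dst=203.0.113.7 method=POST uri=/up body=%PDF-1.4 ... Q3 forecast",
    "proto=HTTP src=192.0.2.10 dst=203.0.113.7 method=POST uri=/up body=PK\\x03\\x04 board-minutes.docx",
]

# File signatures a cleartext document upload would start with (PDF, OOXML/zip, RTF).
DOC_MAGIC = ("%PDF-", "PK\\x03\\x04", "{\\rtf1")

# Assumed thresholds: normal hostnames rarely have labels this long or this random.
MAX_LABEL_LEN = 40
MIN_ENTROPY_LEN = 20
ENTROPY_THRESHOLD = 3.8  # bits per character


def parse_line(line):
    """Split 'key=value' tokens; the body field is taken verbatim since it may contain spaces."""
    head, sep, body = line.partition(" body=")
    fields = dict(tok.split("=", 1) for tok in head.split())
    if sep:
        fields["body"] = body
    return fields


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    total = len(s)
    return -sum((s.count(c) / total) * math.log2(s.count(c) / total) for c in set(s))


def dns_reason(qname):
    """Return a reason string if the query name looks like encoded data in a label, else None."""
    labels = qname.rstrip(".").split(".")
    longest = max(labels, key=len)
    if len(longest) > MAX_LABEL_LEN:
        return f"label length {len(longest)} exceeds {MAX_LABEL_LEN}"
    if len(longest) >= MIN_ENTROPY_LEN and shannon_entropy(longest) >= ENTROPY_THRESHOLD:
        return f"high-entropy label ({shannon_entropy(longest):.2f} bits/char)"
    return None


def http_reason(fields):
    """Return a reason string if a POST body starts with a document signature, else None."""
    if fields.get("method") != "POST":
        return None
    body = fields.get("body", "")
    for magic in DOC_MAGIC:
        if body.startswith(magic):
            return f"cleartext POST body starts with document signature {magic!r}"
    return None


def analyze(lines):
    """Return (src, proto, reason) for every line that trips one of the two rules."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        proto = fields.get("proto")
        reason = None
        if proto == "DNS":
            reason = dns_reason(fields.get("qname", ""))
        elif proto == "HTTP":
            reason = http_reason(fields)
        if reason:
            alerts.append((fields.get("src"), proto, reason))
    return alerts


if __name__ == "__main__":
    for src, proto, reason in analyze(SAMPLE_LINES):
        print(f"{src} {proto}: {reason}")
```

The DNS rule deliberately keeps two independent triggers: a length check catches bulk-encoded labels regardless of alphabet, while the entropy check catches shorter chunks that still look nothing like a word. Both rules operate on the same parsed record, so adding a third channel means adding one more `*_reason` function rather than a new parser.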

“D” focused on getting as much information as he could about the nature of the group: IP addresses, routing tables, system domains, computer names, etc. Since this information can be obtained by using simple OS commands, it was the first thing we did. Afterwards, “Y” configured the new backdoor to hide our presence a bit more. Then it was my turn. Based on the previously collected data, I was in charge of finding the best way to perform the network recon.

After another SITREP to the customer and a quick conference call with the guys on the ground, we decided to leave everyone in place and continue following the execs – who were now aware that they were being followed. They kept their cool and played along in order to not tip off the attackers.

We set the recon and let the backdoor loose. The crawler module would try to find the requested information and send it back to us.

In the meantime, our first backdoor was killed. I don’t know whether this was because the attackers had found it or because they were blocking UDP. It didn’t matter; we still had a second one that would be very difficult to find and block – well, unless you disconnect the computer from the network. This one had several ways to send the information, using different protocols or injecting itself into other applications already connected to the internet.

With that set up, we went to work on the data that had initially been collected. Meanwhile, the guys on the ground were getting ready for a full-on SDR (surveillance detection route) to see if they could spot the attackers following the principals.

Continues in Part 3. Stand by.

(Featured Image Courtesy: Ludimaginary.net)