One of the key tasks for those defending a country’s, institution’s or corporation’s assets is to understand what threats exist. This is often referred to as Cyber Threat Intelligence or CTI. It encompasses understanding what the threat actors (hackers and nations) are doing and which are threats to your organization. In that regard, we have a new tool to identify and track command and control servers, malware and botnets using telltale fingerprinting from Shodan and Censys.
Command and Control Servers: History, Development & Tracking
In the fast-changing world of cybersecurity, Command and Control (C2) servers have been crucial. These servers are central to many cyber attacks and play a big role in the ongoing fight between offensive and defensive sides. To appreciate modern tools like C2 Tracker, let’s look back at the history and development of C2 servers.
Early days
The story of C2 servers starts in the early days of the internet, back in the 1990s. Hackers used Internet Relay Chat (IRC) channels as their first basic command centers. Infected computers would connect to these IRC channels, where attackers could send commands directly. The malware on the compromised systems would then carry out these commands.
The following figure shows the Hoaxcalls bot’s C2 communication with its C2 server over IRC.
The Web Era and the Art of Blending In
As detection methods got better, attackers changed their tactics. In the early 2000s, they started using web-based C2 systems. By using HTTP and HTTPS, attackers could hide their C2 traffic as regular web browsing. Since web traffic was everywhere, this method was a clever way to camouflage their malicious activities.
Using basic web servers to manage their command systems also made things simpler for attackers. This period marked a big step up in the sophistication of C2 methods, paving the way for even more advanced techniques.
Decentralization: The Peer-to-Peer Revolution
In the mid-2000s, C2 systems saw a major change with the rise of peer-to-peer (P2P) networks. This shift addressed the weakness of centralized servers, which were easy targets for law enforcement and defensive security teams.
In P2P C2 systems, infected computers talk to each other to spread commands and steal data. This decentralized setup made it much harder to shut down the network. Examples like the Storm botnet and later versions of the Waledac botnet showed how tough this model was to tackle, pushing cybersecurity experts to find new ways to detect and counter these threats.
Machines infected by Storm botnet:
Hiding in Plain Sight: The Social Media and Cloud Era
In the 2010s, the rise of social media and cloud services brought a new shift in C2 tactics. Cyber attackers quickly started using platforms like Twitter, Google Docs, and GitHub for their C2 operations. This made it much harder to spot malicious activity because commands could be hidden in ordinary tweets or documents. Additionally, using major cloud providers made their operations more reliable and resilient.
The Modern C2 Landscape
Today’s C2 systems use advanced evasion techniques to avoid detection. Domain fronting hides malicious traffic behind legitimate, high-reputation websites. Fast flux networks constantly change the IP addresses linked to C2 domains, making it difficult to block them. Some attackers even use steganography to hide commands in images or other harmless-looking files.
One of the latest trends is blockchain-based C2 systems, which use cryptocurrency networks for covert communication. This approach takes advantage of blockchain’s decentralized and anonymous features, creating new challenges for tracking and identifying these threats.
Blockchain transaction diagrams used by Glupteba botnet:
The Rise of C2 Tracking Tools
With C2 servers being so crucial in cyber attacks, developing effective tracking tools has become really important. By mapping out how different attackers set up their C2 systems, these tools provide insights into their tactics and capabilities. This helps link attacks to specific groups and track changes in methods over time.
Additionally, this data helps with proactive threat hunting, letting security teams search for signs of C2 communication within their networks and find hidden compromises. On a larger scale, C2 tracking tools offer valuable intelligence for law enforcement and cybersecurity researchers, supporting takedown operations and the creation of new defense strategies.
C2 Tracker
C2 Tracker is a free, community-driven IOC feed that uses Shodan and Censys searches to gather IP addresses of known malware, botnets, and C2 infrastructure.
This feed is available on GitHub and is updated weekly. You can view the results
here: https://github.com/montysecurity/C2-Tracker/tree/main/data
The tool tracks an extensive list of threats, including:
- C2 Frameworks: Cobalt Strike, Metasploit, Covenant, Mythic, Brute Ratel C4, and many more.
- Malware: A variety of stealers, RATs, and trojans such as AcidRain Stealer, Quasar RAT, ShadowPad, and DarkComet.
- Hacking Tools: XMRig Monero Cryptominer, GoPhish, Browser Exploitation Framework (BeEF), and others.
- Botnets: Including 7777, BlackNET, Doxerina, and Scarab.
To run it locally:
kali> git clone https://github.com/montysecurity/C2-Tracker.git
kalI> cd C2-Tracker
kali> vim .env
Add your Shodan API key as the environment variable SHODAN_API_KEY, and set up your Censys credentials with CENSYS_API_ID and CENSYS_API_SECRET.
kali> python3 -m pip install -r requirements.txt
kali> python3 tracker.py
In the data directory, you can see the results:
Let’s take a look at some of the IP addresses of GoPhish servers
Shodan shows that the default port 3333 is open.
When opened, we can see the authorization form.
Summary
Cyber Threat Intelligence is crucial to stay ahead of the bad guys. Tools like C2 Tracker are essential to providing you a clear picture of the threat landscape. They help by spotting threats early, aiding in incident response, and supporting overall security efforts. These tools improve our ability to detect, prevent, and handle cyber threats.