How RAT Malware keeps anonymous or untraceable connection with the server?
by Crimson_Rain - Tuesday March 26, 2024 at 01:41 AM
#1
Let's say that I wonder how the RAT malware or spyware (Client) keeps the connection with the server (Attacker) without the possibility of being tracked down. Besides encrypting the connection, what other good practices do they use? Do they use Tor in the malware, and how? Do they use social networks like Telegram as a type of server? How do they avoid being tracked down? Thanks for the information about the topic.
Reply
#2
Exiting the connection in a legit way will bypass detection. Accessing as a user too.

Everything is traceable, that's the problem, so you have to look legit and exit over multiple points and legit points.

It all depends on who you hack: kids or a corp, which corp, etc.
Reply
#3
(Mar 26, 2024, 01:41 AM)Crimson_Rain Wrote: Let's say that I wonder how the RAT malware or spyware (Client) keeps the connection with the server (Attacker) without the possibility of being tracked down. Besides encrypting the connection, what other good practices do they use? Do they use Tor in the malware, and how? Do they use social networks like Telegram as a type of server? How do they avoid being tracked down? Thanks for the information about the topic.

C2 tunnelling. Thank me later
Reply
#4
There are many ways.
A few examples I have seen when disassembling malware are:
- Light Tor implementation packed into the client (C2 comms over Tor)
- Network of proxies
- Tunneling traffic through third-party services

The last one is a pretty cool one. Some developers create implementations of clients for 3rd-party services in their malware to connect to the C2, such as a Dropbox client, or they abuse an API like Facebook/Telegram.

Assuming you may know nothing of malware development, you may think the connection from the implant (RAT) to the attacker is direct/p2p; it is almost never the case. Implants communicate with a C2 (command and control server) the same way attackers do. It acts as a relay between the attacker and the implant.

Hope I could help.

Reply
#5
Nothing is called 'untraceable' as long as the server is connected to the internet. If you are caught by a skilled DFIR team, oh baby, you're in big trouble even if you use VPNs/ProxyChains/proxies/etc. Why? The DFIR team will analyze the network activity and communications as well as examine the malware sample. Also, they'll conduct a "traceroute" to determine the origins of the connections coming in and going out from the compromised device.

(Jun 16, 2024, 04:39 AM)Vittlesical Wrote: Nothing is called 'untraceable' as long as the server is connected to the internet. If you are caught by a skilled DFIR team, oh baby, you're in big trouble even if you use VPNs/ProxyChains/proxies/etc. Why? The DFIR team will analyze the network activity and communications as well as examine the malware sample. Also, they'll conduct a "traceroute" to determine the origins of the connections coming in and going out from the compromised device.

There's a technique that may hide you called 'Reverse SSH tunneling.' It involves taking public communications and rerouting them to your internal C2 server.

This will help to hide your actual C2 server IP and also leave no traces behind, only the redirectors, and they're worth nothing tbh.

Reply
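Two points in this thread matter from the defender's side: post #4 says implants often relay C2 through legitimate third-party APIs (Dropbox, Facebook, Telegram), and post #5 says the network activity itself is what a DFIR team analyzes. The script below is an added example, not code posted by anyone in this thread, showing the kind of check that follows from both: it parses web-proxy log lines, groups connections per source and destination, and flags pairs whose inter-connection intervals are too regular to be human (a beacon timer), noting when the destination is one of the relay-capable services the thread names. The log lines, hostnames, and the 20% jitter threshold are all constructed assumptions for illustration.

```python
"""Beacon-interval detection over web-proxy logs (added example, not from the thread).

Looks for the two things the thread describes from the attacker side:
an implant polling its C2 on a timer, and the C2 hiding behind a
legitimate third-party API. All data below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one line per connection:
# "<ISO timestamp> <src_ip> <dest_host> <bytes_out>"
# 10.0.0.5 hits a Telegram API endpoint every ~30s; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2024-06-16T04:00:00 10.0.0.5 api.telegram.org 412
2024-06-16T04:00:30 10.0.0.5 api.telegram.org 409
2024-06-16T04:01:01 10.0.0.5 api.telegram.org 415
2024-06-16T04:01:30 10.0.0.5 api.telegram.org 411
2024-06-16T04:02:00 10.0.0.5 api.telegram.org 410
2024-06-16T04:02:31 10.0.0.5 api.telegram.org 413
2024-06-16T04:00:07 10.0.0.9 www.example.com 1830
2024-06-16T04:03:44 10.0.0.9 www.example.com 922
2024-06-16T04:19:02 10.0.0.9 www.example.com 5100
2024-06-16T04:40:11 10.0.0.9 api.dropboxapi.com 230
2024-06-16T04:55:49 10.0.0.9 api.dropboxapi.com 19000
"""

# Legitimate services the thread names as C2 relays (assumed list). A hit
# here is not proof of compromise by itself; it adds weight to a beacon finding.
RELAY_CAPABLE_HOSTS = {"api.telegram.org", "api.dropboxapi.com", "graph.facebook.com"}


def parse_log(text):
    """Return a list of (timestamp, src_ip, dest_host, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, host, int(nbytes)))
    return rows


def beacon_score(timestamps):
    """Coefficient of variation (stdev / mean) of the inter-connection gaps.

    Near zero means the connections fire on a fixed timer, which is how an
    implant polls its C2; a person browsing produces irregular gaps.
    Returns None when there are too few connections to judge.
    """
    if len(timestamps) < 4:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_beacons(rows, max_cv=0.2):
    """Flag (src, host) pairs whose connection timing is suspiciously regular.

    max_cv is the jitter tolerance: 0.2 means the gaps deviate from the mean
    gap by less than 20% on average (constructed threshold, tune per network).
    """
    by_pair = defaultdict(list)
    for ts, src, host, _ in rows:
        by_pair[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in sorted(by_pair.items()):
        cv = beacon_score(stamps)
        if cv is None or cv > max_cv:
            continue
        ordered = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        findings.append({
            "src": src,
            "host": host,
            "connections": len(stamps),
            "mean_interval_s": round(mean(gaps), 1),
            "jitter_cv": round(cv, 3),
            "relay_capable": host in RELAY_CAPABLE_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        tag = " (known relay-capable service)" if f["relay_capable"] else ""
        print(f"{f['src']} -> {f['host']}: {f['connections']} connections, "
              f"every ~{f['mean_interval_s']}s, jitter cv={f['jitter_cv']}{tag}")
```

On the sample data only the 10.0.0.5 to api.telegram.org pair is flagged (six connections about 30 seconds apart); the normal browsing and the two Dropbox calls have too few connections or too much variance. Real implants add random sleep jitter precisely to defeat this check, so raising max_cv trades false positives for catching sloppier beacons, and the relay_capable tag is what keeps a "legitimate" destination from being waved through.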