How does RAT malware keep an anonymous or untraceable connection with the server?
by Crimson_Rain - Tuesday March 26, 2024 at 01:41 AM
#1
Let's say I wonder how RAT malware or spyware (the client) keeps its connection with the server (the attacker) without the possibility of being tracked down. Besides encrypting the connection, what other good practices do they use? Do they use Tor in the malware, and how? Do they use social networks like Telegram as a type of server? How do they avoid being tracked down? Thanks for the information about the topic.
Reply
#2
Exiting the connection in a legit way will bypass detection.
Accessing as a user, too.

Everything is traceable, that's the problem, so you have to look legit and exit over multiple points and legit points.

It all depends on who you hack: kids or a corp, which corp, etc.
Reply
#3
(Mar 26, 2024, 01:41 AM)Crimson_Rain Wrote: Let's say I wonder how RAT malware or spyware (the client) keeps its connection with the server (the attacker) without the possibility of being tracked down. Besides encrypting the connection, what other good practices do they use? Do they use Tor in the malware, and how? Do they use social networks like Telegram as a type of server? How do they avoid being tracked down? Thanks for the information about the topic.

C2 tunnelling. Thank me later
Reply
#4
There are many ways.
A few examples I have seen when disassembling malware are:
- A light Tor implementation packed into the client (C2 comms over Tor)
- A network of proxies
- Tunneling traffic through third-party services

The last one is a pretty cool one: some developers create implementations of clients for third-party services in their malware to connect to the C2, such as a Dropbox client, or they abuse an API like Facebook's or Telegram's.

Assuming you may know nothing of malware development, you may think the connection from the implant (RAT) to the attacker is direct/P2P; that is almost never the case. Implants communicate with a C2 (command and control server) the same way attackers do. It acts as a relay between the attacker and the implant.

Hope I could help.

Reply
#5
Nothing is called 'untraceable' as long as the server is connected to the internet. If you are caught by a skilled DFIR team, oh baby, you're in big trouble even if you use VPNs/ProxyChains/proxies/etc. Why? The DFIR team will analyze the network activity and communications as well as examine the malware sample. They'll also conduct a "traceroute" to determine the origins of the connections coming in and going out of the compromised device.

(Jun 16, 2024, 04:39 AM)Vittlesical Wrote: Nothing is called 'untraceable' as long as the server is connected to the internet. If you are caught by a skilled DFIR team, oh baby, you're in big trouble even if you use VPNs/ProxyChains/proxies/etc. Why? The DFIR team will analyze the network activity and communications as well as examine the malware sample. They'll also conduct a "traceroute" to determine the origins of the connections coming in and going out of the compromised device.

There's a technique that may hide you called 'reverse SSH tunneling.' It involves taking public communications and rerouting them to your internal C2 server.

This will help to hide your actual C2 server IP and also leaves no traces behind, only the redirectors, and they're worth nothing tbh.

Reply
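Both the relay architecture described in #4 (implant talks to a C2 or a third-party API, never directly to the attacker) and the redirector point in the last reply (the log only ever shows the redirector, not the real C2) look the same from the defender's side: a host that keeps contacting one destination at nearly constant intervals. The script below is an added example for this thread, not code from any poster. It flags such beaconing in proxy logs by the coefficient of variation of the gaps between connections. The log lines, the internal addresses, the redirector address (203.0.113.10, RFC 5737 documentation range) and the list of third-party API hosts are all constructed or illustrative assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Illustrative set (assumption, not from the thread) of legitimate API hosts
# that the posters say malware sometimes uses as a relay. A hit is a hint only.
THIRD_PARTY_API_HOSTS = frozenset({
    "api.telegram.org",
    "api.dropboxapi.com",
    "graph.facebook.com",
})

# Constructed sample log (not real traffic). Format: "<ISO time> <src_ip> <dst_host> <bytes>".
#  - 10.0.0.5 polls api.telegram.org about every 60 s (third-party API used as relay).
#  - 10.0.0.9 polls 203.0.113.10 every 30 s (a redirector; the real C2 never appears).
#  - 10.0.0.7 is ordinary, irregular web browsing.
SAMPLE_LOG = """\
2024-06-16T04:00:00 10.0.0.5 api.telegram.org 412
2024-06-16T04:00:02 10.0.0.7 www.example.com 15230
2024-06-16T04:00:05 10.0.0.9 203.0.113.10 301
2024-06-16T04:00:35 10.0.0.9 203.0.113.10 299
2024-06-16T04:00:59 10.0.0.5 api.telegram.org 410
2024-06-16T04:01:05 10.0.0.9 203.0.113.10 305
2024-06-16T04:01:21 10.0.0.7 www.example.com 9120
2024-06-16T04:01:35 10.0.0.9 203.0.113.10 300
2024-06-16T04:02:01 10.0.0.5 api.telegram.org 416
2024-06-16T04:02:05 10.0.0.9 203.0.113.10 298
2024-06-16T04:02:35 10.0.0.9 203.0.113.10 303
2024-06-16T04:02:40 10.0.0.7 cdn.example.net 88211
2024-06-16T04:03:00 10.0.0.5 api.telegram.org 409
2024-06-16T04:03:05 10.0.0.9 203.0.113.10 302
2024-06-16T04:03:59 10.0.0.5 api.telegram.org 414
2024-06-16T04:04:10 10.0.0.7 www.example.com 2210
2024-06-16T04:04:12 10.0.0.7 login.example.com 4090
2024-06-16T04:04:13 10.0.0.7 www.example.com 1020
2024-06-16T04:05:00 10.0.0.5 api.telegram.org 411
2024-06-16T04:05:41 10.0.0.7 www.example.com 30400
2024-06-16T04:06:00 10.0.0.5 api.telegram.org 413
"""


def parse_log(text):
    """Parse '<ISO time> <src_ip> <dst_host> <bytes>' lines into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_connections=5, max_cv=0.15, allowlist=frozenset()):
    """Return (src, dst) pairs whose inter-connection gaps are nearly constant.

    cv = population stddev / mean of the gaps between successive connections.
    A RAT polling its C2, a redirector, or a third-party API gives a low cv;
    human browsing does not. Pass known-periodic legitimate hosts in allowlist.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        if dst in allowlist or len(events) < min_connections:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all connections at the same instant: a burst, not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(events),
                "mean_interval_s": round(avg, 1),
                "interval_cv": round(cv, 3),
                "mean_bytes": round(mean(n for _, n in events)),
                "via_third_party": dst in THIRD_PARTY_API_HOSTS,
            })
    findings.sort(key=lambda f: f["interval_cv"])  # most regular first
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample the two polling hosts are reported and the browsing host is not; the redirector entry shows why the last reply's "only the redirectors" holds: the detection names 203.0.113.10, and the C2 behind it has to be found from the redirector, not from this log. In practice the threshold and minimum count need tuning per network, and genuinely periodic software (update checks, monitoring agents) belongs in the allowlist rather than being dismissed by loosening max_cv.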