Thursday, June 11, 2015

A simple RAT C2 experiment...

This morning I was reading a security article in this tweet...

As a quick test for my own sanity, I logged into one of my banks, located somewhere that I could put some freeform text between two delimiters and plant a temporary dummy RAT payload, just to see if the bank filters out the really obvious stuff (like a plain-text IP address, for instance).  

It turns out this bank doesn't.  

Further, I realised this bank also gives me the ability to select from a list of banks, so you can further split things up into command (between the hyphens) and payload (between the "DELIM" text).

Whilst an encoded command would be more difficult to detect (see the article above), you'd think they'd regex out IP addresses or anything beginning with "http"... This is a bank, after all, and freeform text is bad design in this security context.
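A defender-side version of the filtering this post says is missing, as an added example (not code from the original post or from any bank): it screens freeform field values for plain-text IPv4 literals, anything beginning with "http", and the hyphen/DELIM command-and-payload structure described above. The field names, patterns and sample values are assumptions constructed for illustration.

```python
import re

# Patterns for the obvious things the post says a bank field should reject.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttp\S*", re.IGNORECASE)
# Hypothetical dead-drop structure from the post: a command between hyphens
# (letters only, so dates like 2015-06-11 are not flagged) and a payload
# between two "DELIM" markers.
COMMAND_RE = re.compile(r"-([A-Za-z_]+)-")
PAYLOAD_RE = re.compile(r"DELIM(.*?)DELIM", re.DOTALL)


def flag_freeform_text(text: str) -> list[str]:
    """Return the reasons a freeform field value looks like dead-drop content.

    An empty list means the value passed all of these deliberately simple
    checks; an encoded command will still slip past, as the post notes.
    """
    reasons = []
    if IPV4_RE.search(text):
        reasons.append("ipv4-literal")
    if URL_RE.search(text):
        reasons.append("url")
    if COMMAND_RE.search(text):
        reasons.append("hyphen-delimited-command")
    if PAYLOAD_RE.search(text):
        reasons.append("delim-wrapped-payload")
    return reasons


def screen_fields(fields: dict[str, str]) -> dict[str, list[str]]:
    """Screen every freeform field of one submission; keep only flagged ones."""
    return {name: r for name, value in fields.items()
            if (r := flag_freeform_text(value))}


# Constructed sample submission (assumed field names; 203.0.113.7 is a
# documentation address), not captured from any real bank.
SAMPLES = {
    "reference": "Rent June 2015",
    "payee_note": "-beacon- DELIM 203.0.113.7:443 DELIM",
    "memo": "see http://example.invalid/update",
}

if __name__ == "__main__":
    for name, reasons in screen_fields(SAMPLES).items():
        print(f"{name}: {', '.join(reasons)}")
```

A rejected submission is the cheap win; logging the flagged value alongside the account that submitted it is what turns this into a detection rather than just a form check.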

To recap what happened here: I just discovered you can leverage millions of dollars of infrastructure behind state-of-the-art security technology to plant freeform text that can be used to morph a bank into a C2 server.

Now just let that sink in for a moment.  Yikes!