1.5.1 HTTP Command and Control

In this section, you will understand how adversaries use HTTP to communicate with the malicious program. The following is an example of a malware sample (WEBC2-DIV backdoor) used by the APT1 group (https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf). The malicious binary makes use of the InternetOpen(), InternetOpenUrl(), and InternetReadFile() API functions to retrieve a web page from an attacker-controlled C2 server. It expects the web page to contain special HTML tags; the backdoor then decrypts the data within the tags and interprets it as a command. The following steps describe the manner in which the WEB2-DIV backdoor communicates with the C2 to receive commands:

Get Learning Malware Analysis now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.