Analyzing C2C Communications In Financial Malware

Mispadu, also known as Ursa, is remote overlay financial malware that targets banks in Spanish- and Portuguese-speaking countries such as Mexico, Colombia, Argentina, Chile, Portugal and Spain. Remote overlay malware is a malicious program that takes control of the victim's keyboard and mouse while the fraudster watches the victim's live screen.
When Mispadu resurfaced, the encoding of its command-and-control (C2C) communications had changed.
Preparing C2C communications
Goal of C2C communications
The attack relies on the remote overlay malware communicating with its operator. The fraudster uses this channel to send operational commands to the malware running on the victim's infected machine.
While watching the victim's live session, the fraudster carries out various overlay attacks, such as taking over the bank account.
C2C connection timing
Contrary to what one might expect, the fraudster does not contact the victim as soon as the infected application is launched. Such early contact could trigger antivirus alerts and expose the fraudster.
In this scenario, as in most other remote overlay scenarios, communication begins when the user visits one of the malware's targets: Spanish- or Portuguese-speaking bank websites.
Initialising C2C communications
The malware contacts the C2C server when the user browses to a site on its target list. It uses the WIN32 Socket APIs, the most practical way to establish the connection.
Before configuring the socket, the malware loads the C2C server's IP address and destination port.
Receive C2C messages
Once the socket is connected and the beacon has been sent, the malware waits for input from the C2C server. When a message arrives, a set of "read" functions handle it according to its sequence. These functions use similar algorithms to parse C2C communications.
The first of them, "TwYHJk1_wC51Read", is discussed first:
After receiving a message from the C2C server, the malware decodes it and compares it to a command string. "|SocketMain|>" is the first command compared in this first "read" function; the other "read" functions compare against different commands.
Note the function at 0x7364A8.
This function is responsible for decoding the complete message. It decodes the string using arithmetic operations.
Let's look at how that function operates.
Encoding C2C messages
Goal
Encoding the communication conceals the fraudster's intentions and techniques. This can be done with existing or custom algorithms. As seen above, "GFHHV..." appears to be encoded because it looks random and meaningless.
Execution
The decoding function is simple and decodes the messages received from the C2C server. The same scheme is used to encode the messages sent to the C2C server.
Decoding breaks down into these steps:
Step 1: Convert the first character ("G" of GFHHVGCGEFUGAFOFUGCFMFXHVFJ@) to its ASCII value, 71. Subtract 65 (ASCII "A") from it. The result is 6.
We will come back to 6 later, because this value is reused throughout the decoding.
Step 2: Take the ASCII value of the next character ("F" of GFHHVGCGEFUGAFOFUGCFMFXHVFJ@): 70. Subtract 65, the ASCII code for "A". The result is 5. Call this value X. The two assembly instructions can be represented by this equation:
(4X + X) + 4(4X + X) = 25X = 25 × 5 = 125
Step 3: Take the ASCII value of "H": 72. Subtract ASCII "A": the result is 7. Add the previous step's result: 125 + 7 = 132. From this, subtract step 1's result and 66 (ASCII "B"): 132 - 66 - 6 = 60, which is "<" in ASCII. This is the first character of the decoded string.
Step 4: Repeat steps 2 and 3 with the next pair of characters ("H" and "V" in GFHHVG...), appending each decoded character to build up the string.
Step 5: The string ends with "@" (GFHHVGCGEFUGAFOFUGCFMFXHVFJ@). Decoding the whole encoded text yields: <|PRINCIPAL|>. This is the string the malware first sends to the C2C server.
Something to remember
The scheme can produce the same plaintext character from different encoded characters.
For example, both AFV and GGC map to P.
A more complex example: decoding "GFHHVGCGEFUGAFOFUGCFMFXHVFJ" and "AFBHPFVFXFOFTFIFOFVFGFRHPFD" yields the same plaintext.
If the network is monitored, such encoding makes it difficult to understand the malware's behaviour without the decoding algorithm. Because each command has many possible encodings, the malware's repeated mode of operation looks different to the network monitor each time.
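The decoding steps above, and the one-to-many property they imply, re-implemented in Python as an added example (this is not the article's or the malware's own code). The inverse encoder is an assumption derived from the steps: the leading key letter (step 1), the constant 66 and the factor 25 are taken from the text, and the key letter is treated as a free choice that yields the 26 alternative encodings of one plaintext.

```python
# Added example: decoder/encoder for the Mispadu C2C message format
# described above. Message layout: one key letter, then one letter pair
# per plaintext character, terminated by '@'.
TERMINATOR = "@"
KEY_BASE = ord("A")   # 65: every letter is taken relative to 'A'
OFFSET = ord("B")     # 66: the constant subtracted in step 3


def decode_c2c(message: str) -> str:
    """Decode one encoded C2C message into its plaintext command."""
    body = message.split(TERMINATOR, 1)[0]          # stop at '@'
    if not body or (len(body) - 1) % 2 or not "A" <= body[0] <= "Z":
        raise ValueError("expected a key letter followed by letter pairs")
    key = ord(body[0]) - KEY_BASE                   # step 1: 'G' -> 6
    out = []
    for hi, lo in zip(body[1::2], body[2::2]):
        if not ("A" <= hi <= "Z" and "A" <= lo <= "Z"):
            raise ValueError(f"unexpected pair {hi}{lo}")
        x = ord(hi) - KEY_BASE                      # step 2: 'F' -> 5
        y = ord(lo) - KEY_BASE                      # step 3: 'H' -> 7
        out.append(chr(25 * x + y - OFFSET - key))  # 125 + 7 - 66 - 6 = '<'
    return "".join(out)


def encode_c2c(plaintext: str, key: int = 0) -> str:
    """Inverse of decode_c2c; key (0..25) selects one of 26 encodings.

    Assumed inverse: the article only walks through decoding.
    """
    if not 0 <= key <= 25:
        raise ValueError("key must select a letter A..Z")
    chunks = [chr(KEY_BASE + key)]
    for ch in plaintext:
        hi, lo = divmod(ord(ch) + OFFSET + key, 25)
        chunks.append(chr(KEY_BASE + hi) + chr(KEY_BASE + lo))
    return "".join(chunks) + TERMINATOR


if __name__ == "__main__":
    # Both strings from the article decode to the same beacon.
    for sample in ("GFHHVGCGEFUGAFOFUGCFMFXHVFJ@", "AFBHPFVFXFOFTFIFOFVFGFRHPFD@"):
        print(sample, "->", decode_c2c(sample))
```

A network sensor that carries this decoder can normalise every observed variant of a command back to its plaintext before matching, which removes the "looks different every time" effect the text describes.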
C2C instructions
Execution
After deciphering the command, the sample's next steps are straightforward. Each command has a specific operational role, allowing the fraudster to control the victim's mouse, keyboard and screen, among other things.
Main commands
The malware provides a set of commands that let the fraudster perform various tasks on the victim's PC.
The malware sends a beacon, "<|PRINCIPAL|>", to the C2C server to signal that the connection has been established.
After this first stage, the fraudster has full control of the victim's system and can take any action. Extracting key system information is an essential step. The "<|Info|>" command exports basic information about the victim: the Windows version, location, browser and the web page being viewed. An example of the malware's response to this command, sent back to the C2C server:
“Info: Chrome, Bank xWin 10At 4:04:12 PM.
This response says the victim is viewing Bank x's homepage in Chrome on Windows 10 at 4:04:12 PM.
This data is collected for several reasons. Knowing the victim's operating system makes it easier to deploy additional malicious tools on the system. Knowing which bank site the victim is visiting helps the fraudster carry out the attack.
Conclusion
Today, remote overlay attacks are among the most common threats to bank accounts, endangering banks and their customers. These attacks depend on communication between the malware and its operator, which is central to their strategy because they require real-time interaction. The malware encodes its communication to strengthen its defences and make it harder to reverse engineer. IBM's security researchers monitor, analyse and block these communications to prevent fraud.
Staying safe
To stay safe, users should routinely review their installed apps and uninstall any that seem unfamiliar or suspicious.
Users should also watch for unauthorised transactions in cryptocurrency wallets and unexpected login attempts on email accounts. Being aware and proactive helps reduce the risks of this evolving attack model.
IBM Trusteer helps organisations authenticate users, prevent fraud and malware, and build identity trust across the omnichannel customer experience. Over 500 leading firms use IBM Trusteer to grow and protect their customers' digital experiences.