Reverse Engineering and observing an IoT botnet

Collecting C2 commands

Finally, we can reimplement the C2 protocol and start communicating with the C2 server. Because our initial beacon looks like the one a real infected device sends, the C2 server accepts the connection as a valid bot and starts sending it commands to execute. Each command arrives as three comma-separated fields; the raw stream we recorded, split one command per line, looks like this:

80,hex,100
30028,hex,30
3074,hex,400
30028,hex,30
3074,hex,400
80,hex,120
30120,hex,30
30028,hex,300
27060,hex,45
3074,std,120
3074,hex,300
3074,hex,300
3074,hex,400
50004,std,10
3074,greip,300
50004,tcpall,10
80,hex,200

The block above shows a chunk of the C2 commands we received over a period of two days. The attack type is the middle field; the numbers around it look like a target port (80, 3074) and an attack duration in seconds, which is how Qbot-style bots typically encode their DDoS commands. As seen above, the hex attack type was issued far more often than any other (13 of the 17 commands shown), while std, greip and tcpall appeared only a few times.
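As an added example (not code from the original write-up), here is a Python parser for the command stream as it comes off the fake bot's socket, with the capture above embedded as sample input. It assumes the three-field layout port,attack,duration: the attack keyword is the middle field as in the capture, while naming the other two fields "port" and "duration" is an assumption, and the beacon bytes are a placeholder because the page does not show the beacon format. It also handles the practical edge case that TCP reads do not align with command boundaries, so a field cut across two recv() calls is reassembled rather than mis-parsed.

```python
"""Parse and tally Qbot/Mirai-style C2 commands received by a fake bot.

Added example, not the original write-up's code. Assumes each command is
"<port>,<attack>,<duration>"; "port" and "duration" are assumed meanings.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Attack keywords present in the capture; anything else is kept aside as unknown.
KNOWN_ATTACKS = {"hex", "std", "greip", "tcpall"}


@dataclass(frozen=True)
class Command:
    port: int       # assumed meaning: target port
    attack: str     # attack method keyword sent by the C2
    duration: int   # assumed meaning: attack length in seconds


class CommandStream:
    """Reassembles commands from arbitrary recv() chunks.

    The C2 does not align its writes with our reads, so a field may be cut
    across two chunks; partial data is buffered until the next chunk arrives.
    """

    def __init__(self) -> None:
        self._buf = ""                      # trailing, possibly incomplete field
        self._fields: List[str] = []        # complete fields of the current command
        self.unknown: List[List[str]] = []  # commands that failed validation

    def feed(self, chunk: bytes) -> Iterator[Command]:
        self._buf += chunk.decode("ascii", errors="replace")
        parts = self._buf.split(",")
        self._buf = parts.pop()             # last piece may be unterminated
        for tok in parts:
            tok = tok.strip()
            if not tok:                     # the leading comma yields an empty field
                continue
            self._fields.append(tok)
            if len(self._fields) == 3:
                fields, self._fields = self._fields, []
                yield from self._emit(fields)

    def flush(self) -> Iterator[Command]:
        """Drain the final field once the C2 closes the connection."""
        if self._buf.strip():
            self._fields.append(self._buf.strip())
            self._buf = ""
        if len(self._fields) == 3:
            fields, self._fields = self._fields, []
            yield from self._emit(fields)

    def _emit(self, fields: List[str]) -> Iterator[Command]:
        port, attack, duration = fields
        if attack not in KNOWN_ATTACKS or not (port.isdigit() and duration.isdigit()):
            self.unknown.append(fields)     # never raise: keep the session alive
            return
        yield Command(int(port), attack, int(duration))


def collect_from_c2(sock, beacon: bytes) -> Iterator[Command]:
    """Send the reimplemented beacon, then yield commands until the C2 hangs up.

    `sock` only needs sendall()/recv(); `beacon` is whatever the real bot
    sends first (its format is not shown on the page, so it is a parameter).
    """
    stream = CommandStream()
    sock.sendall(beacon)
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        yield from stream.feed(chunk)
    yield from stream.flush()


def tally(commands) -> Counter:
    """How often each attack keyword was issued."""
    return Counter(c.attack for c in commands)


def seconds_per_port(commands) -> Dict[int, int]:
    """Total commanded attack time per target port."""
    total: Counter = Counter()
    for c in commands:
        total[c.port] += c.duration
    return dict(total)


# Constructed sample: the capture from the write-up, as one byte string.
CAPTURE = (
    ",80,hex,100,30028,hex,30,3074,hex,400,30028,hex,30,3074,hex,400,80,hex,120,"
    "30120,hex,30,30028,hex,300,27060,hex,45,3074,std,120,3074,hex,300,3074,hex,300,"
    "3074,hex,400,50004,std,10,3074,greip,300,50004,tcpall,10,80,hex,200"
).encode()


class FakeC2Socket:
    """Replays CAPTURE in small chunks so the example runs offline."""

    def __init__(self, data: bytes, chunk_size: int = 7) -> None:
        self._data, self._pos, self._chunk = data, 0, chunk_size
        self.sent = b""

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, _n: int) -> bytes:
        chunk = self._data[self._pos:self._pos + self._chunk]
        self._pos += self._chunk
        return chunk                        # b"" once exhausted, like a closed socket


def parse_capture(chunk_size: int = 7) -> Tuple[List[Command], Counter]:
    # b"BEACON\n" is a placeholder; the real beacon bytes are not shown on the page.
    cmds = list(collect_from_c2(FakeC2Socket(CAPTURE, chunk_size), b"BEACON\n"))
    return cmds, tally(cmds)


if __name__ == "__main__":
    cmds, counts = parse_capture()
    print(f"{len(cmds)} commands; by attack type: {dict(counts)}")
    print("attack seconds per port:", seconds_per_port(cmds))
```

Against a live C2 you would pass a real connected socket and the bot's genuine beacon to collect_from_c2 instead of FakeC2Socket; the parser deliberately never raises on a malformed or unknown command, since an exception would drop the session and lose the rest of the capture.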

