Reverse Engineering and observing an IoT botnet

Collecting C2 commands

Finally, we can reimplement the C2 protocol and start communicating with the C2 server. Because the beacon matches what a real bot would send, the C2 server treats our client as a valid infected machine and starts sending it C2 commands to execute.

86.92.237.5,80,hex,100
20.50.217.147,30028,hex,30
73.89.110.85,3074,hex,400
20.50.217.147,30028,hex,30
73.16.216.56,3074,hex,400
192.223.25.100,80,hex,120
51.255.70.104,30120,hex,30
20.50.217.147,30028,hex,300
149.202.223.210,27060,hex,45
86.172.193.255,3074,std,120
73.58.228.123,3074,hex,300
73.16.216.56,3074,hex,300
73.89.110.85,3074,hex,400
188.122.88.176,50004,std,10
73.16.216.56,3074,greip,300
188.122.88.176,50004,tcpall,10
101.112.14.171,80,hex,200

The block above shows a chunk of the C2 commands we received over a period of 2 days. Each command carries a target address, a port and an attack type; as seen above, the hex attack type was issued far more often than the others.
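To make a collected command feed like the one above useful for monitoring, the lines need to be parsed, validated and aggregated (which attack types dominate, which target/port pairs are hit repeatedly, and for how long). The following script is an added example and not code from the original post or the botnet research it describes. It assumes the four comma-separated fields are target IP, target port, attack type and a duration in seconds; the duration meaning is an assumption, since the post does not name the fourth field. The sample feed is constructed in the same shape as the post's commands, using RFC 5737 documentation addresses rather than the real targets, and includes two malformed lines to show that the parser rejects rather than crashes on them.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class C2Command:
    target_ip: str
    target_port: int
    attack_type: str
    duration: int  # assumed to be attack duration in seconds (not stated in the post)


# Constructed sample feed: same "ip,port,type,duration" shape as the commands in the post,
# with RFC 5737 documentation addresses. The last two lines are deliberately malformed.
SAMPLE_COMMANDS = """
203.0.113.5,80,hex,100
198.51.100.147,30028,hex,30
203.0.113.85,3074,hex,400
198.51.100.147,30028,hex,30
203.0.113.56,3074,hex,400
198.51.100.100,80,hex,120
203.0.113.56,3074,greip,300
192.0.2.176,50004,std,10
192.0.2.176,50004,tcpall,10
this is not a command
203.0.113.9,99999,hex,10
"""


def parse_command(line: str) -> C2Command:
    """Parse one C2 command line; raise ValueError on anything that does not fit the format."""
    parts = line.strip().split(",")
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {line!r}")
    ip, port_s, attack_type, duration_s = (p.strip() for p in parts)
    ipaddress.ip_address(ip)  # raises ValueError for a non-address
    port = int(port_s)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    duration = int(duration_s)
    if duration <= 0:
        raise ValueError(f"non-positive duration: {duration}")
    if not attack_type.isalnum():
        raise ValueError(f"unexpected attack type token: {attack_type!r}")
    return C2Command(ip, port, attack_type, duration)


def parse_feed(text: str):
    """Split a captured feed into parsed commands and the raw lines that were rejected."""
    commands, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            commands.append(parse_command(line))
        except ValueError:
            rejected.append(line)
    return commands, rejected


def summarize(commands):
    """Aggregate the feed: attack-type frequency, hits per target and total seconds per target."""
    by_type = Counter(c.attack_type for c in commands)
    by_target = Counter((c.target_ip, c.target_port) for c in commands)
    seconds_by_target = Counter()
    for c in commands:
        seconds_by_target[(c.target_ip, c.target_port)] += c.duration
    return {
        "by_type": by_type,
        "by_target": by_target,
        "seconds_by_target": seconds_by_target,
    }


def top_attack_type(commands) -> str:
    """Name of the attack type issued most often (what the post observed to be 'hex')."""
    return summarize(commands)["by_type"].most_common(1)[0][0]


if __name__ == "__main__":
    cmds, bad = parse_feed(SAMPLE_COMMANDS)
    stats = summarize(cmds)
    print(f"{len(cmds)} commands parsed, {len(bad)} rejected: {bad}")
    print("attack types:", stats["by_type"].most_common())
    print("repeated targets:", [t for t, n in stats["by_target"].items() if n > 1])
    print("seconds per target:", stats["seconds_by_target"].most_common(3))
```

Running the script on the constructed feed reports nine parsed commands and two rejected lines, hex as the dominant attack type, and the target/port pairs that recur across commands; the same functions can be pointed at a real capture file to produce a daily summary or to feed repeated targets into a notification workflow.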
