I find there are a lot of “famous malware” case studies that focus extensively on the malware's unique endpoint actions, but far fewer that focus on how it operated on the wire: the specific channel, protocol and communication implementations chosen to maximize network evasion potential. Here I wanted to start a series that fills this gap.
I’ve only included cases that adhere to the following 3 criteria:
- They have been well studied, described and articulated by competent sources, since my intention here is only to curate.
- They employ some interesting, unusual or unique form of network behaviour with the implicit or explicit goal of network evasion.
- They are not known or established C2 frameworks, but “once-off” malware strains with some historical relevance. This is because I want to discuss how they actually behaved, not all the ways they could potentially behave.
Finally, I want to mention that, though I will touch on endpoint actions (lightly) when and where relevant to creating a cohesive narrative, the goal here is not to get sucked down that rabbit hole. Beautiful, amazing and interesting as it is, for the reasons already mentioned above, I will do my best to ensure the discussion remains focused on network behaviour.