Today > 10 Critical | 16 High | 29 Medium | 4 Low vulnerabilities   -   You can now download lists of IOCs here!

Writing a BugSleep C2 server and detecting its traffic with Snort

Oct. 30, 2024, 10:32 p.m.

Description

This analysis focuses on the BugSleep implant, also known as MuddyRot, a remote access tool that provides reverse shell and file I/O capabilities. The article details the process of reverse engineering BugSleep's protocol, creating a functional C2 server, and developing Snort rules for traffic detection. Key aspects include the implant's use of a bespoke C2 protocol over TCP, its encryption methods, and command structure. The researchers successfully implemented various commands such as ping, file operations, and reverse shell in a Python C2 server. The development of Snort rules for detecting BugSleep traffic is also discussed, highlighting challenges in rule creation and the use of flowbits for improved detection accuracy.

Date

Published: Oct. 30, 2024, 3:14 p.m.

Created: Oct. 30, 2024, 3:14 p.m.

Modified: Oct. 30, 2024, 10:32 p.m.

Attack Patterns

MuddyRot

BugSleep

T1043

T1021.002

T1059.003

T1095

T1573

T1016

T1082

T1105

T1071

T1132