How to quickly find malware panels (C2)?
A C2 (Command and Control) server is a server that infected machines connect to in order to receive instructions from malicious programs (malware). For instance, an attacker can send commands to compromised computers to launch attacks, steal data, or install additional malware.
In this article, we will focus on finding a “C2 panel,” which is the interface or dashboard that allows the attacker to manage the network of infected computers. Through this panel, they can view infected machines, issue commands, monitor activities, or simply manage their infrastructure.
To start locating a malicious C2 panel, we need an entry point. An effective approach is to leverage existing, known indicators, preferably recent, to pivot and discover new ones. Our search will start from the site ViriBack C2 Tracker, a free platform listing numerous C2 panels. The webpage we’ll be referencing can be accessed here.
To pivot around a malicious actor’s infrastructure and, as the term suggests, find “pivots,” it’s helpful to start with at least two indicators associated with the same threat. For this exercise, we selected two IPs linked to HookBot (a mobile malware) and posted on the same day on the site, assuming they belong to the same campaign.

The initial IPs are 154[.]216[.]18[.]31 and 87[.]120[.]117[.]119.
Next, we’ll use Censys.io, a tool that enables discovery, monitoring, and analysis of devices accessible and/or visible from the internet. We will analyze each IP in separate tabs for clarity and navigate to the “Table” section in Censys for both.

Scrolling down the page, we see that Censys has already tagged these two IPs with labels such as “C2” and “Remote-access,” highlighting relevant aspects of these IPs.

We keep these in mind and continue searching for similarities.
Using a simple in-page search (Ctrl+F) for the keyword “HookBot” on both host pages quickly reveals a match: the same vendor string appears on each.

Clicking the quick-search icon (the blue magnifying glass to the right of the field) next to the vendor field runs the search services.software.vendor="HookBot", yielding 43 results.

We then narrow our scope further using the filter options at the top left of the Censys results page. We filter by port 80 (services.port=80) and look for login pages, the main focus of our search (labels=login-page).

This reduces our matches to 5 results, a manageable number.
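To make the pivot above repeatable, here is an added example (my own code, not part of the original article or of Censys) that refangs the tracker's indicators, composes the vendor/port/label query used here, and applies the same filter locally to a few constructed host records. Joining the query terms with "and" and the simplified record layout are assumptions, not the real Censys schema.

```python
import re

# The two starting indicators quoted in the article, in their defanged form.
PAGE_INDICATORS = ["154[.]216[.]18[.]31", "87[.]120[.]117[.]119"]


def refang(indicator: str) -> str:
    """Restore a defanged indicator so it can be pasted into Censys or Urlscan."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def defang(indicator: str) -> str:
    """Defang an indicator before sharing it in a report, so it is not clickable."""
    out = re.sub(r"^https?://", lambda m: m.group(0).replace("http", "hxxp"), indicator)
    return out.replace(".", "[.]")


def build_censys_query(vendor: str, port=None, labels=()) -> str:
    """Compose the pivot query from the article; joining terms with 'and' is assumed."""
    parts = [f'services.software.vendor="{vendor}"']
    if port is not None:
        parts.append(f"services.port={port}")
    parts.extend(f"labels={label}" for label in labels)
    return " and ".join(parts)


# Constructed, simplified host records using RFC 5737 documentation addresses.
SAMPLE_HOSTS = [
    {"ip": "203.0.113.10", "labels": ["c2", "remote-access", "login-page"],
     "services": [{"port": 80, "software": [{"vendor": "HookBot"}]}]},
    {"ip": "203.0.113.11", "labels": ["c2", "remote-access"],
     "services": [{"port": 8080, "software": [{"vendor": "HookBot"}]}]},
    {"ip": "203.0.113.12", "labels": ["login-page"],
     "services": [{"port": 80, "software": [{"vendor": "nginx"}]}]},
]


def host_matches(host: dict, vendor: str, port: int, labels) -> bool:
    """Apply the vendor/port/label filter to one host record."""
    if not set(labels) <= set(host["labels"]):
        return False
    return any(svc["port"] == port and
               any(sw["vendor"] == vendor for sw in svc["software"])
               for svc in host["services"])


def pivot(hosts, vendor: str, port: int, labels):
    """Return the defanged IPs of hosts that survive the filter, ready for a report."""
    return [defang(h["ip"]) for h in hosts if host_matches(h, vendor, port, labels)]
```

Only the first constructed host survives: the second exposes HookBot on port 8080 without a login page, and the third is a login page from an unrelated vendor.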

Next, we go to Urlscan — a free online search engine — to verify our findings. Out of our 5 results, 2 were active HookBot C2 panels at the time of the search (10/09/2024). The other 3 are, or likely were, C2 panels but are currently inaccessible.

With two relevant results, we can continue our research on Urlscan to identify additional C2 panels. Using one of the newly found IPs, we open the “Indicators” tab (1). From there, we open each hash in a new window and manually inspect the new IPs and/or domains it reveals (2).

Example for one of the hashes:

After some quick searches, we found several additional indicators (IPs and domain names), listed below:
List of Indicators:
Search used on censys.io
Thank you for reading!
Julien