Course 6 - Network Traffic Analysis for Incident Response | Episode 6: Investigating RATs, Worms, Fileless, and Multi-Stage Malware Variants

Published 6 months, 1 week ago
Description
In this lesson, you'll learn about advanced malware traffic analysis: how to detect, decode, and investigate RATs, fileless exploits, worms, and multi-stage infections using real network captures.

1. Remote Access Trojans (RATs)
WSH RAT
  • Beacons to its C2 server over plaintext HTTP, so it is easy to spot in a capture.
  • Victim data exfiltrated in the HTTP requests:
    • Unique device ID
    • Computer name
    • Username (“admin”)
    • RAT version (carried in the User-Agent header, where it is easy to overlook)
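Worked example (added here; not code from the course or from the WSH RAT sample): parse a plaintext HTTP beacon, pull the victim fields out of the User-Agent header, and measure how regular the beacon timing is. The requests and timestamps are constructed, and the User-Agent layout "<device id>_<computer name>_<username>_<version>" plus the /check path are assumptions for this example, not the real wire format.

```python
import statistics
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the same beacon sent four times, about a minute apart.
# The User-Agent field order is an assumption made for this example.
RAW_BEACON = (
    b"GET /check HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: A1B2C3D4_WIN-LAB01_admin_v2.0\r\n"
    b"Accept: */*\r\n\r\n"
)
SAMPLE_BEACONS = [(t, RAW_BEACON) for t in (0.0, 60.3, 120.1, 180.4)]


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, query, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    url = urlsplit(target)
    return {"method": method, "version": version, "path": url.path,
            "query": parse_qs(url.query), "headers": headers, "body": body}


def extract_beacon_fields(req: dict, delimiter: str = "_") -> dict:
    """Pull the victim identifiers out of the User-Agent (assumed field order)."""
    ua = req["headers"].get("user-agent", "")
    names = ("device_id", "computer_name", "username", "rat_version")
    fields = dict(zip(names, ua.split(delimiter)))
    fields["c2_host"] = req["headers"].get("host", "")
    fields["path"] = req["path"]
    return fields


def beacon_regularity(timestamps) -> tuple:
    """Mean interval and coefficient of variation (stdev / mean) between requests.
    A scripted beacon has a CV near zero; a person browsing does not."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < 2:
        raise ValueError("need at least three requests to measure regularity")
    mean = statistics.fmean(intervals)
    return mean, statistics.pstdev(intervals) / mean


def triage(beacons, max_cv: float = 0.1) -> dict:
    """Combine both signals for one host: exfiltrated fields plus beacon timing."""
    fields = extract_beacon_fields(parse_http_request(beacons[0][1]))
    mean, cv = beacon_regularity([t for t, _ in beacons])
    fields.update(mean_interval_s=round(mean, 1), interval_cv=round(cv, 3),
                  periodic=cv <= max_cv)
    return fields


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BEACONS).items():
        print(f"{key:16} {value}")
```

The timing check matters because a plaintext User-Agent is trivial for the RAT author to change; the beacon cadence usually survives such changes and can be computed from any flow log, not only from full captures.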
NJRAT
  • Exfiltrates an extensive host fingerprint:
    • Windows XP build info
    • CPU type (Intel Core i7)
    • Username (“Laura”)
  • Messages are framed in custom binary data blocks:
    • Likely a proprietary C2 format
    • Example: a 4-byte length field preceding each payload (16 bytes in the sample shown)
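Worked example (added here; not the course's code and not a description of njRAT's real protocol): carve length-prefixed messages out of a reassembled TCP stream the way you would after "Follow TCP Stream". The stream is constructed; the 4-byte little-endian length prefix and the "|" field separator are assumptions for this example. The parser keeps a truncated trailing message for the next segment and detects a wrong byte-order guess by rejecting implausible lengths.

```python
def frame(payload: bytes, endian: str = "little") -> bytes:
    """Build one message in the assumed framing: 4-byte length, then payload."""
    return len(payload).to_bytes(4, endian) + payload


# Constructed stream: two complete messages and one cut off by the end of the capture.
SAMPLE_STREAM = (
    frame(b"Laura|Windows XP")                       # 16-byte payload, as in the lesson
    + frame(b"Intel Core i7|Windows XP|build 2600")
    + (25).to_bytes(4, "little") + b"partial"         # length says 25, only 7 bytes follow
)


def parse_length_prefixed(stream: bytes, endian: str = "little",
                          max_len: int = 1 << 20) -> tuple:
    """Carve messages; returns (complete messages, unconsumed tail)."""
    messages, offset = [], 0
    while offset + 4 <= len(stream):
        length = int.from_bytes(stream[offset:offset + 4], endian)
        if length == 0 or length > max_len:
            raise ValueError(f"implausible length {length} at offset {offset}: "
                             "wrong endianness, or not a frame boundary")
        if offset + 4 + length > len(stream):
            break                      # truncated message: leave it in the tail
        messages.append(stream[offset + 4:offset + 4 + length])
        offset += 4 + length
    return messages, stream[offset:]


def guess_endianness(stream: bytes) -> str:
    """Try both byte orders; keep the one that carves cleanly and consumes the most data."""
    best, best_consumed = None, -1
    for endian in ("little", "big"):
        try:
            _, tail = parse_length_prefixed(stream, endian)
        except ValueError:
            continue
        consumed = len(stream) - len(tail)
        if consumed > best_consumed:
            best, best_consumed = endian, consumed
    if best is None:
        raise ValueError("neither byte order yields a plausible frame sequence")
    return best


def split_fields(message: bytes, sep: bytes = b"|") -> list:
    """Split one message into its text fields (latin-1 keeps every byte)."""
    return [f.decode("latin-1") for f in message.split(sep)]


if __name__ == "__main__":
    endian = guess_endianness(SAMPLE_STREAM)
    msgs, tail = parse_length_prefixed(SAMPLE_STREAM, endian)
    print(f"byte order: {endian}, {len(msgs)} complete messages, {len(tail)} bytes pending")
    for m in msgs:
        print(len(m), split_fields(m))
```

The same loop works on the output of a pcap reassembler; the only protocol-specific parts are the prefix width, byte order and separator, which you confirm by checking that every carved length lands exactly on the next plausible prefix.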
2. Fileless Malware (Angler Exploit Kit) Detection
  • Traffic contains obfuscated script padded with random literature quotes
    → used to evade heuristic scanners.
  • The streams show signs of XOR encoding.
Extraction & Deobfuscation Using NetworkMiner:
  • Extracted files include:
    • A Shockwave Flash file (.swf)
    • Three large application/octet-stream files
  • XOR decoding reveals:
    • Shellcode
    • A Windows executable (DLL)
Purpose
  • The shellcode injects the malicious DLL into a running process (e.g., Internet Explorer).
  • Because the payload is never written to disk, it bypasses traditional file-based antivirus; the capture may be the only artefact, which makes network analysis essential.
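Worked example (added here; not the course's code and not the Angler payload from its capture): recover a repeating XOR key from a carved application/octet-stream blob without knowing the key length. The DOS-stub string found in almost every PE file is slid over the blob as known plaintext; wherever the XOR of blob and stub repeats with a short period, that period is the key, which is realigned to offset 0 and confirmed by the MZ and PE signatures. The blob below is constructed: a stand-in prefix in place of shellcode, a minimal fake PE header, and an arbitrary 3-byte key.

```python
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_repeat(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_fake_pe() -> bytes:
    """Minimal MZ/PE skeleton: e_lfanew at 0x3C points to 'PE\\0\\0' at 0x80."""
    header = bytearray(0x200)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")
    header[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    header[0x80:0x84] = b"PE\0\0"
    for i in range(0x84, 0x200):            # non-zero filler so the key cannot be read off zeros
        header[i] = (i * 37 + 11) & 0xFF
    return bytes(header)


# Constructed sample: 48 bytes standing in for shellcode (not real shellcode), then the PE.
SHELLCODE_STANDIN = bytes((i * 53 + 7) & 0xFF for i in range(48))
SAMPLE_KEY = b"\x5a\xc3\x19"
SAMPLE_BLOB = xor_repeat(SHELLCODE_STANDIN + build_fake_pe(), SAMPLE_KEY)


def looks_like_pe(data: bytes) -> bool:
    """MZ at 0 and the PE signature where e_lfanew says it is."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes, max_key_len: int = 16, known: bytes = DOS_STUB):
    """Return (key, offset where the decoded PE starts) or None.

    For every offset, XOR the blob against the known plaintext. If the result is
    periodic with period p <= max_key_len, it is the key stream: realign it to
    offset 0, decode, and check for a PE header either at offset 0 or 0x4E bytes
    before the stub (its usual position in a DOS header)."""
    n = len(known)
    for off in range(len(blob) - n + 1):
        stream = bytes(a ^ b for a, b in zip(blob[off:off + n], known))
        for p in range(1, min(max_key_len, n) + 1):
            if all(stream[i] == stream[i % p] for i in range(n)):
                key = bytes(stream[(j - off) % p] for j in range(p))
                decoded = xor_repeat(blob, key)
                for start in (0, off - 0x4E):
                    if start >= 0 and looks_like_pe(decoded[start:]):
                        return key, start
                break          # smallest period failed validation; try the next offset
    return None


if __name__ == "__main__":
    found = recover_xor_key(SAMPLE_BLOB)
    if found:
        key, start = found
        print(f"key {key.hex()} ({len(key)} bytes), PE begins at offset {start:#x}")
        print(xor_repeat(SAMPLE_BLOB, key)[start:start + 2])
```

Two practical notes. If the sample is a bare DLL with no shellcode in front, the zero-filled gaps in the DOS header leak the key directly (zero XOR key equals key), so try that first. If the blob is shellcode followed by a DLL, as in the lesson, the returned start offset is also where to cut for the file you hand to a disassembler.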
3. Network Worm Behavior
WannaCry (SMB Worm)
  • Exploits SMBv1 on TCP port 445 with EternalBlue (MS17-010), one of the Eternal-family exploits.
  • Behavior includes:
    • High-volume IP scanning for vulnerable systems
    • SMB exploitation setup (NOP sled → shellcode → payload transfer)
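Worked example (added here; not the course's code, and the flows are constructed rather than taken from its capture): the scanning phase is visible in flow metadata alone, before any exploit bytes. The detector below flags a source that reaches many distinct hosts on TCP 445 inside a sliding time window and reports how sequential the target addresses are, which separates a worm's linear sweep from a backup server that legitimately touches a few file shares.

```python
import ipaddress
from collections import defaultdict


def build_sample_flows() -> list:
    """Constructed flow records (ts, src, dst, dport, proto): one host sweeps
    10.0.1.1-40 on 445 in four seconds; another talks to two file servers."""
    flows = [(100.0 + i * 0.1, "10.0.0.5", f"10.0.1.{i}", 445, "tcp") for i in range(1, 41)]
    flows += [
        (100.5, "10.0.0.9", "10.0.2.10", 445, "tcp"),
        (160.0, "10.0.0.9", "10.0.2.11", 445, "tcp"),
        (101.0, "10.0.0.9", "10.0.2.10", 443, "tcp"),
    ]
    return flows


def detect_smb_sweeps(flows, window_s: float = 60.0, min_targets: int = 20,
                      port: int = 445) -> list:
    """Alert on sources that contact >= min_targets distinct hosts on `port`
    within any window_s-second sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == port:
            by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        peak, left = 0, 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window_s:
                left += 1                      # slide the window forward
            peak = max(peak, len({dst for _, dst in events[left:right + 1]}))
        if peak < min_targets:
            continue
        # Fraction of consecutive targets that differ by exactly one address:
        # near 1.0 means a linear sweep of a subnet.
        addrs = [int(ipaddress.ip_address(dst)) for _, dst in events]
        steps = sum(1 for a, b in zip(addrs, addrs[1:]) if b - a == 1)
        alerts.append({
            "src": src,
            "peak_targets_in_window": peak,
            "sequential_ratio": round(steps / max(len(addrs) - 1, 1), 2),
            "first_ts": events[0][0],
            "last_ts": events[-1][0],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_sweeps(build_sample_flows()):
        print(alert)
```

Tune min_targets against your own baseline: vulnerability scanners and SCCM-style management hosts also fan out on 445, so the alert should carry the source so it can be compared against an allow-list rather than blocked outright.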
MyDoom (SMTP Mailer Worm)
  • Attempts to spread by sending mail directly over SMTP (TCP port 25).
  • Sends spoofed “delivery failed” bounce messages carrying a malicious attachment:
    • e.g., a file shown as mail.zip that is really an .exe, its true extension pushed out of view by a run of spaces and a triple dot.
  • In the demonstration, every spreading attempt was blocked, showing modern protections in action.
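Worked example (added here; not the course's code, and the message is constructed rather than carved from its capture): take one SMTP message as reassembled from the stream, pull the attachment name out of the MIME headers, and decide whether the visible extension is a disguise. The check strips the space and dot padding, compares the visible extension with the real one, and also looks at the decoded payload, since a "zip" that starts with MZ is a second, independent signal. The bounce-subject list and executable-extension set are assumptions for this example.

```python
import email
import unicodedata

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
BOUNCE_SUBJECTS = ("delivery failed", "delivery status notification",
                   "returned mail", "mail delivery failed")

# Constructed message in the style of the spoofed bounce described above.
SAMPLE_MAIL = (
    b"From: postmaster@example.invalid\r\n"
    b"To: laura@example.invalid\r\n"
    b"Subject: Delivery failed\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"The message could not be delivered. See the attached report.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="mail.zip                               ...exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA\r\n"                     # decodes to an MZ header
    b"--b1--\r\n"
)


def disguised_executable(filename: str):
    """Return details if the real extension is executable and hidden behind
    padding or a second, innocuous-looking extension; otherwise None."""
    name = unicodedata.normalize("NFKC", filename)   # folds NBSP and friends to ASCII space
    if "." not in name:
        return None
    stem, real_ext = name.rsplit(".", 1)
    real_ext = real_ext.strip().lower()
    if real_ext not in EXECUTABLE_EXTS:
        return None
    visible = stem.rstrip(" .")                      # what a narrow filename column shows
    padding = stem[len(visible):]
    shown_ext = visible.rsplit(".", 1)[1].lower() if "." in visible else ""
    if not padding and not shown_ext:
        return None                                  # plain foo.exe: executable, not disguised
    return {"shown_as": visible, "real_ext": real_ext,
            "padding_chars": len(padding), "double_extension": bool(shown_ext)}


def triage_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and score its lure and attachments."""
    msg = email.message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    findings = {"bounce_lure": any(s in subject for s in BOUNCE_SUBJECTS),
                "attachments": []}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        findings["attachments"].append({
            "filename": name,
            "disguised": disguised_executable(name),
            "pe_header": payload.startswith(b"MZ"),
        })
    return findings


if __name__ == "__main__":
    print(triage_message(SAMPLE_MAIL))
```

On the wire, the same check applies to the DATA portion of each outbound SMTP session, which is exactly where the lesson's blocked spreading attempts would be visible even though no mail was ever delivered.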
4. Multi-Stage Malware Infection Tracking
Stage 1 — Initial Compromise
  • Suspicious HTTP request carrying a Base64-encoded ID.
    • It decodes to the victim's email address (e.g., Reginald/Reggie Cage): a per-victim tracking identifier and a privacy red flag.
  • Download of a malicious Microsoft Word file.
Stage 2 — Downloader Activity
  • Traffic to known malware-downloader domains (e.g., Pony botnet infrastructure).
  • Malware sends detailed victim metadata:
    • GUID
    • OS build number
    • IP address
    • Hardware info
Stage 3 — Command & Control
  • Multiple C2 messages observed:
    • Some Base64-encoded
    • Many encrypted, indicating later-stage payloads being delivered
  • Strong evidence of the chain:
    • Word file → downloader (Pony) → secondary malware → possible tertiary stage
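Worked example (added here; not the course's code, and every message below is constructed rather than taken from its capture) covering the Stage 1 Base64 ID and the Stage 3 mix of encoded and encrypted C2 messages: classify each payload as plaintext, Base64 that decodes to readable text, or high-entropy data that is probably encrypted or compressed, and decode Base64 query parameters from a request URL. The victim email address is a made-up value in the example.invalid domain; the encrypted sample is a SHA-256 chain standing in for ciphertext. Thresholds are assumptions to tune against your own traffic.

```python
import base64
import binascii
import hashlib
import math
import re
import string
from urllib.parse import urlsplit

PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}
B64_RE = re.compile(rb"^[A-Za-z0-9+/_-]+={0,2}$")   # standard or URL-safe alphabet


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; random or encrypted data approaches 8."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def try_base64(token: bytes):
    """Decode Base64 (padding optional, URL-safe accepted); None unless the
    result is readable text. Short tokens are skipped: four-letter words are
    valid Base64 too, which is the main false-positive source."""
    if len(token) < 8 or not B64_RE.match(token):
        return None
    body = token.rstrip(b"=").replace(b"-", b"+").replace(b"_", b"/")
    if len(body) % 4 == 1:
        return None                                   # impossible Base64 length
    try:
        out = base64.b64decode(body + b"=" * (-len(body) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return out if out and printable_ratio(out) >= 0.9 else None


def classify(payload: bytes, min_len_for_entropy: int = 64) -> dict:
    """Label one C2 message. Order matters: Base64 text is also 'printable'."""
    decoded = try_base64(payload.strip())
    if decoded is not None:
        return {"class": "base64-encoded", "decoded": decoded.decode("latin-1")}
    if printable_ratio(payload) >= 0.95:
        return {"class": "plaintext", "decoded": payload.decode("latin-1")}
    h = round(entropy_bits(payload), 2)
    if len(payload) >= min_len_for_entropy and h >= 6.5:
        return {"class": "encrypted-or-compressed", "entropy": h}
    return {"class": "binary", "entropy": h}


def base64_ids_in_url(url: str) -> dict:
    """Stage 1 check: query values that are Base64 for readable text.
    The query is split by hand because parse_qs turns '+' into a space and
    would corrupt standard-alphabet Base64."""
    found = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        decoded = try_base64(value.encode())
        if decoded is not None:
            found[name] = decoded.decode("latin-1")
    return found


def fake_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for encrypted C2."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: Stage 2 style plaintext metadata, the Stage 1 style
# Base64 victim ID, and a Stage 3 style encrypted message.
VICTIM_ID = base64.b64encode(b"reggie.cage@example.invalid")
SAMPLE_MESSAGES = [
    b"guid=5F3A9C1E&os=2600&ip=10.0.0.5&cpu=Intel+Core+i7",
    VICTIM_ID,
    fake_ciphertext(512),
]
SAMPLE_URL = "http://dl.example.invalid/get.php?id=" + VICTIM_ID.decode() + "&v=1"

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(classify(m))
    print(base64_ids_in_url(SAMPLE_URL))
```

The classes map onto the analyst's triage order: plaintext and decodable messages are read directly for IOCs, while a run of high-entropy messages from the same host after a plaintext check-in is the signature of a later stage whose key you will only get from the binary carved in the earlier stage.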
5. Key Techniques Demonstrated
  • Identifying IOCs in network captures
  • Detecting plaintext, encoded, and encrypted C2 protocols
  • Carving files and reconstructing injected payloads
  • Analyzing worm scanning patterns
  • Tracking infection chains across multiple malicious components

