Industroyer C2 Communication

As part of my day job, I work for Secarma (previously known as Pentest Limited) as a Senior Penetration Tester.

During engagements, the question of malware threats is increasingly raised, in part due to media focus on APT groups such as APT28, and malware campaigns such as WannaCry.

While looking into another malware variant recently uncovered by ESET, Industroyer, I started reviewing the protocol used to communicate with the backdoor component of the malware.

Details of the research have been published under Secarma Labs, which can be found here.

A video demonstrating the malware in action, controlled by “Indushell” (a mock C2 server script) can be found below. Source for Indushell showing the protocol in action can be found on GitHub here.