Every year thousands of organizations are compromised by targeted attacks. In many cases the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible, as if the assailants' skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe.
If one looks at the many APT reports that have been released over the years, some clear patterns start to emerge. A small number of Remote Administration Tools (RATs) are preferred by actors and reused across multiple campaigns. Frequently sited tools include Gh0st RAT, Korplug/Plug-X, and XtremeRAT among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities. Vulnerabilities that can be exploited to turn the tables from hunter to hunted.
Although the material in this talk will provide tools for launching an offensive against attackers, this talk is not intended to be an instructional for hacking back. The ethics and legality of counter attacks will be touched on only briefly as that is a discussion beyond the scope of this talk.
The presentation will disclose several exploits that could allow remote execution or remote information disclosure on computers running these well-known C&C components. It should serve as a warning to those actors who utilize such toolsets. That is to say, such actors live in glass houses and should stop throwing stones.