This work was inspired by my coworker’s (Josh Abraham) work to demonstrate alternative forms of Command and Control. Some of his POCs included demonstrations using Slack and ICMP for C2. While these techniques aren’t revolutionary, the simplicity of the POC and how hard it was to detect confirmed my suspicion that the future of C2 is going to be tunneling traffic via features of well-known applications.
In addition, there was a recent Twitter post from @randomuserid that got me thinking about what other sites besides Slack could be utilized. So, I browsed through the Alexa top sites and started seeing what features could be abused to facilitate C2 traffic. The first few were all linked in @randomuserid’s Google sheet, so I moved onto wikipedia.org. It didn’t take me long to stumble onto the Wikipedia API page.
When determining what API to use, I had two goals: I wanted my traffic to be private (so no public pages) and I wanted to be able to send a not insignificant amount of data. I started with the options API as it seemed that setting options for the current user (perhaps steganography via a user profile picture?) would be a plausible solution. Browsing the list of user options, one immediately stood out:
userjs-arbitraryKeyName. After a bit of experimentation, it proved trivial to set the value of this option. In addition, testing revealed that the maximum size was 65535 characters - more than enough for a useful C2 channel.
As an attacker, I would be hesitant to use this method as my primary C2 channel. A well-positioned defender could potentially notice the spike in traffic to Wikipedia. Instead, I would use this similar to the way that Red Teams utilize C2 over DNS - a backup channel in case the primary method is blocked.
As a defender, I would continue with standard methods for identifying unusual spikes in traffic. Play with the POC and see how much data has to be transferred to cause a spike in traffic to Wikipedia. If you’re doing HTTPS interception, it’s unlikely that standard users are using the Wikipedia API. All that being said, I believe this technique would be incredibly difficult to detect for your average Blue Team. I’m a firm believer in focusing security on the endpoint, and demonstrations like this continue to confirm that belief.
Project link: https://github.com/dweezy-netsec/wikipedia-c2