I'm not really into malware, so I was just wondering:
- Isn't this really non-viable in practice? The "few headers" that were shown include an Authorization header, that would presumable rotate every ~24 hours and would have to rotate for all the malware clients as well.
- Are centralized Command and Control Severs still a thing in the malware space? I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.
> I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.
Why would you want to use blockchains for this? DHT has been used for distributed c&c for ages and is generally a much lighter option.
But no, P2P C&C is still not really typical. In practice, there's mostly not that much need for it. Also, FWIW, for practically all use-cases P2P C&C discovery is a vastly better option.
One could probably use matrix (perhaps might need account creation?) or session or simplex (their accounts are sort of like addresses, easy to make compartively to matrix)
I have built dead simple bots on both session/simplex trying both of them out and session was the more ergonomic one to build on but simplex is more decentralized considering session's more crypto related and wants to ask you for money for node whereas simplex doesn't
Although on the other hand, simplex wants to do client side verification on their official client and their bot creation was really painful to start with so but I do feel like its more decentralized but not sure, Both have consequences but honestly I just really end up shilling signal in the end for most people's usual use cases which is communication but its super great to know that there are alternatives.
Matrix is really cool as well. especially cinny's ui (https://cinny.in)
In most red team contexts, the implants don't talk directly to the actual C2 - the implants talk to listening posts (often behind redirectors/transient reverse proxies) and then the listening posts request commands from the C2 server.
probably not so useful in practise, but still fun and interesting.
Yes, centralised C2 is definitely still a thing in the malware space, for commodity malware it works well enough that there's little real incentive to move to anything more complex.
Regarding your first point, extraction of the headers could be trivially automated. Also, using Hinge's CDN (which I think is CloudFlare and/or AWS) is more viable imo, as you don't need to provide headers to GET the files. If that also applies to user-uploaded videos then I do think there's some meat on this bone. But as the other user who replied to you pointed out, this was mostly for nerdy delight.
Also thanks for bringing up the blockchain C2 use, that's cool and news to me.
speaking of command and control servers, the best one you can get at the moment is to just to use crypto currencies, plenty of available nodes to auto discover or just rely on explorers to query your own wallet, deposit address can encode quite a bit of information since it's a pretty long address and definitely has enough bytes to encode commands
I want to thank you and the other user (hobofan) for pointing out the use of crypto currencies as C2s. I do bioinformatics for a living, not infosec, so that's another fun little rabbit hole for me to go on...
Hey I actually created something like this when I was once curious. Its called nanotimestamps
I found it when I realized that nano had 0 fees and I realized that by using a nano vanity address generator, I can embed data into a series of transactions and then basically embed data into the chain (for free) since there is 0 gas fees
Now I created it as a way of getting timestamps of any data onto the chain but you can embed any information and create c2c's on top of that
There is also a way that I vibe coded once to embed data directly into the vanity address and so you can lose 10^-32 nano or basically negligble which is more efficient as well
If you have any questions, I'd love to answer (also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest)
Cool! I wasn't aware of nano; your point about the gas fees is really compelling, as there's a lot of stuff I've wanted to try building on Ethereum et al that I just haven't done because I can't get over the hurdle of paying transaction costs lol.
> also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest
At the risk of derailing the thread, I agree. However, I think "tokenization" is probably crypto's killer app if the messy problem of legal finality rectifying assets on the blockchain with their real-world counterparts can be solved. I touched upon this in a separate post on my blog.
Oh yeah another point, see my other comment as well but if you need to start with nano, all you need is a faucet which you can get for literally free and that's all you need for you to experiment with my project.
You really don't need to spend any money at all and that's actually how I built it. I recommend you to contact me if you wish to run it locally for experiments purposes as it requires bao and nano-vanity-generator, you can take the look at the code
Also I would like to disclose that the code is AI generated. I have no expertise in this field but I found this idea fascinating and saw nobody doing it so did it. But still, I am just proud of my idea and I get good reception whenever I mention this idea (which is quite a lot, tbh I am proud of it a little) so yeah, I love talking about this project's idea fascinating as well and I have expanded upon this work privately to even build ways of creating ones own tokens on top of nano etc. but creating wallet etc. and more abstractions felt wrong and I just wanted to prove it was possible
To be honest, you creating a c2 server on hinge was similar to this feeling of "proving" as well.
To me, its just that if I can prove something, then I can figure out the practical uses of it later (like discussing it right now) etc.
I guess we both are similar in the "proving" way reading your article which is nice to hear, Let me know if you have any questions as I would love to answer!
So let me know how you like this project, Y'know making this project had to make me build some abstractions which you might be interested to look at as well and could be used for multiple purposes.
Create an issue in my github repo if you want to talk to me if you have any questions as well and I would love to answer there and here as well if you wish! Glad my project could be of interest to ya! If you have any use cases for my project, then let me know as well
I think this is one of those things where if you're married (like me) you only have the most peripheral sense of the popularity of these things and if you're single they potentially occupy way too much of your thoughtspace.
Again, why? Nothing on its wiki article or the first page of Google results suggests it should be a household name.
So unless the default assumption is that everyone on HN is dating (I'm married) I genuinely don't understand why it's weird to not have heard of some random ass dating app
Because it used to be the "best" dating app out there for "serious" people wanting long term relationships. Now all the apps are trash and have predatory monetization.
Even if you're married, you've got to know somebody who isn't. It's like referring to Google as "some random ass search engine website" and wondering why people think you're the weird one.
The Hinge app I know of is from my healthcare provider, and reminds me to do stretches. It also has a pretty great TENS device peripheral. I wouldn't expect young single people to know about that app, because it serves a different demographic.
The purpose of command and control servers is to send and receive data to victims devices.
A secondary goal is to do so while evading detection. This is why many threat actors piggy-back off of legitimate services, it disguises the malware communications and avoids directly exposing the upstream C2 instance.
You don't have to do that? I touched upon it in the first section of the post. All you need is a valid phone number, which you can use throwaway trial SIM cards for.
Maybe you're getting lucky and not tickling their risk-based nonsense, but now that this article has been posted they'll certainly crank that knob up to 11.
You probably don't use Hinge. The verification is not necessary at all. It's merely used to "verify" your identity to other users. It has no bearing on what I cover in the post.
Interesting! Well, I'm definitely not in whatever those regions are. Presumably if a threat actor was motivated enough this would be fairly easily circumvented :]
Edit: e.g. via residential proxy IPs and a bunch of cheap Android phones
They don't let you upload facefusion videos. The video has to come from the front-facing camera on a phone.
There is an extremely profitable company (whose data hoard keeps geting hacked but why should they care?) built around this:
https://www.au10tix.com/
Most apps use device attestation (derived from secure boot) to make sure the video stream is really coming from a front-facing camera on a physical device. If Hinge isn't doing this yet they surely will be in 5, 4, 3, 2...
Front-facing paired with IR depth map would map it an order of magnitude harder, but I don't know what the standards are around that or what the installed base is on Android.
- Isn't this really non-viable in practice? The "few headers" that were shown include an Authorization header, that would presumable rotate every ~24 hours and would have to rotate for all the malware clients as well.
- Are centralized Command and Control Severs still a thing in the malware space? I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.
Why would you want to use blockchains for this? DHT has been used for distributed c&c for ages and is generally a much lighter option.
But no, P2P C&C is still not really typical. In practice, there's mostly not that much need for it. Also, FWIW, for practically all use-cases P2P C&C discovery is a vastly better option.
I have built dead simple bots on both session/simplex trying both of them out and session was the more ergonomic one to build on but simplex is more decentralized considering session's more crypto related and wants to ask you for money for node whereas simplex doesn't
Although on the other hand, simplex wants to do client side verification on their official client and their bot creation was really painful to start with so but I do feel like its more decentralized but not sure, Both have consequences but honestly I just really end up shilling signal in the end for most people's usual use cases which is communication but its super great to know that there are alternatives.
Matrix is really cool as well. especially cinny's ui (https://cinny.in)
Yes, centralised C2 is definitely still a thing in the malware space, for commodity malware it works well enough that there's little real incentive to move to anything more complex.
Also thanks for bringing up the blockchain C2 use, that's cool and news to me.
I found it when I realized that nano had 0 fees and I realized that by using a nano vanity address generator, I can embed data into a series of transactions and then basically embed data into the chain (for free) since there is 0 gas fees
Now I created it as a way of getting timestamps of any data onto the chain but you can embed any information and create c2c's on top of that
There is also a way that I vibe coded once to embed data directly into the vanity address and so you can lose 10^-32 nano or basically negligble which is more efficient as well
If you have any questions, I'd love to answer (also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest)
Is this you? https://github.com/Koeng101/nanotimestamps
> also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest
At the risk of derailing the thread, I agree. However, I think "tokenization" is probably crypto's killer app if the messy problem of legal finality rectifying assets on the blockchain with their real-world counterparts can be solved. I touched upon this in a separate post on my blog.
You really don't need to spend any money at all and that's actually how I built it. I recommend you to contact me if you wish to run it locally for experiments purposes as it requires bao and nano-vanity-generator, you can take the look at the code
Also I would like to disclose that the code is AI generated. I have no expertise in this field but I found this idea fascinating and saw nobody doing it so did it. But still, I am just proud of my idea and I get good reception whenever I mention this idea (which is quite a lot, tbh I am proud of it a little) so yeah, I love talking about this project's idea fascinating as well and I have expanded upon this work privately to even build ways of creating ones own tokens on top of nano etc. but creating wallet etc. and more abstractions felt wrong and I just wanted to prove it was possible
To be honest, you creating a c2 server on hinge was similar to this feeling of "proving" as well.
To me, its just that if I can prove something, then I can figure out the practical uses of it later (like discussing it right now) etc.
I guess we both are similar in the "proving" way reading your article which is nice to hear, Let me know if you have any questions as I would love to answer!
No its not, I have the domain nanotimestamps.org but its not really doing much (its called laziness from my side)
https://github.com/SerJaimeLannister/nanotimestamp/blob/main...
Here you go! (the video starts as a gif but there is also a .mp4)
Ended up finding that the best way to upload videos is probably github wiki pages
https://github.com/SerJaimeLannister/nanotimestamp/wiki
So let me know how you like this project, Y'know making this project had to make me build some abstractions which you might be interested to look at as well and could be used for multiple purposes.
Create an issue in my github repo if you want to talk to me if you have any questions as well and I would love to answer there and here as well if you wish! Glad my project could be of interest to ya! If you have any use cases for my project, then let me know as well
have a nice day! Looking forward to talk to ya
If you are interested in L2's, polygon's cheap as well fwiw
https://hinge.co/
So unless the default assumption is that everyone on HN is dating (I'm married) I genuinely don't understand why it's weird to not have heard of some random ass dating app
The author basically found a creative use of Hinge’s infrastructure and proved it could be used to control malware.
A secondary goal is to do so while evading detection. This is why many threat actors piggy-back off of legitimate services, it disguises the malware communications and avoids directly exposing the upstream C2 instance.
So that you can then use that account, which is tied to your biometrics, for lawbreaking?
Wut?
Account creation requires biometric face-scan.
https://redlib.catsarch.com/r/SwipeHelper/search?q=hinge+sel...
Maybe you're getting lucky and not tickling their risk-based nonsense, but now that this article has been posted they'll certainly crank that knob up to 11.
You probably don't use Hinge. The verification is not necessary at all. It's merely used to "verify" your identity to other users. It has no bearing on what I cover in the post.
Edit: e.g. via residential proxy IPs and a bunch of cheap Android phones
There is an extremely profitable company (whose data hoard keeps geting hacked but why should they care?) built around this:
Most apps use device attestation (derived from secure boot) to make sure the video stream is really coming from a front-facing camera on a physical device. If Hinge isn't doing this yet they surely will be in 5, 4, 3, 2...Fundamentally no amount of front facing camera on a physical device or other shenanigan a company might do can really do anything about it?