{
  "name": "Writing a BugSleep C2 server and detecting its traffic with Snort",
  "slug": "writing-a-bugsleep-c2-server-and-detecting-its-traffic-with-snort",
  "description": "This analysis focuses on the BugSleep implant, also known as MuddyRot, a remote access tool (RAT) that provides reverse shell and file I/O capabilities. The article details the process of reverse engineering BugSleep's protocol, building a functional C2 server, and developing Snort rules to detect its traffic. Key aspects include the implant's use of a bespoke C2 protocol over TCP, its encryption methods, and its command structure. The researchers implemented various commands, such as ping, file operations, and reverse shell, in a Python C2 server. The development of Snort rules for detecting BugSleep traffic is also discussed, highlighting the challenges of rule creation and the use of flowbits to improve detection accuracy.",
  "published": "2024-10-30T14:14:53+00:00",
  "created_at": "2024-10-30T14:14:53+00:00",
  "modified_at": "2024-10-30T21:32:21+00:00",
  "created_at_opencti": "2024-10-30T14:14:53+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-30",
    "bugsleep",
    "c2 protocol",
    "muddyrot",
    "python server",
    "rat",
    "reverse engineering",
    "snort detection"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:8e8dc8d233cb84b8",
        "name": "MuddyRot",
        "slug": "muddyrot"
      },
      {
        "id": "legacy:malware:9500d2b3bb52dd2a",
        "name": "BugSleep",
        "slug": "bugsleep"
      }
    ],
    "attack_patterns": [
      {
        "id": "a69453e8-307d-4331-976b-b3a151424f26",
        "name": "T1043"
      },
      {
        "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3",
        "name": "T1021.002"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      }
    ]
  },
  "external_refs": [
    "https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/",
    "https://otx.alienvault.com/pulse/67224d6dbd424a67541873dc"
  ]
}