NETRESEC Network Security Blog - Tag : NetworkMiner


Latrodectus BackConnect

Latrodectus BackConnect spider

I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their report is titled From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion.

I found it particularly interesting that the threat actors used Latrodectus to drop a BackConnect RAT to the victim PC. I have verified that this RAT’s Command and Control (C2) traffic is using the exact same BackConnect C2 protocol as what would previously be seen in IcedID and QakBot infections.

This BackConnect RAT supports features such as:

  • Reverse VNC (Keyhole)
  • Reverse SOCKS
  • Reverse shell (cmd.exe or powershell)
  • File manager

NetworkMiner

I immediately recognized the BackConnect protocol because I spent many hours reverse engineering that protocol back in 2022. I later spent even more time building a parser for it in 2023. This BackConnect parser was eventually published as part of the NetworkMiner 2.8.1 release.

I was happy to see that NetworkMiner could parse the BackConnect traffic in The DFIR Report’s Latrodectus case (#TB28761).

Images extracted from BackConnect traffic by NetworkMiner Professional 3.1

The only caveat was that I had to use NetworkMiner Professional, because it has a built-in protocol detection feature that detects the BackConnect traffic and applies the correct parser. That feature isn’t included in the free version of NetworkMiner, which is why it doesn’t know what to do with this strange looking TCP traffic to port 443.

Below are some screenshots extracted with NetworkMiner Professional from the BackConnect reverse VNC traffic.

Keyhole reverse VNC session

Image: Keyhole reverse VNC session

Attacker fails to inspect the file ad_users.txt

Image: Attacker fails to inspect ad_users.txt

Attacker launches additional malware with rundll

Image: Attacker launches additional malware with rundll

Task Manager in BackConnect VNC session

The reverse VNC activity spanned a period of over two weeks, which is very impressive for this type of intrusion data set. The threat actors used the BackConnect reverse VNC service to access the machine several times during this period, for example to steal credentials and install additional malware.

A histogram of interactive BackConnect events, including reverse shell, VNC and file manager sessions, shows that the majority of the work was carried out around 12pm UTC.

BackConnect working hours histogram

Keylog of the Attacker

The BackConnect network traffic from the intrusion does not only allow us to extract screenshots from the VNC traffic. NetworkMiner also extracts the attacker’s hands-on keyboard activity.

Keys pressed by attacker in BackConnect VNC session

The keylog shows that the attacker accidentally typed “cd //” instead of “cd ..” at one point. Here’s the screenshot that NetworkMiner extracted from the reverse VNC traffic after the attacker had corrected the typo.

Command shell in VNC session

This typo might seem a bit odd, but if you compare the US keyboard layout with the Russian Cyrillic one, then you’ll see that the dot key on the Cyrillic keyboard is at the same place as slash on the US keyboard.

Russian windows keyboard layout aka JCUKEN for Russian with dot character marked

Image: Russian Windows keyboard layout from Wikipedia

This reminds me of another BackConnect infection, captured by Brad Duncan, which he named IcedID (BokBot) infection with Keyhole VNC and Cobalt Strike. Here’s a screenshot that NetworkMiner extracted from the PCAP file shared by Brad:

Attacker types фьфящт instead of amazon in BackConnect VNC session

The attacker can be seen typing “фьфящт” into the browser’s address bar in that VNC session. Фьфящт doesn’t mean anything in Russian, but the individual key positions on the Russian keyboard correspond to “amazon” on a standard Latin keyboard layout.
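The key-position comparison described above for “cd //” and “фьфящт” can be automated when reviewing VNC keylogs. The following is an added example for such analysis, not code from NetworkMiner or from this blog; the layout table covers the unshifted keys of the US QWERTY and Russian JCUKEN layouts, and the function names are my own.

```python
# Map key positions between the US QWERTY layout and the Russian JCUKEN (ЙЦУКЕН)
# layout, so that a keylogged string can be read the way the operator intended it.
# Added example for keylog analysis; not code from NetworkMiner or the blog post.

# Unshifted keys, row by row: backtick row, top letter row, home row, bottom row.
# Index i of both strings is the same physical key.
US_TO_RU = dict(zip(
    "`qwertyuiop[]asdfghjkl;'zxcvbnm,./",
    "ёйцукенгшщзхъфывапролджэячсмитьбю.",
))
RU_TO_US = {ru: us for us, ru in US_TO_RU.items()}


def _translate(text: str, table: dict, letters: bool = True) -> str:
    """Re-map each character to the key at the same position in the other layout.

    Characters that are not in the table (digits, space, unknown symbols) pass
    through unchanged. With letters=False only punctuation keys are re-mapped,
    which covers the "cd //" case: the letters were typed in the right layout
    but a punctuation key was hit by muscle memory from the other layout.
    """
    out = []
    for ch in text:
        low = ch.lower()
        if low in table and (letters or not low.isalpha()):
            mapped = table[low]
            out.append(mapped.upper() if ch.isupper() else mapped)
        else:
            out.append(ch)
    return "".join(out)


def ru_to_us(text: str, letters: bool = True) -> str:
    """Cyrillic characters were logged while the operator meant to type on a US layout."""
    return _translate(text, RU_TO_US, letters)


def us_to_ru(text: str, letters: bool = True) -> str:
    """Latin characters were logged while the operator meant to type on a Russian layout."""
    return _translate(text, US_TO_RU, letters)


def keylog_readings(logged: str) -> dict:
    """All plausible readings of one keylogged string under a layout mix-up."""
    return {
        "as_logged": logged,
        "meant_us_layout": ru_to_us(logged),
        "meant_ru_layout": us_to_ru(logged),
        "ru_punctuation_only": us_to_ru(logged, letters=False),
    }


if __name__ == "__main__":
    # The two slips discussed in the post: "фьфящт" -> "amazon" and "cd //" -> "cd .."
    for logged in ("фьфящт", "cd //"):
        print(keylog_readings(logged))
```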

Reverse Shell

NetworkMiner also extracts commands from BackConnect reverse shell sessions.

Shell commands from BackConnect session displayed in NetworkMiner Professional

This screenshot shows that the attacker sent the following command to the reverse shell:

rundll32 C:\ProgramData\sys.dll,StartUp471

This command launched a Cobalt Strike implant that connected to avtechupdate[.]com. Analysis of the Cobalt Strike C2 traffic is out of scope for this blog post, but the original writeup for this lab contains additional details on the Cobalt Strike infection.

The attacker later issued another rundll command to launch another red-team/penetration testing tool, namely Brute Ratel C4.

rundll32 wscadminui.dll, wsca

This Brute Ratel backdoor connected to C2 servers on erbolsan[.]com and a few other domains (see IOC list). The DFIR Report’s writeup contains additional information about that payload as well.

About The DFIR Report

The DFIR Report provides analysis of cyber intrusions, detailing the tactics, techniques, and procedures used by attackers. They share insights into various attacks, from initial access to execution, and offer private threat briefs and reports for organizations.

A lab containing Elastic or Splunk data from this infection can be purchased from The DFIR Report’s store. Look for the lab titled “The Lunar Tangled Malware Web - Public Case #28761”. The DFIR Report also sells access to a threat intelligence service, which contains even more detailed lab data from this and other malware infections.

Netresec is not affiliated with The DFIR Report.

IOC List

The analyzed infection is from 2024, so these indicators are in no way fresh. They are included here for research purposes and to facilitate retro hunting.

BackConnect C2 ip:port

  • 185.93.221.12:443
  • 193.168.143.196:443

Latrodectus domains

  • grasmetral[.]com
  • illoskanawer[.]com
  • jarkaairbo[.]com
  • scupolasta[.]store
  • workspacin[.]cloud

Cobalt Strike C2 URI

  • hxxps://resources.avtechupdate[.]com/samlss/vm.ico

Brute Ratel C4 domains

  • dauled[.]com
  • erbolsan[.]com
  • kasym500[.]com
  • kasymdev[.]com
  • samderat200[.]com

Network Forensics Training

Network forensics training for incident response logo

Check out our network forensics training if you want to learn more about analyzing malware traffic in PCAP files.

I will teach an online class for incident responders and blue teams on February 23-26. That class allows a maximum of 15 attendees in order to provide a good environment for taking questions. So don’t miss out on this chance to get your hands dirty with some packet analysis together with me!

Posted by Erik Hjelmvik on Wednesday, 10 December 2025 13:00:00 (UTC/GMT)

Tags: #BackConnect #IcedID #VNC #Keyhole #NetworkMiner

Short URL: https://netresec.com/?b=25Cfd08


NetworkMiner 3.1 Released

NetworkMiner 3.1 Logo

This NetworkMiner release brings improved extraction of artifacts like usernames, passwords and hostnames from network traffic. We have also made some updates to the user interface and continued our effort to extract even more details from malware C2 traffic.

More Artifacts Extracted

Usernames and passwords are now extracted from Proxy-Authenticate headers. NetworkMiner’s username extraction support for SMTP AUTH LOGIN requests has also been improved.

Username and password extracted from Proxy-Authenticate HTTP request

Image: Username and password extracted from HTTP Proxy-Authenticate header

NetworkMiner has several methods for passively identifying host names of clients and servers. We’ve added a few additional hostname sources to this release, such as client hostnames from SMTP EHLO requests and TLS SNI fields from RDP traffic.

User Interface Improvements

The most significant user interface update in the 3.1 release is probably the new “Not in” keyword filter mode. I received this feature request when teaching a network forensics class (thanks for the great idea Lukas!). This filter mode is the opposite of the default “Exact Phrase” setting.

NetworkMiner Professional with filter Not in HTTP

Image: Parameters extracted from anything but HTTP traffic in Johannes Weber's Ultimate PCAP

The “Not in” filter mode comes in very handy when the information you’re interested in is drowning in a sea of non-relevant, but easily identifiable, data.

Malware C2 Traffic

NetworkMiner can extract information from various malware Command-and-Control (C2) protocols like Latrodectus/IcedID BackConnect, Meterpreter, njRAT, Redline Stealer, Remcos, RMS and StealC. The free version of NetworkMiner can extract information, such as commands or transferred files, from these malware protocols as long as the C2 server listens on a “standard” port number. But if the C2 server runs on some other port (which often is the case), then NetworkMiner Professional’s Port Independent Protocol Identification (PIPI) feature is required to identify the correct parser for the network traffic.

Implementing malware C2 protocol parsers is sometimes a thankless task because these protocols tend to get replaced at a much higher rate compared to legitimate network protocols. But it is an important task nevertheless.

njRAT

A popular malware for which the C2 protocol hasn’t changed much during the past decade is njRAT. In fact, new njRAT samples are discovered by security researchers pretty much every day despite it being a 13-year-old trojan. NetworkMiner’s njRAT support has therefore been improved in this release. NetworkMiner can extract files that are uploaded or downloaded to/from a PC infected with njRAT. This file extraction feature also includes the ability to extract plugins for specific tasks, such as running a reverse shell, viewing camera images or stealing passwords. njRAT C2 servers transmit these plugins as gzip compressed DLL files to victim computers when needed.

Files extracted from njRAT traffic by NetworkMiner

Image: Files extracted from njRAT in PCAP from our network forensics class

NetworkMiner extracts these gz compressed plugin DLL files to disk. A new feature in the 3.1 release is that it then decompresses the gz data and calculates an MD5 hash of the file contents, but without saving the decompressed data to disk. The MD5 hashes of the transferred files are instead displayed on the Parameters tab as seen in this screenshot:

MD5 hashes of njRAT plugin DLLs

Image: MD5 hashes of njRAT plugin DLLs

The following njRAT plugin MD5 hashes can be seen in this screenshot:

  • cef141d894400bc2e0096d1ed0c8f95b (aka inf.dll)
  • a73edb60b80a2dfa86735d821bea7b19 (aka cam.dll)
  • a93349ba5e621cfb7a46dc9f401fd998 (aka plg.dll)
  • 11375fb0cee4c06b5cefa2031ee2ed6d (aka pw.dll)
  • 19967e886edcd2f22f8d4a58c8ea3773 (aka sc2.dll)

See our video Decoding njRAT traffic with NetworkMiner for a more in-depth demonstration of NetworkMiner’s njRAT parsing features.
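The in-memory decompress-and-hash step described above can be reproduced on the gz files that NetworkMiner writes to disk. Below is an added example of that routine, not NetworkMiner’s own implementation; the sample plugin bytes are constructed, and the size bound is my own addition for handling oversized streams safely.

```python
# Hash njRAT plugin DLLs that were captured as gzip streams, decompressing only
# in memory so the plaintext DLL is never written to disk.
# Added example; not NetworkMiner's implementation.
import gzip
import hashlib
import os
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def is_gzip(blob: bytes) -> bool:
    return blob[:2] == GZIP_MAGIC


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_gz_plugin(blob: bytes, max_size: int = 64 * 1024 * 1024) -> dict:
    """Decompress a gzip blob in memory and describe the file inside it.

    max_size bounds the decompressed size so that a captured decompression
    bomb cannot exhaust memory on the analysis machine.
    """
    if not is_gzip(blob):
        raise ValueError("not a gzip stream (magic bytes missing)")
    decomp = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects the gzip wrapper
    try:
        data = decomp.decompress(blob, max_size + 1)
    except zlib.error as e:
        raise ValueError(f"corrupt gzip stream: {e}")
    if len(data) > max_size:
        raise ValueError("decompressed data exceeds max_size")
    if not decomp.eof:
        raise ValueError("truncated gzip stream (trailer missing)")
    return {
        "md5": md5_hex(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "compressed_size": len(blob),
        "decompressed_size": len(data),
        "is_pe": data[:2] == b"MZ",   # njRAT plugins are .NET DLLs, i.e. PE files
    }


def hash_extracted_dir(path: str) -> dict:
    """Run hash_gz_plugin over every gzip file in a directory of extracted files."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as f:
            blob = f.read()
        if is_gzip(blob):
            try:
                results[name] = hash_gz_plugin(blob)
            except ValueError as e:
                results[name] = {"error": str(e)}
    return results


def sample_plugin() -> tuple:
    """Constructed stand-in for a plugin DLL and its gzip-compressed wire form."""
    dll = b"MZ" + b"\x00" * 62 + b"constructed njRAT plugin body, not a real DLL"
    return dll, gzip.compress(dll)


if __name__ == "__main__":
    dll, blob = sample_plugin()
    print(hash_gz_plugin(blob))
```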

Redline Stealer

Another common malware is Redline Stealer. It uses a legitimate protocol called MC-NMF to send instructions and exfiltrate data from victim computers. Basic support for the MC-NMF protocol has therefore been added to NetworkMiner 3.1. MC-NMF is also used by legitimate services like Microsoft’s Service Bus, so as a bonus you can now analyze such traffic with NetworkMiner as well. The MC-NMF protocol has a compression routine called MC-NBFSE, which is utilized by Redline Stealer. NetworkMiner can’t decompress this format, so files are extracted to disk in compressed form.

Files extracted by NetworkMiner from Redline Stealer traffic

Image: Files extracted from Redline execution on Joe Sandbox

You can probably spot some interesting details in the extracted data even when viewing the NBFSE compressed contents though.

Contents of files extracted by NetworkMiner from Redline Stealer traffic

Image: NBFSE compressed file contents extracted from Redline execution on Joe Sandbox

Bug Fixes

NetworkMiner 3.1 also resolves several minor bugs. One of these bugs could cause NetworkMiner to hang when showing file details in Linux. Another resolved bug prevented some IPv6 payloads from being parsed correctly if the Ethernet frame contained trailing padding data. The VoIP call metadata extraction has also been improved in NetworkMiner Professional.

Upgrading to Version 3.1

Users who have purchased NetworkMiner Professional can download version 3.1 from our customer portal, or use the “Check for Updates” feature from NetworkMiner's Help menu. Those who instead prefer to use the free and open source version can grab the latest release of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Monday, 01 December 2025 08:20:00 (UTC/GMT)

Tags: #NetworkMiner #NetworkMiner Professional #njRAT

Short URL: https://netresec.com/?b=25C4039


Comparison of tools that extract files from PCAP

One of the premier features in NetworkMiner is the ability to extract files from captured network traffic in PCAP files. NetworkMiner reassembles the file contents by parsing protocols that are used to transfer files across a network.

But there are other tools that can also extract files from PCAP files, such as Wireshark and Zeek. The file extraction support in these alternative solutions sometimes complements and sometimes overlaps with that of NetworkMiner. Either way it is good that there are multiple tools that are designed to perform the same task. This allows us to compare the output from the different implementations, for example if the results from one tool seem strange or are suspected to be incorrect or incomplete.

comparing apple to orange

Tools that can reassemble and extract files from network traffic or PCAP files: Chaosreader, NetworkMiner, Suricata, tcpflow, Wireshark and Zeek.

All of these tools can extract files from HTTP and FTP, but when it comes to other protocols the support varies. The following table summarizes which protocols each tool supports:

Tools: Chaosreader | NetworkMiner | Suricata | tcpflow | Wireshark | Zeek
Protocols: FTP, HTTP, HTTP/2, IEC-104, IMAP, LPR, NFS, njRAT, POP3, SMB, SMB2/3, SMTP, TFTP, TLS certs

I’ve been quite forgiving when compiling the table above. Tools are listed as supporting a protocol even if they only work under very specific conditions. I don’t want to name-and-shame any tool, but I strongly recommend that you verify the tools you’re using by comparing what they extract to one or two alternative tools. As an example, some tools only support a few specific commands for the protocol they claim to support. Additionally, some tools only support file extraction in one direction for protocols like HTTP or FTP, even though these protocols are regularly used to download as well as upload files.

Posted by Erik Hjelmvik on Monday, 05 May 2025 16:05:00 (UTC/GMT)

Tags: #Extract #PCAP #NetworkMiner #Suricata #tcpflow #Wireshark #Zeek #FTP #HTTP #IEC-104 #IMAP #LPD #LPR #njRAT #POP3 #SMB #SMB2 #SMTP

Short URL: https://netresec.com/?b=255329f


Decoding njRAT traffic with NetworkMiner

I investigate network traffic from a Triage sandbox execution of njRAT in this video. The analysis is performed using NetworkMiner in Linux (REMnux to be specific).

About njRAT / Bladabindi

njRAT is a Remote Access Trojan (RAT) that can be used to remotely control a hacked computer. It has been around since 2013, but despite being over 10 years old it still remains one of the most popular backdoors used by malicious actors. Antivirus vendors usually refer to njRAT as Bladabindi.

njRAT Artefacts Extracted by NetworkMiner

NetworkMiner has a built-in parser for the njRAT Command-and-Control (C2) protocol. This njRAT parser kicks in whenever there is traffic to a well-known njRAT port, such as TCP 1177 or 5552, plus a few extra ports (like TCP 14817, which was used by the analysed sample). You’ll need NetworkMiner Professional to decode njRAT traffic to other ports, since it comes with a port-independent-protocol-identification (PIPI) feature that automatically detects the protocol regardless of which port the server runs on.

As demonstrated in the video, NetworkMiner can extract the following types of artefacts from njRAT network traffic:

  • Screenshots of victim computer
  • Transferred files
  • Commands from C2 server
  • Replies from bot
  • Stolen credentials/passwords
  • Keylog data

Covered njRAT Commands and Plugins

These njRAT commands and plugins are mentioned in the video:

  • CAP = Screen Capture
  • ret = Get Passwords
  • inv = Invoke Plugin
  • PLG = Plugin Delivery
  • kl = Key Logger
  • Ex = Execute Plugin
  • Ex proc = Process List
  • Ex fm = File Manager

IOC List

  • Sample (a.exe): cca1e0b65d759f4c58ce760f94039a0a
  • C2 server: 5.tcp.eu.ngrok[.]io:14817
  • njRAT inv (dll): 2d65bc3bff4a5d31b59f5bdf6e6311d7
  • njRAT PLG (dll): c179e212316f26ce9325a8d80d936666
  • njRAT ret (dll): ac43720c43dcf90b2d57d746464ad574
  • Splitter: Y262SUCZ4UJJ

Posted by Erik Hjelmvik on Monday, 28 April 2025 06:00:00 (UTC/GMT)

Tags: #njRAT #NetworkMiner #REMnux #Video #videotutorial

Short URL: https://netresec.com/?b=2541a39


How to Install NetworkMiner in Linux

This guide shows how to install the latest version of NetworkMiner in Linux. To install an older NetworkMiner release, prior to version 3.0, please see our legacy NetworkMiner in Linux guide.

NetworkMiner + Linux

STEP 1: Install Mono and GTK2

Mono is an open source cross-platform implementation of the .NET framework; it is needed to run NetworkMiner on non-Windows machines. GTK2 is not required, but it provides a more consistent look to the user interface.

Ubuntu / Debian / Kali Linux / Raspberry Pi OS:

sudo apt install mono-devel
sudo apt install libgtk2.0-common

Fedora:

sudo yum install mono-devel gtk2

AlmaLinux / RHEL:

sudo dnf install epel-release
sudo dnf install mono-devel gtk2

Arch Linux:

sudo pacman -S mono gtk2

STEP 2: Install NetworkMiner

curl -o /tmp/nm.zip https://www.netresec.com/?download=NetworkMiner
sudo unzip /tmp/nm.zip -d /opt/
sudo chmod +x /opt/NetworkMiner_*/NetworkMiner.exe

STEP 3: Run NetworkMiner

mono /opt/NetworkMiner_*/NetworkMiner.exe --noupdatecheck
NetworkMiner running in Linux
Image: NetworkMiner running in Linux

Follow these steps to analyze live network traffic:

  • Click File, Receive PCAP over IP [Ctrl+R]
  • Click Start Receiving and note the listen TCP port (default is 57012)

Then run this command to sniff network traffic and send a real-time stream of captured packets to NetworkMiner:

sudo tcpdump -U -w - not tcp port 57012 | nc localhost 57012

Change 57012 in the command above if NetworkMiner is listening on a different TCP port.

This PCAP-over-IP technique can also be used to read a real-time packet stream from a remote device. It is also possible to sniff packets from Mikrotik routers by clicking File, Receive TZSP Stream.

STEP 4 (optional): Create Shortcut Command

sudo bash -c 'cat > /usr/local/bin/networkminer' << EOF
#!/usr/bin/env bash
mono $(which /opt/NetworkMiner*/NetworkMiner.exe | sort -V | tail -1) --noupdatecheck \$@
EOF
sudo chmod +x /usr/local/bin/networkminer

NetworkMiner can now be started like this:

networkminer ~/Downloads/*.pcap

Linux Distros with NetworkMiner

NetworkMiner comes pre-packaged on some Linux distributions, such as REMnux, Security Onion Desktop, CSI Linux and BlackArch.

NetworkMiner running in REMnux
Image: NetworkMiner running in REMnux

Static Download Link

The https://www.netresec.com/?download=NetworkMiner download link always delivers the latest release of NetworkMiner. If you prefer a static link that points to a specific version of NetworkMiner, then please use this one:
https://download.netresec.com/networkminer/NetworkMiner_3-1.zip

Posted by Erik Hjelmvik on Thursday, 10 April 2025 07:30:00 (UTC/GMT)

Tags: #NetworkMiner #Linux #Ubuntu #Kali

Short URL: https://netresec.com/?b=2542784


NetworkMiner 3.0 Released

NetworkMiner 3.0

I am very proud to announce the release of NetworkMiner 3.0 today!

This version brings several new protocols as well as user interface improvements to NetworkMiner. We have also made significant changes under the hood, such as altering the default location to which NetworkMiner extracts files from network traffic.

Some of the major changes in this new release are:

  • New protocols: QUIC, CIP (EtherNet/IP), UMAS and Remcos RAT.
  • Improved passive OS fingerprinting.
  • Additional filtering capabilities.
  • User interface adapted for Linux.

Filtering of Displayed Artefacts

A tooltip text is temporarily displayed when a filter is activated. The tooltip shows the number of visible items after the filter is applied. This tooltip can also be shown at a later point by hovering with the mouse over the filter text or the Apply button.

Right-clicking on an item or artefact in any of NetworkMiner’s tabs brings up a context menu. We’ve now added an “Apply as Filter” option to this context menu, which can be used to let NetworkMiner automatically generate a filter based on the clicked item. This feature saves time for the analyst and reduces the risk of misspellings.

We have also added a keyword filter to the Credentials tab and updated the image filename filter to ignore case.

Other User Interface Improvements

The File Details window, which shows metadata and contents of an extracted file, now has a “Show as” menu that can be used to preview the contents of a file as ASCII, Hex, Unicode or UTF-8.

Show as ASCII in NetworkMiner File Details

This file details window can now also be accessed directly from the Images tab by right-clicking on a thumbnail of an extracted image.

NetworkMiner 3.0 extracts Maximum Segment Size (MSS) values from TCP handshakes and shows them under Host Details for each respective IP address. This value can help with determining if a host is behind a VPN. An MSS value below 1400 indicates that the traffic might have passed through some form of overlay network, such as a tunnel or VPN.

MSS indicating VPN usage in NetworkMiner's Hosts tab
Image: Details for a host communicating through a VPN

Other indicators that can help identify VPN and tunnelled traffic are IP TTL and latency, which NetworkMiner already extracts.

The screenshot above also shows that the operating system was identified as Windows, both with the help of p0f and based on the client’s web browser user-agent. The user-agent based OS fingerprinting is a new feature that we added in NetworkMiner 3.0. This is a nice complement to the TCP and DHCP based OS fingerprinting features that NetworkMiner already performs. We’ve configured this feature to also detect operating systems from user-agent strings sent over UPnP/SSDP.

User-Agent OS extracted from UPnP traffic
Image: Operating system identified from User-Agent string in UPnP

The text on a few of NetworkMiner’s buttons was not visible on some Linux distros, depending on how much button padding the respective window manager and theme added. Button sizes have therefore been increased in this release to reduce the risk of text not being visible when NetworkMiner is run in Linux.

New Protocol: QUIC

NetworkMiner 3.0 parses initial packets from the QUIC protocol (RFC 9000), which is the UDP based protocol used to transport HTTP/3. The QUIC parser allows NetworkMiner to extract TLS handshakes from UDP 443 traffic, from which the server’s hostname can be read if the client uses the SNI extension. The extracted TLS handshakes from QUIC are also used to generate JA3 and JA4 fingerprints for clients.

Information extracted from QUIC with NetworkMiner
Image: Server hostname and client JA3 and JA4 fingerprints extracted from QUIC

New Protocol: CIP and EtherNet/IP

We added parsers for the industrial control system protocols CIP and EtherNet/IP. The implementation does not cover all of the CIP and EtherNet/IP specifications; instead we focused on extracting device information, such as product vendor, product name, bulletin name, serial number and hostname. Such device information is crucial when performing passive asset identification of PLCs and other industrial devices on OT/ICS networks, such as in factories and power plants. The CIP parser also supports extraction of tag data from Rockwell's proprietary version of CIP.

Device information extracted from CIP traffic with NetworkMiner
Image: Device information extracted from CIP traffic from a WAGO 750-841 controller and a Schneider Electric M221 PLC

New Protocol: UMAS

A parser for the industrial control system protocol Modbus/TCP was added to NetworkMiner 2.0 back in 2016. In today’s 3.0 release we’ve enhanced the Modbus implementation to also parse out commands from Schneider Electric's proprietary UMAS protocol, which runs on top of Modbus by using the special function code 90 (0x5a). Our implementation unfortunately doesn’t have full coverage of UMAS, since we don’t have a protocol specification for this proprietary protocol. Nevertheless, our implementation recognizes 40 different UMAS commands (aka UMAS function codes) and can extract fields and parameters from at least 6 of them. The parsed UMAS commands can be viewed in NetworkMiner’s Parameters tab.

UMAS Parameters in NetworkMiner

New Protocol: REMCOS C2

We started adding parsers for proprietary malicious Command-and-Control (C2) protocols, like StealC, njRAT, BackConnect and RMS, to NetworkMiner a couple of years ago. These malware C2 and backdoor protocol parsers enable security researchers to study what actions threat actors perform when accessing victim computers or honeypot systems.

We’re continuing our endeavour of creating parsers for malicious protocols by adding support for the Remcos RAT C2 protocol to NetworkMiner 3.0.

Remcos RAT parameters extracted from C2 network traffic by NetworkMiner
Image: Remcos C2 parameters from PCAP file on tria.ge with NetworkMiner Professional in Linux

Naturally, NetworkMiner’s Remcos parser can’t extract the C2 comms if Remcos uses TLS. Another limitation is that the free version of NetworkMiner is only able to parse Remcos traffic when the C2 server is running on a standard port like TCP 2404. The port-independent-protocol-identification feature in the Professional edition of NetworkMiner, however, identifies and parses Remcos traffic regardless of which port the C2 server listens on (the C2 server in the screenshot above was running on TCP port 1961).

Improved Protocol Parsers

We have also improved several of NetworkMiner’s existing protocol parsers. NetworkMiner’s parser for the trojan/backdoor njRAT (Bladabindi) protocol has, for example, been extended to reassemble full desktop screenshots from njRAT’s Remote Desktop feature.

njRAT Desktop screenshots extracted from network traffic with NetworkMiner
Image: njRAT desktop image extracted from PCAP file on any.run with NetworkMiner Professional in Linux

NetworkMiner’s parser for Modbus has also been extended to support additional function codes and the NTLMSSP parser (for SMB/SMB2) is now better at extracting hostnames to NetworkMiner’s Hosts tab.

Bug Fixes

A bug in NetworkMiner’s timestamp comparison code previously caused items to be sorted incorrectly when the Timestamp column header was clicked. This bug has now been fixed. We have also fixed a bug relating to extraction of parameters sent in JSON encoded HTTP POST requests.

Breaking Changes

Some of the changes introduced in the 3.0 release might require some users to adapt their workflow. One such change is that the default output path for extracted files and captured packets has changed from NetworkMiner’s directory to %LocalAppData%\NetworkMiner\ in Windows and ~/.local/share/NetworkMiner/ in Linux. This means that you no longer need to add write permissions to the NetworkMiner application directory or subdirectories thereof, since NetworkMiner no longer creates or modifies files there.

Another breaking change is that we have removed the Anomalies tab from the user interface. Windows users can still see alerts by starting NetworkMiner with --filelog, while Linux users can use --debug to print debug, warning and error messages to stderr. Use --loglevel warning to suppress info and debug messages.

A change that only affects users of NetworkMiner Professional is that the command line tool NetworkMinerCLI now requires a Corporate License. If you currently have a single-user license, then you will still be able to use the command line tool in your 2.x version of NetworkMiner Professional, but not in the new 3.0 release.

NetworkMiner Professional

There are several improvements in the 3.0 release that only affect users of NetworkMiner Professional. One noteworthy update is that the Pro release has become significantly faster, especially for capture files containing many short TCP sessions. NetworkMiner Professional now saves around two milliseconds in parsing time for every TCP session. This might not sound like much, but it actually makes a huge difference when parsing capture files containing thousands of small TCP sessions.

NetworkMiner’s support for the TLS fingerprinting method JA4 has also been extended even further in the 3.0 release. NetworkMiner Professional now leverages FoxIO’s JA4 database to identify operating systems as well as applications based on client TLS handshake packets.

Other improvements of NetworkMiner Professional include:

  • Network operator and AS number displayed on Hosts tab.
  • File OSINT lookup includes Censys body_hash lookups.
  • IP and domain OSINT lookups added to NetworkMiner’s DNS tab.
  • PcapNG packet comments displayed in the Parameters tab.

Upgrading to Version 3.0

Users who have purchased NetworkMiner Professional can download version 3.0 from our customer portal, or use the “Check for Updates” feature from NetworkMiner's Help menu. Those who instead prefer to use the free and open source version can grab the latest release of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Friday, 04 April 2025 10:53:00 (UTC/GMT)

Tags: #NetworkMiner #QUIC #JA3 #JA4 #njRAT

Short URL: https://netresec.com/?b=254caa9


Remote Sniffing from Mikrotik Routers

One of the new features in NetworkMiner 2.9 is a TZSP streaming server. It is designed to read a real-time stream of sniffed packets from Mikrotik routers. This method for remote sniffing can be used to capture packets regardless of whether NetworkMiner is running in Windows or Linux.

Sniff Packets with Mikrotik TZSP to NetworkMiner

How to Sniff Packets with TZSP

Open a console or terminal on the Mikrotik router and run “/tool sniffer print” to see the current settings. Then run the following commands to configure the sniffer:

  • /tool sniffer
  • set streaming-enabled=yes
  • set streaming-server=10.1.2.3:37008
  • set filter-stream=yes

Replace 10.1.2.3 with the IP address of the computer running NetworkMiner.

It is also possible to activate the sniffer from the RouterOS WebFig interface.

  • Expand the “Tools” section
  • Click “Packet Sniffer”
  • Check “Streaming Enabled”
  • Enter IP of computer running NetworkMiner in Server
  • Enter 37008 as Port
  • Check “Filter Stream”
  • Click the “Apply” button at the top
Mikrotik WebFig Packet Sniffer settings

The “filter-stream” setting prevents the sniffer from capturing packets that are sent to the streaming-server (i.e. NetworkMiner). This setting must be enabled to avoid a snowball effect, where copies of previously captured packets get sniffed and re-transmitted to the streaming-server.

The next step is to open the TZSP window in NetworkMiner, which you’ll find under “File, Receive TZSP Stream”.

NetworkMiner TZSP Sniffer

Click “Start” in NetworkMiner’s TZSP window, so that it listens for an incoming TZSP stream on UDP port 57008. Go back to the Mikrotik router, where you start the sniffer with “/tool sniffer start” or by clicking the “Start” button in the WebFig. You should now see the Frames counter increasing in NetworkMiner's TZSP window. You’ll probably also notice that artifacts get added to the main NetworkMiner window in the background as more packets are received.

Close the sniffer by running “/tool sniffer stop” or clicking the “Stop” button in WebFig, then click “Stop” in NetworkMiner. You can now close NetworkMiner’s TZSP window to view the artifacts that NetworkMiner has extracted from the captured traffic.
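To verify what the router is actually streaming before pointing it at NetworkMiner, it helps to decode the TZSP datagrams yourself. The following is an added example of a minimal TZSP receiver that unwraps the encapsulated Ethernet frames and stores them as a classic PCAP file; it is not NetworkMiner’s own TZSP server, the field layout follows the public TZSP format (4-byte header, tag list terminated by an END tag, then the frame), and the sample datagram is constructed.

```python
# Decode TZSP datagrams as streamed by a Mikrotik packet sniffer and write the
# encapsulated frames to a PCAP file. Added example; not NetworkMiner's code.
import socket
import struct
import time
from dataclasses import dataclass

TZSP_VERSION = 1
TYPE_RECEIVED_TAG_LIST = 0                       # what a sniffer sends
ENCAP_NAMES = {0x01: "Ethernet", 0x12: "IEEE 802.11", 0x77: "Prism", 0x7F: "WLAN AVS"}
TAG_PADDING, TAG_END = 0x00, 0x01                # single-byte tags without a length field
TAG_NAMES = {0x0A: "RAW_RSSI", 0x0B: "SNR", 0x0C: "DATA_RATE", 0x0D: "TIMESTAMP",
             0x12: "RX_CHANNEL", 0x28: "PACKET_COUNT", 0x29: "RX_FRAME_LENGTH"}


@dataclass
class TzspPacket:
    version: int
    ptype: int
    encapsulation: int
    tags: dict          # tag id -> raw value bytes
    payload: bytes      # the sniffed frame, e.g. an Ethernet frame


def parse_tzsp(datagram: bytes) -> TzspPacket:
    """Parse one UDP datagram: 4-byte header, tag list ending with END, then the frame."""
    if len(datagram) < 5:
        raise ValueError("datagram too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    pos, tags = 4, {}
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list is not terminated by an END tag")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("tag length byte missing")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError(f"tag 0x{tag:02x} overruns the datagram")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return TzspPacket(version, ptype, encap, tags, datagram[pos:])


def ethernet_summary(frame: bytes) -> tuple:
    """Return (dst MAC, src MAC, EtherType) of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return mac(frame[0:6]), mac(frame[6:12]), struct.unpack("!H", frame[12:14])[0]


def pcap_global_header(linktype: int = 1) -> bytes:
    """Classic libpcap header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, linktype."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    """One libpcap record header (ts_sec, ts_usec, incl_len, orig_len) plus the frame."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def receive_to_pcap(out_path: str, port: int, max_packets: int) -> int:
    """Listen for TZSP on UDP `port` (the router's streaming-server port) and save frames."""
    written = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(out_path, "wb") as f:
        sock.bind(("0.0.0.0", port))
        f.write(pcap_global_header())
        while written < max_packets:
            data, _ = sock.recvfrom(65535)
            try:
                pkt = parse_tzsp(data)
            except ValueError:
                continue                         # malformed datagram, skip it
            if pkt.encapsulation != 0x01:
                continue                         # only Ethernet fits a linktype-1 pcap
            f.write(pcap_record(pkt.payload, time.time()))
            written += 1
    return written


# Constructed sample: type 0 / Ethernet datagram with a padding byte, a one-byte
# RAW_RSSI tag, the END tag and a minimal Ethernet/IPv4 frame (MACs made up).
SAMPLE_FRAME = (bytes.fromhex("0050568a1b2c") + bytes.fromhex("b827eb112233")
                + b"\x08\x00" + b"\x45\x00" + b"\x00" * 18)
SAMPLE_DATAGRAM = b"\x01\x00\x00\x01" + b"\x00" + b"\x0a\x01\xd0" + b"\x01" + SAMPLE_FRAME

if __name__ == "__main__":
    pkt = parse_tzsp(SAMPLE_DATAGRAM)
    print(ENCAP_NAMES.get(pkt.encapsulation), pkt.tags, ethernet_summary(pkt.payload))
```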

Posted by Erik Hjelmvik on Thursday, 30 May 2024 13:05:00 (UTC/GMT)

Tags: #TZSP #NetworkMiner #sniffer

Short URL: https://netresec.com/?b=2459ed5


NetworkMiner 2.9 Released

NetworkMiner 2.9

NetworkMiner 2.9 brings several new and improved features to help analysts make sense of network traffic from malware, criminals and industrial control systems. Highlights from this new version include:

  • TZSP support
  • StealC extractor
  • Improved Modbus parser
  • JA4 support
  • GTP decapsulation

Malware Traffic Artifact Extraction

NetworkMiner is a popular tool for extracting artifacts from malware traffic. Such artifacts can be downloaded malware modules, exfiltrated documents and sometimes even screenshots of the infected computer.

Parsers for njRAT and BackConnect (à la IcedID, QakBot and Bazar) traffic were previously added to NetworkMiner. In this release NetworkMiner also gets a parser for StealC, which has quickly become one of the most popular information stealers on Russian-speaking underground forums. The new NetworkMiner 2.9 release extracts screenshots and files that StealC exfiltrates from the infected machine.

The examples shown below were created by loading a pcap file with StealC traffic from Triage sandbox into NetworkMiner 2.9. NetworkMiner was run in Linux to minimize the risk of accidentally infecting the analysis environment.

Image: Reassembled system info and documents exfiltrated by StealC to 185.172.128.151

Image: Reassembled screenshot of victim’s desktop sent to StealC C2 server

NetworkMiner’s VNC and BackConnect VNC parsers have also been improved in this release. NetworkMiner’s keylog extraction from VNC now supports many keyboard layouts, including Arabic, Cyrillic, Greek, Hebrew, Kana, Korean and Thai. The handling of VNC color profiles has also been improved to convey colors more correctly in screenshots from reassembled VNC and BackConnect VNC traffic. I’d like to thank Brad Duncan and Maxime Thiebaut for their valuable input on this matter!

Another remote management tool that is often misused by hackers and criminals is Remote Manipulator System (RMS) from TektonIT. According to Cyberint’s report Legit remote admin tools turn into threat actors’ tools, there are lots of Russian forum posts and even YouTube tutorials showing how to include legitimate RMS components in malware. NetworkMiner now parses RMS’s session setup, which includes information about the client computer as well as the RMS product and version. The screenshot below was created by loading a pcap file from when 3_Рахунок.pdf.exe was executed in JoeSandbox.

Image: Information extracted from RMS traffic

The country_code number (here 223) also gets converted to a human-readable country (Switzerland) by NetworkMiner, but this country name info is only displayed in the Host Details of the client.

ICS / SCADA

NetworkMiner has supported Modbus/TCP since 2016 (when NetworkMiner 2.0 was released). This Modbus parser has now been updated to display Modbus addresses using the Modicon convention, which explicitly specifies the register type while also signalling to the user that the displayed addresses are one-indexed.

Modbus queries in NetworkMiner

The register types are displayed in parentheses and should be interpreted as follows:

  • (0)nnnn = Coil
  • (1)nnnn = Discrete input
  • (3)nnnn = Input register
  • (4)nnnn = Holding register
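To make the Modicon convention concrete, here is an added example (not NetworkMiner’s own code) that parses a Modbus/TCP request (MBAP header plus PDU) and renders the addressed registers with the type prefix and one-indexed address described above. The function-code-to-register-type mapping and the constructed sample frames are my own assumptions for illustration.

```python
import struct

# Modbus function code -> (Modicon register-type prefix, register name).
# Assumed mapping: coil functions map to (0), discrete inputs to (1),
# input registers to (3) and holding registers to (4).
FUNCTION_TYPES = {
    1: (0, "Coil"), 5: (0, "Coil"), 15: (0, "Coil"),
    2: (1, "Discrete input"),
    4: (3, "Input register"),
    3: (4, "Holding register"), 6: (4, "Holding register"), 16: (4, "Holding register"),
}
# Function codes whose PDU carries a start address followed by a quantity.
RANGE_FUNCTIONS = {1, 2, 3, 4, 15, 16}


def modicon(register_type: int, zero_based: int) -> str:
    """Render a zero-based PDU address as (type)nnnn, one-indexed, min 4 digits."""
    return f"({register_type}){zero_based + 1:04d}"


def describe_modbus_request(frame: bytes) -> str:
    """Parse MBAP header + request PDU and describe the addressed registers."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    transaction, protocol, length, unit, function = struct.unpack("!HHHBB", frame[:8])
    if protocol != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {protocol})")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    if function not in FUNCTION_TYPES:
        # e.g. function 43 (Read Device Identification) addresses no register
        return f"unit {unit}: function {function} (no register address)"
    reg_type, name = FUNCTION_TYPES[function]
    start = struct.unpack("!H", frame[8:10])[0]
    if function in RANGE_FUNCTIONS:
        count = struct.unpack("!H", frame[10:12])[0]
        if count < 1:
            raise ValueError("quantity must be at least 1")
        first, last = modicon(reg_type, start), modicon(reg_type, start + count - 1)
        return f"unit {unit}: function {function} {name}s {first}-{last}"
    return f"unit {unit}: function {function} {name} {modicon(reg_type, start)}"


# Constructed sample frames (not from a real capture):
# Read Holding Registers, unit 1, start address 0, quantity 10
READ_HOLDING = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
# Write Single Coil, unit 1, address 19, value ON (0xFF00)
WRITE_COIL = b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x13\xff\x00"
```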

NetworkMiner now also reads Modbus Device Identification messages and displays the reported device info in Host Details. This feature is very handy if you’re building an asset inventory through passive asset discovery (i.e. passively monitoring traffic to identify devices).

Modbus vendor information in NetworkMiner

NetworkMiner 2.9 also supports asset identification for ICS networks that use COTP-based protocols, such as the Siemens S7 protocol or IEC 61850 MMS, by parsing COTP connection request messages. The identified COTP TSAP names are displayed under Host Details.

Image: NetworkMiner showing a WinCC client and a Siemens SIMATIC device

User Interface Improvements

TLS handshake fingerprinting with JA3 was added to NetworkMiner in 2019, but last year John Althouse announced the new JA4+ fingerprint methods. In short, JA4+ is a suite of methods designed to fingerprint implementations of a specific set of protocols, including TLS, HTTP and SSH. Most of the fingerprinting methods in the JA4+ suite are patent pending, except for the TLS client fingerprinting method JA4, which is an improved version of JA3. NetworkMiner now generates both JA3 and JA4 fingerprints for TLS handshakes. The results from the TLS fingerprinting can be seen in the Parameters tab as well as Host Details. In the example below we’ve loaded TLS traffic to port 8533 on 91.92.251.26 from a Remcos sample on ANY.RUN into NetworkMiner Professional (the free NetworkMiner edition doesn’t parse TLS traffic to non-standard ports).

Image: JA4 hash t13i010400_0f2cb44170f4_5c4c70b73fa0 for Remcos C2 traffic

NetworkMiner has also been improved to extract even more information from HTTP traffic, such as JSON formatted parameters and telemetry data sent to Microsoft by their Device Metadata Retrieval Client (DMRC). We have also improved the DNS extraction, both with regards to DNS TXT labels and Additional Resource Records.

The previous Remcos screenshot displays a latency measurement (0.0935 ms), which is another new feature in this release. This latency value is an estimation of the average timespan from when the host sends a packet until it gets captured by the sniffer. NetworkMiner’s hosts list can be sorted based on the Latency value, whereby local computers and network devices are shown at the top of the list. Another way to achieve similar results is to instead sort the hosts based on “Router Hops Distance”.

NetworkMiner’s user interface has also been improved to make it easier to copy text from the Hosts and Parameters tabs with Ctrl+C or by right-clicking and selecting “Copy …”. The export-to-file function in NetworkMiner Professional now additionally includes data from the Keywords tab.

TZSP Sniffing and Decapsulation

Routers from Mikrotik have a feature called TZSP (short for TaZmen sniffer Protocol), which encapsulates captured traffic into TZSP packets and then transmits them to a streaming server. This feature is similar to PCAP-over-IP and ERSPAN, except TZSP transports the sniffed packets over UDP instead of TCP or GRE.

NetworkMiner now includes a TZSP streaming server, which can receive TZSP encapsulated traffic over a UDP socket. Click “File, Receive TZSP Stream”, select a port (default is 37008) and click “Start” to receive a real-time stream of captured packets from a Mikrotik router. We’ve also added support for TZSP link layer type (DLT_TZSP) pcap files as well as decapsulation of TZSP packets to UDP port 37008. I’d like to thank Jarmo Lahtiranta for proposing this feature!
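The TZSP decapsulation described here, and the filter-stream caveat from the sniffing how-to above, are illustrated by this added example (not NetworkMiner’s or Mikrotik’s code): it strips the TZSP header and tag list from a datagram received on UDP 37008 and then checks whether the recovered frame is itself TZSP traffic to the streaming server, which is what you would see if filter-stream were left off. The header layout is the public TZSP format; the sample datagram and the dummy addresses in it are constructed.

```python
import struct

# TZSP header as streamed by RouterOS: version (1 byte, =1), type (1 byte,
# 0 = received packet), encapsulated protocol (2 bytes, 1 = Ethernet), then
# tagged fields (1-byte tag; all but PADDING 0x00 and END 0x01 carry a 1-byte
# length plus data) and, after END, the sniffed frame itself.
TZSP_PORT = 37008
TAG_PADDING, TAG_END = 0x00, 0x01
ENCAP_ETHERNET = 1


def parse_tzsp(datagram: bytes):
    """Return (type, encapsulation, {tag: value}, inner_frame) or raise."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while pos < len(datagram):
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            return ptype, encap, tags, datagram[pos:]
        if tag == TAG_PADDING:
            continue
        length = datagram[pos]  # IndexError here means a truncated tag
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    raise ValueError("TZSP tag list not terminated by END")


def is_nested_tzsp(frame: bytes) -> bool:
    """True if an Ethernet/IPv4/UDP frame is itself TZSP to port 37008, i.e.
    the router is re-sniffing its own stream because filter-stream is off."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return False  # not IPv4 over Ethernet, or IP protocol is not UDP (17)
    udp = frame[14 + (frame[14] & 0x0F) * 4:]
    return len(udp) >= 8 and struct.unpack("!H", udp[2:4])[0] == TZSP_PORT


def udp_frame(dst_port: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame with dummy addresses (sample data)."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 1, 2, 10]), bytes([10, 1, 2, 3])) + udp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


# Constructed sample datagram: padding tag, packet-count tag 0x28, END, one frame
SAMPLE = (b"\x01\x00\x00\x01" + b"\x00" + b"\x28\x04\x00\x00\x00\x07" + b"\x01"
          + udp_frame(53, b"dns-query"))
```

A real receiver would bind a UDP socket to port 37008 and pass each datagram to parse_tzsp; if is_nested_tzsp ever returns True on a decapsulated frame, go back and set filter-stream=yes on the router.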

Speaking of decapsulation – we’ve added a GTP-U parser, which enables NetworkMiner to analyze GPRS traffic from GSM, UMTS, LTE and 5G networks that is transmitted inside a GTP tunnel.

Upgrading to Version 2.9

Users who have purchased NetworkMiner Professional can download version 2.9 from our customer portal, or use the “Check for Updates” feature from NetworkMiner's Help menu. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Monday, 27 May 2024 09:50:00 (UTC/GMT)

Tags: #NetworkMiner #TZSP #Modbus #JA4 #BackConnect #VNC #JSON

Short URL: https://netresec.com/?b=245092b
