C2, short for command and control server, is the backbone of every remotely executed cyber attack. That includes data wipers, ransomware, and trojans, among countless other varieties of malware. The primary job of a C2 server is to let cyber criminals collect the information exfiltrated from a victim's system or network and control their malware payloads remotely.
In short, C2 servers are the primary requirement behind cyber attacks executed remotely. Until the arrival of Dark Utilities, however, C2 servers were primarily designed, hosted, and maintained by the threat actor groups themselves. A few ransomware-as-a-service (RaaS) providers had started sharing C2 server access with their affiliates, but the arrival of Dark Utilities in early 2022 changed the game by offering C2 servers as a service, turning the threat landscape inside out.
Dark Utilities and the arrival of C2aaS
The Dark Utilities platform offers C2 servers as a service (C2aaS), letting its subscribers execute distributed denial-of-service (DDoS) attacks, run commands, gain remote access, and initiate crypto mining operations on victim systems. C2aaS matters to the entire cybersecurity community for the following reasons:
- The sophisticated C2-server-as-a-service offering targets affiliates with only amateur-level knowledge, letting them easily launch remote attacks across platforms: subscribers can deliver payloads to Windows, Linux, and Python-supported systems.
- The platform is actively working on expanding its support list for other platforms. Recently, they have extended their support for ARM64 and ARMV71 architectures to launch attacks on several internet-connected devices, including Wi-Fi routers.
- To make the job easier for its end customers, Dark Utilities offers technical support via its Telegram and Discord channels.
- To maintain the authenticity and integrity of the C2aaS service, Dark Utilities requires authentication via Discord before granting anyone access to its service.
- The platform offers a few ready-to-deploy payloads and is hosted on the Interplanetary File System (IPFS) to evade law enforcement and resist takedown or moderation of its code. For the uninitiated, IPFS gateways work much like a Tor2Web network: users can reach the hosted content from an ordinary browser without installing any client application.
- Like ransomware-as-a-service (RaaS) operators, Dark Utilities also offers a dashboard displaying every important attack metric, including server health and platform statistics. Such dashboards are built to make the attack cycle easy for the users.
- The C2aaS platform lets users generate new malware payloads by selecting a particular operating system from the dashboard. Once the target operating system is set, the system automatically generates a command string to retrieve and execute the malware payload on victim systems.
- The premium access to the C2aaS service is available at just 9.99 euros, which is dirt cheap compared to hosting a C2 server individually. As expected, almost 3,000 users have already enrolled in the service at press time.
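Because the page notes that the platform's payloads are reached through IPFS gateways, a defender's first practical check is to find IPFS-gateway-style fetches in web proxy logs. The following Python is an added example written for this article; it is not code from the page, from K7 Computing, or from Dark Utilities. The log format (timestamp, client, method, URL, status) is hypothetical, and the sample lines and content identifiers are constructed. It goes slightly beyond the page by also recognising the subdomain form some gateways use (`<cid>.ipfs.<gateway>`), not only the `/ipfs/<cid>` path form.

```python
"""Flag proxy log entries whose URL looks like an IPFS gateway fetch.

Added example for illustration; the log format is hypothetical and the
sample lines below are constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit

# IPFS gateways expose content under /ipfs/<CID> or /ipns/<name> paths.
PATH_RE = re.compile(r"^/(ipfs|ipns)/([A-Za-z0-9._-]+)")
# Some gateways instead serve content from <cid>.ipfs.<gateway> subdomains.
SUBDOMAIN_RE = re.compile(r"^([a-z0-9]+)\.(ipfs|ipns)\.")

# Constructed sample log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2022-08-10T10:01:02Z 10.0.0.5 GET https://example.org/index.html 200
2022-08-10T10:01:09Z 10.0.0.7 GET https://gateway.example/ipfs/QmConstructedCidForThisDemoOnly1234567890abcdefghij/payload.sh 200
2022-08-10T10:02:15Z 10.0.0.9 GET https://bafybeiexamplecidconstructedforthisdemoaaaaaaaaaaaaaaaaaaaaaa.ipfs.gateway.example/ 200
2022-08-10T10:03:00Z 10.0.0.5 GET https://intranet.example/ipfs-docs/ 200
"""


def classify_url(url):
    """Return ('ipfs'|'ipns', identifier) if the URL looks like a gateway
    fetch, otherwise None. Checks the path form first, then the subdomain form."""
    parts = urlsplit(url)
    m = PATH_RE.match(parts.path)
    if m:
        return (m.group(1), m.group(2))
    # urlsplit lowercases the hostname; subdomain gateways use lowercase
    # base32 CIDv1 identifiers, so nothing is lost here.
    m = SUBDOMAIN_RE.match(parts.hostname or "")
    if m:
        return (m.group(2), m.group(1))
    return None


def scan_log(text):
    """Parse the hypothetical log format and return one record per IPFS hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash the scan
        ts, client, method, url, status = fields[:5]
        found = classify_url(url)
        if found:
            hits.append({"time": ts, "client": client, "method": method,
                         "kind": found[0], "id": found[1], "url": url})
    return hits


def clients_by_identifier(hits):
    """Group hit clients by content identifier: the same CID fetched from
    many hosts is a stronger signal than a single IPFS access."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["id"], set()).add(h["client"])
    return grouped


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["time"], h["client"], h["kind"], h["id"])
```

IPFS has plenty of legitimate uses, so a hit is a lead rather than a verdict: pivot on the content identifier (who else fetched it, what the fetched object was, whether execution followed) before acting on it.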
The Threat Landscape: Is Doomsday Coming Soon?
Dark Utilities' dirt-cheap subscription plan would encourage more amateurs and script kiddies to enroll in the service and execute attacks without ample knowledge of cyber attacks. The RaaS revenue model shows how remote attacks are likely to multiply with the arrival of C2aaS: RaaS services usually appoint affiliates and offer them a cut of the ransom money, whereas C2aaS would allow anyone to launch cyberattacks on any system without the necessary knowledge or resources.
Looking at the services the platform offers, here is how it would encourage budding threat actors.
- The platform offers detailed documentation to help users understand, step by step, complicated attack processes such as reconnaissance and vulnerability searching to gain an initial foothold.
- The platform significantly helps amateur developers build botnets without investing much time and effort.
- Once a user develops a payload and uploads it to a target machine, the service offers a management dashboard to launch DDoS attacks and initiate unauthorized crypto mining operations and remote code execution (RCE).
- It offers four sophisticated DDoS attack support options, including executing attacks through popular gaming titles like Counter-Strike: Global Offensive.
So what’s next?
Modern threat actors know how to expand their attack sphere by adopting new technologies, and as-a-service solutions are no exception. They have been practising this revenue model with cloud-hosted malware services since 2015, starting with the Quaverse remote access trojan (RAT). Later, ransomware as a service (RaaS) and malware as a service (MaaS) appeared on the market to encourage budding threat actors to get into the game of earning quick and easy blood money. The arrival of RaaS multiplied the ransomware attack surface and significantly increased the ransom money. Both precedents offer clear insight into how impactful the newly available C2aaS could be.
However, in our fight against adversaries, we at K7 Computing continue to improve our ability to detect and thwart cyberattacks of any sophistication, protecting enterprises and individuals.