
WEBC2-RAVE (9e36feee-e7d2-400a-960e-5f2bd6ac0c15)

A WEBC2 backdoor is designed to retrieve a Web page from a predetermined C2 server. It expects the Web page to contain special HTML tags; the backdoor attempts to interpret the data between the tags as commands. This family of malware sets itself up as a service, connects out to a hardcoded web page and reads a modified base64 string from that page. Later versions of this malware support three commands (earlier ones are just downloaders or reverse shells). The first command sleeps the malware for N hours. The second command downloads a binary from the encoded HTML comment and executes it on the infected host. The third spawns an encoded reverse shell to an attacker-specified location and port.
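As an added detection-oriented example (not part of this MISP entry), the following Python scans a fetched page for HTML comments that carry a single long encoded run, the pattern this family reads its commands from. It assumes standard base64 because the entry does not describe the modification WEBC2 applies, and its sample pages and the placeholder hostname are constructed.

```python
import re
import base64
import binascii

# Constructed samples: a benign page, and a page carrying a WEBC2-style blob
# inside an HTML comment. The payload uses plain base64 as an assumption; the
# hostname is a placeholder, not a real indicator.
BENIGN_HTML = "<html><!-- site nav --><body><p>Hello</p></body></html>"
SUSPICIOUS_HTML = (
    "<html><body><p>Welcome</p><!-- "
    + base64.b64encode(b"sleep=4;download=http://placeholder.invalid/x.exe").decode()
    + " --></body></html>"
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# One unbroken run of base64-alphabet characters (standard or URL-safe), 16+ long.
B64_RE = re.compile(r"^[A-Za-z0-9+/=_\-]{16,}$")


def html_comments(html):
    """Return the stripped body of every HTML comment on the page."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def looks_encoded(blob):
    """Heuristic: a long, space-free run of base64-like characters."""
    return bool(B64_RE.match(blob))


def try_decode(blob):
    """Decode as standard base64; returns None if the blob is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_page(html):
    """List comments that look like hidden command data, with any decoded bytes."""
    findings = []
    for comment in html_comments(html):
        if looks_encoded(comment):
            findings.append({"comment": comment, "decoded": try_decode(comment)})
    return findings
```

Running `scan_page` over proxy-captured responses to a suspected C2 host surfaces the comment blobs for an analyst to inspect; a flagged comment that also decodes cleanly is the stronger signal.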

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| WebC2-Rave (5350bf3a-26b0-49fb-a0b8-dd68933ea78c) | Malpedia | WEBC2-RAVE (9e36feee-e7d2-400a-960e-5f2bd6ac0c15) | Tool | 1 |