mvrozanti / RAT-via-Telegram

Windows Remote Administration Tool via Telegram
MIT License

Using inside a closed network + proxy #3

Open Dviros opened 7 years ago

Dviros commented 7 years ago

Hey dude, I'm running the script inside a closed network that gets outside with a proxy (squid) machine. During the initialization, it seems that the RAT is actually connected to the Telegram API with a 443 connection; however, messages do not get inside and outside.

  1. Do you have an idea how to monitor the actual traffic?
  2. Do you have an idea how to get outside?

Thanks!

mvrozanti commented 7 years ago

Sorry for the long delay. Can you clarify "getting outside"? Maybe post the script?

Monitoring internet traffic in Windows could be done with netstat. Another possibility would be using pyshark.

This is actually a pretty interesting feature but not one that I'm very familiar with. What exactly would be defined by "monitoring"? I ask that because since much of the traffic today is https-encrypted, I'm not sure how to display this kind of information.

Very much valid feature though. Adding to todo list

Dviros commented 7 years ago

Hi, sorry for the delayed comment. By monitoring I want to make sure that communications to the "C&C" Telegram API server are flowing in both ways. We need to think of a way to check ourselves (SSL handshake, connection status, timeouts etc. - pyshark may be a good option). Also, is it possible to use "alternate" control servers? Can we control the noise of the RAT? The interval that it will communicate outside (once a minute, for example). Cheers dude

mvrozanti commented 7 years ago

I'm not getting it bro. The bot checks for new messages constantly as of right now. Are you suggesting reducing the interval between each message check?

AFAIK SSL handshake, connection status and timeouts are all handled by the Telegram API.
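As an added example (not code from this repository or from either participant), here is the defender's side of the "noise" question raised above: the constant message polling mvrozanti describes shows up on a Squid proxy like Dviros's as a steady stream of CONNECT tunnels to api.telegram.org, and a regular, tight cadence per client is what distinguishes a polling loop from a person using Telegram. The access.log lines, the 203.0.113.x upstream address and the thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Squid native access.log format (one request per line):
#   time elapsed client action/code size method url ident hierarchy/from type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<action>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)
TELEGRAM_API = "api.telegram.org"

def parse_squid(lines):
    """Yield (timestamp, client) for every CONNECT tunnel to the Telegram API."""
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        if m["url"].split(":")[0] != TELEGRAM_API:  # url is host:port for CONNECT
            continue
        yield float(m["ts"]), m["client"]

def find_pollers(lines, min_requests=5, max_median_gap=10.0, max_jitter=0.5):
    """Flag clients whose Telegram tunnels form a tight, regular loop: at least
    min_requests tunnels, median gap <= max_median_gap s, stdev/median <= max_jitter."""
    by_client = defaultdict(list)
    for ts, client in parse_squid(lines):
        by_client[client].append(ts)
    flagged = {}
    for client, stamps in by_client.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        jitter = statistics.pstdev(gaps) / median if median > 0 else 0.0
        if median <= max_median_gap and jitter <= max_jitter:
            flagged[client] = {"requests": len(stamps), "median_gap": round(median, 2)}
    return flagged

# Constructed sample: 10.0.0.5 polls every 2 s; 10.0.0.9 is a user with two sessions.
SAMPLE_LOG = [
    f"{1541000000 + 2 * i:.3f}    120 10.0.0.5 TCP_TUNNEL/200 4500 CONNECT api.telegram.org:443 - HIER_DIRECT/203.0.113.10 -"
    for i in range(6)
] + [
    "1541000001.500    300 10.0.0.9 TCP_TUNNEL/200 9800 CONNECT api.telegram.org:443 - HIER_DIRECT/203.0.113.10 -",
    "1541000900.000    200 10.0.0.9 TCP_TUNNEL/200 7100 CONNECT api.telegram.org:443 - HIER_DIRECT/203.0.113.10 -",
]
```

Point it at a real access.log with `find_pollers(open("/var/log/squid/access.log"))` and tune the thresholds to the polling interval you expect to catch.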