How does malware utilize tor?

So, there is quite a lot of malware nowadays that uses the Tor network to communicate with C2 servers.
From what I see, they host their C2 server under a .onion domain and then hardcode Tor “proxies” into the malware, which it uses to connect to and which then allow it to send data back to the C2 server.

Now, when I asked people how they get the “proxies”, I was told they are not really proxies, but that is what they look like.


As you can see, to me these look like proxies. Now, I know the Tor Project themselves have a page that auto-updates every 20 minutes with the latest Tor exit nodes, but my question is: how are they getting the port number so they can route traffic through them too?

Now, I was able to speak to someone once who made malware that used this, and they simply said to me: “They are free online, anyone can incorporate this into their malware”, but he would not tell me where people get them from x_x

Anyone got any ideas at all?


I’m not sure about this particular variant you are showing so any more information is helpful.

What you are probably talking about are “tor2web” proxies: GitHub - tor2web/Tor2web: Tor2web is an HTTP proxy software that enables access to Tor Hidden Services by mean of common web browsers. These proxies specifically convert clearweb traffic to Tor traffic without having to install additional Tor-related binaries. So when your friend said they are free, you can look up the software I mentioned above and find a couple of Tor2web sites that will forward traffic onto a Tor website.

It doesn’t look like it in your example, but Tor binaries are also included in some malware so that they can funnel all the traffic to Tor; this tends to have a lot of downsides, though. Resilient Botnet Command and Control with Tor by Dennis Brown (DEF CON, July 2010) is a pretty good presentation that is still relevant if you are curious for more.

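To make the tor2web mechanism from the answer above concrete, here is an added example (not code from the thread or from the Tor2web project). A tor2web gateway is an ordinary clearweb HTTPS host, so the client reaches it on port 443 like any other website: the onion service is named by putting the `.onion` label in front of the gateway's base hostname. The first function performs that rewrite the way a client would; the second inverts it for a defender, recovering the real `.onion` target from a hostname seen in proxy or DNS logs; the third runs that check over some constructed proxy log lines. The gateway base hostnames (`onion.example`, `tor2web.example`), the onion addresses and the log lines are all placeholders constructed for this example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical tor2web gateway base hostnames, constructed for this example.
# A real list would be populated from the gateways you actually track.
GATEWAY_BASEHOSTS = ("onion.example", "tor2web.example")

# The label in front of ".onion": 16 base32 chars (v2) or 56 chars (v3).
ONION_LABEL_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def to_gateway_url(onion_url: str, basehost: str) -> str:
    """Rewrite http://<label>.onion/<path> into the clearweb form a tor2web
    gateway serves: https://<label>.<basehost>/<path>.

    The result is a plain HTTPS URL, which is why a client built this way
    needs neither a Tor binary nor a Tor port: it just talks TLS to the
    gateway on 443 and the gateway does the Tor hop.
    """
    parts = urlsplit(onion_url)
    host = (parts.hostname or "").lower()
    if not host.endswith(".onion"):
        raise ValueError(f"not an onion URL: {onion_url!r}")
    label = host[: -len(".onion")]
    if not ONION_LABEL_RE.match(label):
        raise ValueError(f"malformed onion address: {host!r}")
    url = f"https://{label}.{basehost}{parts.path or '/'}"
    if parts.query:
        url += "?" + parts.query
    return url


def onion_behind_gateway(host: str) -> Optional[str]:
    """Defender-side inverse: given a hostname from proxy/DNS logs, return
    the .onion service it really targets if the host is a gateway-wrapped
    onion address, otherwise None."""
    host = host.lower().rstrip(".")
    for basehost in GATEWAY_BASEHOSTS:
        suffix = "." + basehost
        if host.endswith(suffix):
            label = host[: -len(suffix)]
            if ONION_LABEL_RE.match(label):
                return label + ".onion"
    return None


# Constructed proxy log lines: <epoch> <client> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
1700000001.101 192.0.2.10 GET https://www.example.com/index.html 200
1700000002.202 192.0.2.11 POST https://abcdefghijklmnop.onion.example/gate.php 200
1700000003.303 192.0.2.12 GET https://onion.example/ 200
1700000004.404 192.0.2.13 POST http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.tor2web.example/report 200
1700000005.505 192.0.2.14 GET https://notanonion.onion.example/ 404
"""


def scan_proxy_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, onion_address) for every request that reached an
    onion service through one of the known gateways. Requests to the
    gateway's front page or to non-onion labels are ignored."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname or ""
        onion = onion_behind_gateway(host)
        if onion:
            hits.append((client, onion))
    return hits


if __name__ == "__main__":
    print(to_gateway_url("http://abcdefghijklmnop.onion/gate.php?id=1", "onion.example"))
    for client, onion in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {onion}")
```

The defender-side check is deliberately stricter than a plain substring match on the gateway name: it requires the leading label to be a syntactically valid onion address, so a request to the gateway's own front page or to an unrelated subdomain does not trigger.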

An Update for a Very Active DDos Botnet: Moobot. I was mainly referring to a specific piece of malware, although since I first read about this piece a lot more have come out using the same technique.
They don't have Tor binaries; they have proxies hardcoded into the malware itself, which they use, and then when they spread newer versions of the malware they update the proxies.

BUMP! I still need to find this out.
