I wasn’t aware of Jose Nazario’s post concerning this topic while I was conducting this research; I had only been exposed to the Wired Threat Level article prior to researching. So while I present some of the same information as Jose, this duplication of information only came to my attention afterwards. If you’ve read Jose’s post, this post may still be worth the read for several reasons:

- Jose and I differed on some of the tools & techniques used.
- I attempt to offer a more detailed description of my methods/logic as a pseudo-tutorial.
- I mirror all the necessary info so the readers can do this themselves.
- There’s a quick discussion on some malware I found hosted at (Jose probably saw it too but didn’t mention it) as well as a possible lead to a very sloppy botnet master.

I was reading some feeds on Friday (Aug 14th) and came across Wired’s article on outsourcing botnet C&C (command & control) to Twitter. What caught my eye wasn’t so much the article itself but the screenshot accompanying the article. Many times when major outlets report on botnets/worms/virii/etc., crucial details are left out either intentionally (to protect the innocent) or accidentally.

I immediately recognized the tweets in the above screenshot as being base64 encoded. Furthermore, all of the posts started with the same 18 characters, indicating to me that these are not encrypted nor obfuscated beyond the simple base64 encoding. This is evidence for a fairly unsophisticated botnet herder. Perhaps the botnet herders are using Robin Wood’s KreiosC2 for nefarious purposes?

I transcribed the messages captured in the screenshot and decoded them in order from most recent to least recent. Some contained what appeared to be multiple links (redirections valid as of Aug 14th, 2009):

```
aHR0cDovL2JpdC5seS9MT2ZSTyBodHRwOi8vYml0Lmx5L0ltZ2
aHR0cDovL2JpdC5seS8xN2w0RmEgaHR0cDovL2JpdC5seS8xN
aHR0cDovL2JpdC5seS9wbVN1YyBodHRwOi8vYml0Lmx5LzE3b
aHR0cDovL2JpdC5seS9HaHVVdSBodHRwOi8vYml0Lmx5L1FqC
aHR0cDovL2JpdC5seS8zUndBTiBodHRwOi8vYml0Lmx5LzJwU0
```

Turning these base64 strings into something meaningful was more involved than simply decoding them. All the Twitter posts that included two redirect URLs appear to have a nonsense link as the second URL. If anyone has a theory as to the purpose of these secondary links, please leave a comment or shoot me an email.

Automated payload deployment was determined by looking at some of the URLs linked in the Twitter screenshot: It can be deduced from these URLs that malware was uploaded to in a short enough time period to warrant consecutive numbers. Furthermore, it is clear that whoever controlled the Twitter C&C made these uploads as well, judging by the upd4t3 handle present across services.

The botnet herder’s name is Rafael? I took another look at the malware hosted at Ubuntu and removing the plain/:
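As an added example (not code from the original post), here is a small Python triage routine for a batch of posts like the ones above: it rejects anything that is not base64, restores padding lost in transcription, confirms the shared leading characters the post describes, and lists the embedded redirect URLs, flagging the second one where present. The sample posts are constructed stand-ins with placeholder bit.ly paths, not the real tweets.

```python
# Added example (not from the original post): triage suspected base64 C&C
# posts, recover their shared prefix and list the embedded redirect URLs.
import base64
import binascii
import os
import re

URL_RE = re.compile(r"https?://\S+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+=*")

def decode_b64_lenient(post):
    """Decode base64, restoring '=' padding lost in transcription; return
    None unless the result is printable ASCII, so plain tweets are rejected."""
    post = post.strip()
    if not B64_RE.fullmatch(post):
        return None
    padded = post + "=" * (-len(post) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def triage(posts):
    """Return (shared_prefix, beacons); each beacon records the raw post, its
    decoded text, all URLs found and the secondary URL (or None)."""
    beacons = []
    for post in posts:
        decoded = decode_b64_lenient(post)
        if decoded is None or not URL_RE.search(decoded):
            continue  # plain chatter, or base64 carrying no URL
        urls = URL_RE.findall(decoded)
        beacons.append({"post": post.strip(), "decoded": decoded, "urls": urls,
                        "secondary": urls[1] if len(urls) > 1 else None})
    # Identical leading characters across posts mean a fixed plaintext prefix
    # (every post starting "http://bit.ly/" shares the same first 18 base64
    # characters), i.e. no per-message key or cipher on top of the encoding.
    prefix = os.path.commonprefix([b["post"] for b in beacons])
    return prefix, beacons

# Constructed samples (placeholder bit.ly paths, not the real tweets): three
# beacons, one with its padding stripped, plus one unrelated tweet.
_PLAIN = ["http://bit.ly/EXAMPLE1 http://bit.ly/EXAMPLE2",
          "http://bit.ly/EXAMPLE3",
          "http://bit.ly/EXAMPLE4 http://bit.ly/EXAMPLE5"]
SAMPLE_POSTS = [base64.b64encode(p.encode()).decode() for p in _PLAIN]
SAMPLE_POSTS[1] = SAMPLE_POSTS[1].rstrip("=")
SAMPLE_POSTS.append("just had lunch, back to work")
```

Calling `triage(SAMPLE_POSTS)` returns the 18-character `aHR0cDovL2JpdC5seS` prefix plus the three decoded beacons; the unrelated tweet is dropped because it is not valid base64.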