EPISODE · Nov 14, 2025 · 10 MIN
Course 6 - Network Traffic Analysis for Incident Response | Episode 6: Investigating RATs, Worms, Fileless, and Multi-Stage Malware Variants
from CyberCode Academy · host CyberCode Academy
In this lesson, you’ll learn about: Advanced Malware Traffic Analysis — how to detect, decode, and investigate RATs, fileless exploits, worms, and multi-stage infections using real network captures.

1. Remote Access Trojans (RATs)

WSH RAT
- Uses plaintext beaconing for C2 → very easy to identify.
- Key data exfiltrated in HTTP requests:
  - Unique device ID
  - Computer name
  - Username (“admin”)
  - RAT version (often hidden in the User-Agent field)

NJRAT
- Shows extensive data exfiltration:
  - Windows XP build info
  - CPU type (Intel Core i7)
  - Username (“Laura”)
- Contains custom data blocks:
  - Likely a proprietary C2 format
  - Example: 4-byte value representing payload length (e.g., 16 bytes)

2. Fileless Malware (Angler Exploit Kit)

Detection
- Traffic contains obfuscated script + random literature quotes → used to evade heuristic scanners.
- Streams show signs of XOR encoding.

Extraction & Deobfuscation
- Using Network Miner, extracted files include:
  - A Shockwave Flash file (.swf)
  - Three large application/octet-stream files
- XOR decoding reveals:
  - Shellcode + Windows executable (DLL)

Purpose
- Shellcode injects the malicious DLL into a running process (e.g., Internet Explorer).
- Because nothing is written to disk → bypasses traditional antivirus, making network analysis essential.

3. Network Worm Behavior

WannaCry (SMB Worm)
- Exploits SMB on port 445 using Eternal-family vulnerabilities.
- Behavior includes:
  - High-volume IP scanning for vulnerable systems
  - SMB exploitation setup (NOP sled → shellcode → payload transfer)

MyDoom (SMTP Mailer Worm)
- Attempts spreading via SMTP (port 25).
- Tries to send spoofed “delivery failed” emails with malicious attachments:
  - e.g., mail.zip → actually .exe hidden using spaces + triple dots.
- In the demonstration, all spreading attempts were blocked, showing modern protections in action.

4. Multi-Stage Malware Infection Tracking

Stage 1 — Initial Compromise
- Suspicious HTTP request containing a Base64 ID.
- Decodes to an email address (e.g., Reginald/Reggie Cage) → privacy red flag.
- Download of a malicious Microsoft Word file.

Stage 2 — Downloader Activity
- Traffic to known malware-downloader domains (e.g., Pony botnet infrastructure).
- Malware sends detailed victim metadata:
  - GUID
  - OS build number
  - IP address
  - Hardware info

Stage 3 — Command & Control
- Multiple C2 messages observed:
  - Some Base64-encoded
  - Many encrypted → indicating later-stage payloads
- Strong evidence that: Word file → downloader (Pony) → secondary malware → possible tertiary stage

5. Key Techniques Demonstrated
- Identifying IOCs in network captures
- Detecting plaintext, encoded, and encrypted C2 protocols
- Carving files and reconstructing injected payloads
- Analyzing worm scanning patterns
- Tracking infection chains across multiple malicious components

You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
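The XOR decoding step from section 2, as an added example that is not from the episode or from CyberCode Academy: a small Python helper that brute-forces a single-byte XOR key over a carved application/octet-stream blob (as Network Miner would extract it) and reports whether the decoded bytes contain a Windows PE header flagged as a DLL. The input blob is constructed inside the script (a stand-in prefix where the shellcode stub would sit, followed by a minimal DLL header); it assumes a single-byte key, which is the first thing to try before moving to multi-byte keys.

```python
import struct

DOS_STUB = b"This program cannot be run in DOS mode"  # text present in nearly every PE
IMAGE_FILE_DLL = 0x2000                               # COFF Characteristics flag for a DLL

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_pe(decoded: bytes):
    """Return the offset of an 'MZ' header whose e_lfanew points at a PE signature, else None."""
    idx = decoded.find(b"MZ")
    while idx != -1:
        if len(decoded) >= idx + 0x40:                      # room for the full DOS header
            e_lfanew = struct.unpack_from("<I", decoded, idx + 0x3C)[0]
            if decoded[idx + e_lfanew:idx + e_lfanew + 4] == b"PE\x00\x00":
                return idx
        idx = decoded.find(b"MZ", idx + 1)
    return None

def recover_xor_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, mz_offset) for the first one yielding a valid PE."""
    for key in range(256):
        off = find_pe(xor_bytes(blob, key))
        if off is not None:
            return key, off
    return None

def is_dll(decoded: bytes, mz_off: int) -> bool:
    """COFF Characteristics sits 18 bytes past the 4-byte PE signature; test the DLL bit."""
    e_lfanew = struct.unpack_from("<I", decoded, mz_off + 0x3C)[0]
    chars = struct.unpack_from("<H", decoded, mz_off + e_lfanew + 22)[0]
    return bool(chars & IMAGE_FILE_DLL)

def build_sample(key: int = 0x5A) -> bytes:
    """Constructed test input (not a real capture): 16 stand-in bytes where the shellcode
    stub would be, then a minimal DLL image (DOS header, stub, PE + COFF header), XOR-ed with key."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew: PE signature at +0x80
    image = bytes(dos) + DOS_STUB.ljust(0x40, b"\x00")      # DOS stub padded to 0x40 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386; DLL bit set
    image += b"PE\x00\x00" + coff
    return xor_bytes(b"\xCC" * 16 + image, key)

if __name__ == "__main__":
    blob = build_sample()
    key, off = recover_xor_key(blob)
    dec = xor_bytes(blob, key)
    print(f"key=0x{key:02x} MZ at +{off} dll={is_dll(dec, off)} stub={DOS_STUB in dec}")
```

On a real blob, a hit on the DOS stub string after decoding is the quickest sanity check that the key is right; the bytes before the MZ offset are the candidate shellcode to hand to a disassembler.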