Behinder's traffic is AES-encrypted in order to bypass WAFs.
The method described here can decrypt that traffic and thereby detect IceRat.
In the PHP and ASP versions of IceRat, the payload is encrypted as follows:
the plaintext string is split into segments and each segment is XORed with the key;
that is, the ciphertext is cipher[i] = payload[i] ^ key.

Because XOR is associative and self-inverse (a ^ b ^ b = a), given a cipher and its payload the key follows directly as key = cipher[i] ^ payload[i].
Reverse engineering the IceRat client reveals the malicious Class templates used for the payload; every function of the IceRat client is implemented by adding parameters to such a malicious Class.

IceRat 4.0 has a total of 12 templates. Therefore every possible payload starts with one of the following fixed 32-byte prefixes (the `\n` are real newline bytes):
payloads = [
b'<?\n@error_reporting(0);\n\nfunctio',
b'<?\nfunction main($action, $remot',
b'<?\n@error_reporting(0);\nset_time',
b'\nerror_reporting(0);\n\nfunction m',
b'<?\n@error_reporting(0);\n\n\nfuncti',
b'<?\nerror_reporting(0);\nfunction ',
b'@error_reporting(0);\nfunction ma',
b'<?php\n\n$taskResult = array();\n$p',
b"<?\nerror_reporting(0);\nheader('C",
b'@error_reporting(0);\n\nfunction g',
b'<?\n@error_reporting(0);\n@set_tim'
]
The cipher can be obtained from the HTTP message.

At this point, however, it is not yet known that this cipher is IceRat ciphertext; all we have is a blob of bytes.
So we try every possible payload prefix in turn:
if cipher[0] ^ payload[0] == cipher[1] ^ payload[1],
then cipher[0] and cipher[1] were XOR-encrypted with the same key, which identifies the bytes as an IceRat payload and yields the key.
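The following is an added example (not code from the original article or from the IceRat/Behinder project) that implements the known-plaintext check above in Python. It follows the page's model cipher[i] = payload[i] ^ key (a single key byte), and as an assumed generalization also accepts a repeating key of `key_len` bytes (key[i % key_len]). The sample traffic is constructed inline; the prefix list is the one given above with real newline bytes.

```python
# Added example: known-plaintext detection of XOR-encrypted IceRat payloads.
# Model from the article: cipher[i] = payload[i] ^ key. A key longer than one
# byte (repeating) is an assumption added here, not something the article states.

# The fixed 32-byte payload prefixes listed in the article.
PAYLOAD_PREFIXES = [
    b'<?\n@error_reporting(0);\n\nfunctio',
    b'<?\nfunction main($action, $remot',
    b'<?\n@error_reporting(0);\nset_time',
    b'\nerror_reporting(0);\n\nfunction m',
    b'<?\n@error_reporting(0);\n\n\nfuncti',
    b'<?\nerror_reporting(0);\nfunction ',
    b'@error_reporting(0);\nfunction ma',
    b'<?php\n\n$taskResult = array();\n$p',
    b"<?\nerror_reporting(0);\nheader('C",
    b'@error_reporting(0);\n\nfunction g',
    b'<?\n@error_reporting(0);\n@set_tim',
]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. A 1-byte key is the article's model; longer keys are
    the assumed generalization key[i % len(key)]. Encrypts and decrypts alike."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(cipher: bytes, known_plaintext: bytes) -> bytes:
    """XOR is self-inverse, so cipher[i] ^ payload[i] is the key byte used at i."""
    return bytes(c ^ p for c, p in zip(cipher, known_plaintext))


def quick_check(cipher: bytes, prefix: bytes) -> bool:
    """The article's two-byte test: cipher[0]^payload[0] == cipher[1]^payload[1]."""
    if len(cipher) < 2:
        return False
    return (cipher[0] ^ prefix[0]) == (cipher[1] ^ prefix[1])


def full_check(cipher: bytes, prefix: bytes, key_len: int = 1):
    """Stronger test over the whole 32-byte prefix: the recovered keystream must
    repeat with period key_len. Returns the recovered key, or None on mismatch."""
    if len(cipher) < len(prefix):
        return None
    ks = recover_keystream(cipher, prefix)
    if all(ks[i] == ks[i % key_len] for i in range(len(ks))):
        return ks[:key_len]
    return None


def detect(cipher: bytes, key_len: int = 1):
    """Try every known prefix against an unknown blob of bytes.
    Returns (matched_prefix, key) on a hit, or None if no template fits."""
    for prefix in PAYLOAD_PREFIXES:
        key = full_check(cipher, prefix, key_len)
        if key is not None:
            return prefix, key
    return None


if __name__ == "__main__":
    # Constructed sample request body: template #6 plus some filler, key byte 0x5a.
    payload = PAYLOAD_PREFIXES[5] + b"main() { return 1; }\n"
    cipher = xor_with_key(payload, b"\x5a")
    hit = detect(cipher)
    print("template:", hit[0], "key:", hit[1].hex())
    print("decrypted:", xor_with_key(cipher, hit[1]))
    # The two-byte test alone also fires for other templates that start with "<?".
    print("quick_check on template #1:", quick_check(cipher, PAYLOAD_PREFIXES[0]))
```

Two practical notes on the design. First, the two-byte test alone has a false-positive rate of about 1/256 per prefix on random data, and it cannot tell apart templates that share the same opening bytes (most start with `<?`); `full_check` compares the whole 32-byte prefix, which makes an accidental match negligible and pins down the template. Second, a successful match hands you the key, so the same function can decrypt the rest of the request body for inspection, as the article's thesis requires.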