I’m a network engineer and I’m not entirely sure what’s going on. The IP addresses would be visible at some point, or it wouldn’t work. I assume they’ve done the simple thing and run a packet capture, but there’s a good chance it’s running through a VPN, so who knows.
I assume the goal is to make it so the C2 server(s) are basically indistinguishable from any other node, perhaps by making much more inter-node traffic than is strictly necessary. Couple this with almost all the participating IP addresses belonging to innocent parties (since it’s malware), and I’m not sure how one would identify the true origin of commands.