Full Report
We’ve received a number of queries regarding folks unable to get the ASPX version of reDuh to work. In truth, the client had a faulty HTTP implementation, meaning that HTTP requests were malformed. Apache and Tomcat cope admirably with the malformed requests; IIS does not. So, we’ve built a new client version for reDuh which will play nicely with IIS. Apart from the bugfix, the new version also supports SSL. A direct link to the updated client is here. More information regarding reDuh is here.
Analysis Summary
# Tool/Technique: reDuh (ASPX Client Update)
## Overview
reDuh is a SensePost tool used in penetration tests to tunnel TCP connections through a web server: a small server-side page (ASPX, PHP or JSP) is placed on the target, and the reDuh client carries traffic to and from it inside ordinary HTTP requests. This update addresses the ASPX variant, which did not work with Microsoft Internet Information Services (IIS): the client's HTTP implementation produced malformed requests, which Apache and Tomcat tolerated but IIS rejected. Client version 0.3 corrects the request formatting and adds SSL support.
## Technical Details
- Type: Tool (TCP-over-HTTP tunnel with a client and a server-side page)
- Platform: Server side, the ASPX page runs on IIS (the subject of this post); the PHP and JSP variants run under Apache and Tomcat, which tolerated the old client's requests. Client side, the reDuh client is a Java program and runs wherever a JRE is available.
- Capabilities: Carries TCP connections inside HTTP(S) requests to the server-side page; version 0.3 fixes the request formatting so IIS accepts it and adds SSL for the client-to-server leg.
- First Seen: The update was published in February 2009; reDuh itself predates the post.
## MITRE ATT&CK Mapping
reDuh carries arbitrary TCP traffic inside HTTP(S) requests to a server-side page, so the mapping falls under Command and Control:
- **TA0011 - Command and Control**
- **T1071 - Application Layer Protocol**
- T1071.001 - Web Protocols (the client speaks HTTP, and HTTPS from version 0.3)
- **T1572 - Protocol Tunneling** (the HTTP exchange exists only to carry other TCP traffic)
## Functionality
### Core Capabilities
- Establishes a channel between the reDuh client and a server-side page (the ASPX page on IIS in this post; PHP and JSP pages serve the same role on Apache and Tomcat).
- Version 0.3 fixes the client's HTTP implementation so that its requests are well formed and IIS no longer rejects them; the earlier requests were malformed, but Apache and Tomcat tolerated them.
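The post does not say which malformations the old client produced, only that lenient servers accepted them and IIS did not. The following added example (written for this page, not reDuh's or SensePost's code) makes that difference concrete: a strict checker that applies the RFC 7230 rules IIS enforces, a lenient parser that behaves like the forgiving servers, and a constructed request that fails the first but passes the second. The specific defects in the sample (bare LF line endings and a missing Host header) are assumptions chosen for illustration.

```python
"""Strict vs lenient handling of a raw HTTP/1.1 request.

Added example, not reDuh's code. The malformed sample below is constructed;
the post only says the old client's requests were malformed.
"""
import re

# RFC 7230 "tchar": the characters allowed in a header field name.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def strict_check(raw):
    """Return a list of RFC 7230 violations; an empty list means well formed."""
    problems = []
    # Split head from body on the first blank line. Accept bare LF so the
    # inspection can continue, but record it as a violation.
    if b"\r\n\r\n" in raw:
        head, body = raw.split(b"\r\n\r\n", 1)
    elif b"\n\n" in raw:
        head, body = raw.split(b"\n\n", 1)
        problems.append("header block terminated by LF LF instead of CRLF CRLF")
    else:
        return ["no blank line terminating the header block"]
    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare LF used as a line terminator in the header block")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        problems.append("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            problems.append("malformed header line: %r" % line)
            continue
        headers[name.lower()] = value.strip()
    if len(parts) == 3 and parts[2] == b"HTTP/1.1" and b"host" not in headers:
        problems.append("HTTP/1.1 request without a Host header")
    length = headers.get(b"content-length")
    if length is not None and (not length.isdigit() or int(length) != len(body)):
        problems.append("Content-Length %r does not match body of %d bytes" % (length, len(body)))
    return problems


def lenient_parse(raw):
    """Parse the way a forgiving server does: accept bare LF and a missing Host.
    Returns (method, target, headers, body), or None if even that fails."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
        if not sep:
            return None
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep2, value = line.partition(b":")
        if sep2:
            headers[name.strip().lower()] = value.strip()
    return parts[0].decode(), parts[1].decode(), headers, body


def server_accepts(raw, strict):
    """True if a server with the given parsing policy would accept the request."""
    if strict:
        return not strict_check(raw)
    return lenient_parse(raw) is not None


# Constructed samples: the same POST to a hypothetical /reDuh.aspx, once with
# bare LF endings and no Host header, once correctly formed.
MALFORMED = (
    b"POST /reDuh.aspx HTTP/1.1\n"
    b"Content-Type: application/x-www-form-urlencoded\n"
    b"Content-Length: 11\n"
    b"\n"
    b"action=ping"
)
WELL_FORMED = (
    b"POST /reDuh.aspx HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"action=ping"
)

if __name__ == "__main__":
    for label, raw in (("malformed", MALFORMED), ("well formed", WELL_FORMED)):
        print(label, "strict:", server_accepts(raw, True), "lenient:", server_accepts(raw, False))
        for p in strict_check(raw):
            print("   ", p)
```

Running it shows the malformed request accepted by the lenient parser and rejected by the strict one, which is the situation the post describes. The checker is also a handy way to verify a tunnelling client before pointing it at IIS: feed it the exact bytes the client emits and fix anything it lists.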
### Advanced Features
- Version 0.3 adds SSL support, so the client-to-server leg can run over HTTPS.
## Indicators of Compromise
- File Hashes: Not provided in the post.
- File Names: `reDuhClient-0.3.zip` (the updated client archive).
- Registry Keys: Not provided in the post; nothing in it suggests the client touches the registry.
- Network Indicators: Sustained HTTP or (from version 0.3) HTTPS traffic from one client to a single server-side page; with SSL in use, request contents are only visible after TLS termination.
- Behavioral Indicators: Before 0.3, requests that IIS rejected as malformed (http.sys records such rejections in the HTTPERR log rather than the site's W3C log); from 0.3, a steady stream of well-formed requests to one page whose volume and timing do not match ordinary browsing.
## Associated Threat Actors
- None named in the post. reDuh is published by SensePost as a penetration-testing tool; its use by any particular actor is not discussed.
## Detection Methods
- Signature-based detection: Hash or content signatures for the known client archive (`reDuhClient-0.3.zip`); no hashes are given in the post, so they must be taken from the download itself.
- Behavioral detection: Monitor web-server logs for a single client making many requests to one script in quick succession, and for server-side pages that were not deployed by the application owner.
- YARA rules: Not provided in the post.
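A tunnel that rides on HTTP looks, in the server log, like one client returning to one page far more often than a browser would. The following added example (not from the post or from SensePost) applies that behavioural check to IIS W3C extended log lines: it reads the column names from the `#Fields:` directive, groups requests by client address and `.aspx` target, and flags any pair with a high request count and a short mean gap between requests. The log lines are constructed, the path `/uploads/reDuh.aspx`, the `Java/1.6.0_11` User-Agent and the thresholds are assumptions for the sample.

```python
"""Flag clients that poll a single .aspx page in an IIS W3C extended log.

Added example, not from the post or SensePost. Log lines are constructed;
the path, User-Agent and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed IIS 7 log header in W3C extended format.
HEADER = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-02-18 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
"""

# A browsing user hitting the site three times over a few minutes.
NORMAL = [
    "2009-02-18 10:00:00 192.0.2.10 GET /default.aspx - 80 - 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 31",
    "2009-02-18 10:03:30 192.0.2.10 GET /products.aspx id=7 80 - 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 47",
    "2009-02-18 10:07:10 192.0.2.10 GET /default.aspx - 80 - 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 28",
]

# A tunnel client polling one page every second (assumed path and User-Agent).
POLL = [
    "2009-02-18 10:00:%02d 192.0.2.10 POST /uploads/reDuh.aspx - 80 - 198.51.100.7 Java/1.6.0_11 200 0 0 15" % s
    for s in range(1, 13)
]

SAMPLE_LOG = HEADER + "\n".join(NORMAL + POLL) + "\n"


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # IIS encodes spaces inside values as '+', so a mismatch is a damaged line
        yield dict(zip(fields, values))


def find_polling_clients(text, min_requests=10, max_mean_gap=2.0):
    """Return (client_ip, uri, count, mean_gap_seconds) for every client that
    requests one .aspx page at least min_requests times with a mean gap of at
    most max_mean_gap seconds between requests. Thresholds are assumptions."""
    stamps_by_target = defaultdict(list)
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().endswith(".aspx"):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        stamps_by_target[(rec["c-ip"], rec["cs-uri-stem"])].append(ts)

    hits = []
    for (ip, uri), stamps in stamps_by_target.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= max_mean_gap:
            hits.append((ip, uri, len(stamps), mean_gap))
    return hits


if __name__ == "__main__":
    for ip, uri, count, gap in find_polling_clients(SAMPLE_LOG):
        print("%s -> %s: %d requests, mean gap %.1fs" % (ip, uri, count, gap))
```

On the sample this reports only the polling client; the browsing user is far below both thresholds. Tune `min_requests` and `max_mean_gap` against a baseline of the site's real traffic before relying on it, and remember that once the client uses SSL the log still records every request, so this check does not depend on seeing the payload.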
## Mitigation Strategies
- Treat the server-side page as the control point: the tunnel only works once an attacker has placed reDuh's ASPX (or PHP/JSP) page on the server, so restricting and auditing file writes to web roots matters more than HTTP parsing strictness. IIS's strict parsing is what broke the old client, but it is no defence against a correctly written one.
- Limit the connections the web server itself may open, towards the internal network as well as the internet, since a tunnelling page can only reach what the server can.
- Use a Web Application Firewall (WAF) to monitor and block anomalous request patterns to ASPX endpoints.
## Related Tools/Techniques
- The other reDuh server-side pages (PHP under Apache, JSP under Tomcat), which the post notes tolerated the old client's malformed requests.
- Other HTTP-tunnelling tools and web shells that pivot through a compromised web server.