
Custom Command and Control Protocol

Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing Application Layer Protocol. Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.

ID: T1094
Tactic(s): Command and Control
Platforms: Linux, macOS, Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 20 Mar 2020

Procedure Examples

Mis-Type

Mis-Type network traffic can communicate over a raw socket.(Citation: Cylance Dust Storm)

PLAINTEE

PLAINTEE uses a custom UDP protocol to communicate.(Citation: Rancor Unit42 June 2018)

OilRig

OilRig has used custom DNS Tunneling protocols for C2.(Citation: Unit 42 Playbook Dec 2017)

WINDSHIELD

WINDSHIELD C2 traffic can communicate via TCP raw sockets.(Citation: FireEye APT32 May 2017)

Emotet

Emotet has been observed using an encrypted, modified protobuf-based protocol for command and control messaging.(Citation: Sophos Emotet Apr 2019)(Citation: DanielManea Emotet May 2017)

Misdat

Misdat network traffic communicates over a raw socket.(Citation: Cylance Dust Storm)

PHOREAL

PHOREAL communicates via ICMP for C2.(Citation: FireEye APT32 May 2017)

Ursnif

Ursnif has used a custom packet format over TCP and UDP for a peer-to-peer (P2P) network for C2.(Citation: ProofPoint Ursnif Aug 2016)

MoonWind

MoonWind completes network communication via raw sockets.(Citation: Palo Alto MoonWind March 2017)

Crimson

Crimson uses a custom TCP protocol for C2.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Volgmer

Volgmer uses a custom binary protocol to beacon back to its C2 server. It has also used XOR for encrypting communications.(Citation: US-CERT Volgmer Nov 2017)(Citation: US-CERT Volgmer 2 Nov 2017)

APT37

APT37 credential stealer ZUMKONG emails credentials from the victim using HTTP POST requests.(Citation: FireEye APT37 Feb 2018)

PLATINUM

PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.(Citation: Microsoft PLATINUM June 2017)

RedLeaves

RedLeaves can communicate to its C2 over TCP using a custom binary protocol.(Citation: FireEye APT10 April 2017)

APT32

APT32 uses Cobalt Strike's malleable C2 functionality to blend in with network traffic.(Citation: FireEye APT32 May 2017)(Citation: GitHub Malleable C2)(Citation: Cybereason Cobalt Kitty 2017) The group's backdoor can also exfiltrate data by encoding it in the subdomain field of DNS packets.(Citation: ESET OceanLotus Mar 2019) Additionally, one of the group's macOS backdoors implements a specific format for the C2 packet involving random values.(Citation: ESET OceanLotus macOS April 2019)

Carbanak

Carbanak uses a custom binary protocol for C2 communications.(Citation: FireEye CARBANAK June 2017)

Duqu

Duqu is capable of using its command and control protocol over port 443. However, Duqu is also capable of encapsulating its command protocol over standard application layer protocols. The Duqu command and control protocol implements many of the same features as TCP and is a reliable transport protocol.(Citation: Symantec W32.Duqu)

Chaos

Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.(Citation: Chaos Stolen Backdoor)

Reaver

Some Reaver variants use raw TCP for C2.(Citation: Palo Alto Reaver Nov 2017)

RogueRobin

RogueRobin uses a custom DNS tunneling protocol for C2.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

DDKONG

DDKONG communicates over raw TCP.(Citation: Rancor Unit42 June 2018)

Seasalt

Seasalt uses a custom binary protocol for C2.(Citation: Mandiant APT1 Appendix)

Regin

The Regin malware platform can use ICMP to communicate between infected computers.(Citation: Kaspersky Regin)

Derusbi

Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.(Citation: Fidelis Turbo)

RTM

RTM uses HTTP POST requests with data formatted using a custom protocol.(Citation: ESET RTM Feb 2017)

njRAT

njRAT communicates to the C2 server using a custom protocol over TCP.(Citation: Fidelis njRAT June 2013)

FlawedGrace

FlawedGrace uses a custom binary protocol for its C2 communications.(Citation: Proofpoint TA505 Jan 2019)

Remsec

Remsec is capable of using ICMP, TCP, and UDP for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)

PlugX

PlugX can be configured to use raw TCP or UDP for command and control.(Citation: Dell TG-3390)

InvisiMole

InvisiMole communicates with its C2 servers through a TCP socket.(Citation: ESET InvisiMole June 2018)

Naid

Naid connects to C2 infrastructure and establishes backdoors over a custom communications protocol.(Citation: Symantec Naid June 2012)(Citation: Symantec Naid in the Wild June 2012)

NETEAGLE

If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.(Citation: FireEye APT30)

UBoatRAT

UBoatRAT has used a custom command and control protocol to communicate with C2. The string ‘488’ is placed at the top of the payload, and the entire buffer is encrypted with a static key using a simple XOR cipher.(Citation: PaloAlto UBoatRAT Nov 2017)

TYPEFRAME

A TYPEFRAME variant uses fake TLS to communicate with the C2 server.(Citation: US-CERT TYPEFRAME June 2018)

BISCUIT

BISCUIT communicates to the C2 server using a custom protocol.(Citation: Mandiant APT1 Appendix)

Dipsind

A Dipsind variant uses a C2 mechanism similar to port knocking that allows attackers to connect to a victim without leaving the connection open for more than a few seconds.(Citation: Microsoft PLATINUM April 2016)

Zebrocy

Zebrocy uses raw sockets to communicate with its C2 server.(Citation: Palo Alto Sofacy 06-2018)

Cobalt Strike

Cobalt Strike allows adversaries to modify the way the "beacon" payload communicates. This is called "Malleable C2" in the Cobalt Strike manual and is intended to allow a penetration test team to mimic known APT C2 methods.(Citation: cobaltstrike manual)(Citation: GitHub Malleable C2)

Mitigations

Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.

Custom Command and Control Protocol Mitigation

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Detection

Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.
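As an added example (not part of the original page), the following Python sketch applies the checks in the detection guidance above to flow records: oversized ICMP payloads, TCP/443 traffic that does not start with a TLS ClientHello, upload-heavy flows, and DNS queries with overlong labels. The Flow fields, thresholds and sample records are constructed assumptions, not data from any cited report.

```python
"""Flow-record heuristics for custom C2 protocol detection (constructed example)."""
from dataclasses import dataclass


@dataclass
class Flow:
    name: str             # label for the constructed sample only
    proto: str            # "tcp", "udp" or "icmp"
    dst_port: int         # 0 for ICMP
    bytes_out: int        # client -> server
    bytes_in: int         # server -> client
    first_payload: bytes  # first bytes the client sent
    dns_qname: str = ""   # query name when the flow is DNS


def looks_like_tls_client_hello(b: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), major version 0x03, ClientHello 0x01."""
    return len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[5] == 0x01


def flag_flow(f: Flow, ratio: float = 5.0, icmp_max: int = 64, label_max: int = 40) -> list[str]:
    """Return the reasons a flow deviates from expected behaviour (empty list = clean)."""
    reasons = []
    # 1. ICMP carrying more data than an ordinary echo request would
    if f.proto == "icmp" and f.bytes_out > icmp_max:
        reasons.append("icmp-oversized-payload")
    # 2. Port 443 without a TLS handshake: custom or fake-TLS protocol on the port
    if f.proto == "tcp" and f.dst_port == 443 and not looks_like_tls_client_hello(f.first_payload):
        reasons.append("non-tls-on-443")
    # 3. Client sends far more than it receives: uncommon data flow, possible exfiltration
    if f.bytes_out > ratio * max(f.bytes_in, 1):
        reasons.append("upload-heavy")
    # 4. DNS query with an unusually long label: data encoded in the subdomain field
    if f.dns_qname and max(len(part) for part in f.dns_qname.split(".")) > label_max:
        reasons.append("long-dns-label")
    return reasons


def scan(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each flow name to its list of findings."""
    return {f.name: flag_flow(f) for f in flows}


# Constructed sample flows: one benign TLS session and three suspicious channels.
SAMPLE_FLOWS = [
    Flow("web-tls", "tcp", 443, 1200, 5400, b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0"),
    Flow("fake-443", "tcp", 443, 300, 200, b"\x01\x00\x08\x00\x00\x00"),
    Flow("icmp-channel", "icmp", 0, 1400, 64, b"\x00" * 1400),
    Flow("dns-channel", "udp", 53, 120, 80, b"\x12\x34\x01\x00", "a" * 50 + ".example.net"),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_FLOWS).items():
        print(name, reasons or "clean")
```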

References

  1. Mudge, R. (2014, July 14). Github Malleable-C2-Profiles safebrowsing.profile. Retrieved June 18, 2017.
  2. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  3. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  4. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  5. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  6. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  7. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  8. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  9. Symantec Security Response. (2012, June 18). CVE-2012-1875 Exploited in the Wild - Part 1 (Trojan.Naid). Retrieved February 22, 2018.
  10. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  11. Manea, D. (2019, May 25). Emotet v4 Analysis. Retrieved April 16, 2019.
  12. Brandt, A. (2019, May 5). Emotet 101, stage 4: command and control. Retrieved April 16, 2019.
  13. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  14. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  15. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  16. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  17. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  18. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  19. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  20. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  21. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  22. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  23. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  24. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  25. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  26. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  27. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  28. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  29. Kaplan, D., et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
  30. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  31. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  32. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  33. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  34. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  35. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  36. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  37. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  38. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  39. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  40. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  41. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  42. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  43. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
