Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

ID: T1102
Sub-techniques:  .001 .002 .003
Tactic(s): Command and Control
Platforms: Linux, macOS, Windows
Data Sources: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Version: 1.2
Created: 31 May 2017
Last Modified: 07 Oct 2024

Procedure Examples

Name Description

APT41 DUST used compromised Google Workspace accounts for command and control.(Citation: Google Cloud APT41 2024)

Nightdoor

Nightdoor can utilize Microsoft OneDrive or Google Drive for command and control purposes.(Citation: ESET EvasivePanda 2024)(Citation: Symantec Daggerfly 2024)

Latrodectus

Latrodectus has used Google Firebase to download malicious installation scripts.(Citation: Palo Alto Latrodectus Activity June 2024)

During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.(Citation: Crowdstrike TELCO BPO Campaign December 2022)

RedCurl

RedCurl has used web services to download malicious files.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)

Inception

Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)

Snip3

Snip3 can download additional payloads from web services including Pastebin and top4top.(Citation: Morphisec Snip3 May 2021)

Raspberry Robin

Raspberry Robin second stage payloads can be hosted as RAR files, containing a malicious EXE and DLL, on Discord servers.(Citation: HP RaspberryRobin 2024)

Carbon

Carbon can use Pastebin to receive C2 commands.(Citation: Accenture HyperStack October 2020)

Rocke

Rocke has used Pastebin, Gitee, and GitLab for Command and Control.(Citation: Anomali Rocke March 2019)(Citation: Talos Rocke August 2018)

Chimera

Chimera has used Google Cloud's appspot service to host C2 servers.(Citation: Cycraft Chimera April 2020)

BoomBox

BoomBox can download files from Dropbox using a hardcoded access token.(Citation: MSTIC Nobelium Toolset May 2021)

SharpStage

SharpStage has used a legitimate web service for evading detection.(Citation: Cybereason Molerats Dec 2020)

During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads.(Citation: ESET Operation Spalax Jan 2021)

FIN6

FIN6 has used Pastebin and Google Storage to host content for their operations.(Citation: FireEye FIN6 Apr 2019)

SMOKEDHAM

SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links.(Citation: FireEye Shining A Light on DARKSIDE May 2021)

LazyScripter

LazyScripter has used GitHub to host its payloads to operate spam campaigns.(Citation: MalwareBytes LazyScripter Feb 2021)

DropBook

DropBook can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

Bumblebee

Bumblebee has been downloaded to victim's machines from OneDrive.(Citation: Proofpoint Bumblebee April 2022)

FIN8

FIN8 has used sslip.io, a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.(Citation: Bitdefender FIN8 July 2021)

Hildegard

Hildegard has downloaded scripts from GitHub.(Citation: Unit 42 Hildegard Malware)

EXOTIC LILY

EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.(Citation: Google EXOTIC LILY March 2022)

BADHATCH

BADHATCH can be utilized to abuse `sslip.io`, a free IP to domain mapping service, as part of actor-controlled C2 channels.(Citation: BitDefender BADHATCH Mar 2021)

Sibot

Sibot has used a legitimate compromised website to download DLLs to the victim's machine.(Citation: MSTIC NOBELIUM Mar 2021)

Ember Bear

Ember Bear has used Discord's content delivery network (CDN) to deliver malware and malicious scripts to a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

NETWIRE

NETWIRE has used web services including Paste.ee to host payloads.(Citation: FireEye NETWIRE March 2019)

CharmPower

CharmPower can download additional modules from actor-controlled Amazon S3 buckets.(Citation: Check Point APT35 CharmPower January 2022)

WhisperGate

WhisperGate can download additional payloads hosted on a Discord channel.(Citation: Crowdstrike WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)

ngrok

ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.(Citation: Zdnet Ngrok September 2018)

DarkTortilla

DarkTortilla can retrieve its primary payload from public sites such as Pastebin and Textbin.(Citation: Secureworks DarkTortilla Aug 2022)

Doki

Doki has used the dogechain.info API to generate a C2 address.(Citation: Intezer Doki July 20)

Brute Ratel C4

Brute Ratel C4 can use legitimate websites for external C2 channels including Slack, Discord, and MS Teams.(Citation: Palo Alto Brute Ratel July 2022)

CHIMNEYSWEEP

CHIMNEYSWEEP has the ability to use use Telegram channels to return a list of commands to be executed, to download additional payloads, or to create a reverse shell.(Citation: Mandiant ROADSWEEP August 2022)

GuLoader

GuLoader has the ability to download malware from Google Drive.(Citation: Medium Eli Salem GuLoader April 2021)

Fox Kitten

Fox Kitten has used Amazon Web Services to host C2.(Citation: ClearSky Pay2Kitten December 2020)

Bazar

Bazar downloads have been hosted on Google Docs.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)

Turla

Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.(Citation: Accenture HyperStack October 2020)(Citation: ESET Crutch December 2020)

Mustang Panda

Mustang Panda has used DropBox URLs to deliver variants of PlugX.(Citation: Proofpoint TA416 Europe March 2022)

SocGholish

SocGholish has used Amazon Web Services to host second-stage servers.(Citation: SentinelOne SocGholish Infrastructure November 2022)

Gamaredon Group

Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.(Citation: ESET Gamaredon June 2020)

Ngrok

Ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.(Citation: Zdnet Ngrok September 2018)

APT32

APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.(Citation: Volexity Ocean Lotus November 2020)

During C0017, APT41 used the Cloudflare services for C2 communications.(Citation: Mandiant APT41)

TeamTNT

TeamTNT has leveraged iplogger.org to send collected data back to C2.(Citation: Aqua TeamTNT August 2020)(Citation: Cisco Talos Intelligence Group)

Mitigations

Mitigation Description
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Web Service Mitigation

Firewalls and Web proxies can be used to enforce external network communication policy. It may be difficult for an organization to block particular services because so many of them are commonly used during the course of business. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol or encoded commands used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Detection

Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)

References

  1. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  2. Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.
  3. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  4. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  5. Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft Graph API for C&C communication. Retrieved July 1, 2024.
  6. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  7. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  8. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
  9. Unit 42. (2024, June 25). 2024-06-25-IOCs-from-Latrodectus-activity. Retrieved September 13, 2024.
  10. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  11. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  12. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  13. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  14. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  15. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  16. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  17. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  18. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  19. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  20. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  21. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  22. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  23. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  24. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
  25. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  26. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  27. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  28. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  29. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  30. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  31. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  32. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  33. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  34. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  35. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  36. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
  37. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  38. Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022.
  39. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  40. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  41. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  42. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  43. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  44. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
  45. ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
  46. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  47. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  48. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  49. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  50. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
  51. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  52. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  53. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  54. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
  55. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.