Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Web Service:  Dead Drop Resolver

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

ID: T1102.001
Sub-technique of:  T1102
Tactic(s): Command and Control
Platforms: Linux, macOS, Windows
Permissions Required: User
Data Sources: Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Version: 1.0
Created: 14 Mar 2020
Last Modified: 26 Mar 2020

Procedure Examples

Name Description
Astaroth

Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.(Citation: Securelist Brazilian Banking Malware July 2020)

BADNEWS

BADNEWS collects C2 information via a dead drop resolver.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)

MiniDuke

Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.(Citation: F-Secure The Dukes)(Citation: Securelist MiniDuke Feb 2013)(Citation: ESET Dukes October 2019)

Grandoreiro

Grandoreiro can obtain C2 information from Google Docs.(Citation: Securelist Brazilian Banking Malware July 2020)

Metamorfo

Metamorfo has used YouTube to store and hide C&C server domains.(Citation: ESET Casbaneiro Oct 2019)

PlugX

PlugX uses Pastebin to store C2 addresses.(Citation: Palo Alto PlugX June 2017)

CharmPower

CharmPower can retrieve C2 domain information from actor-controlled S3 buckets.(Citation: Check Point APT35 CharmPower January 2022)

Rocke

Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.(Citation: Anomali Rocke March 2019)

BLACKCOFFEE

BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server.(Citation: FireEye APT17)(Citation: FireEye Periscope March 2018)

RTM

RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain.(Citation: ESET RTM Feb 2017)(Citation: CheckPoint Redaman October 2019)(Citation: Unit42 Redaman January 2019)

APT41

APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.(Citation: FireEye APT41 Aug 2019)

PolyglotDuke

PolyglotDuke can use Twitter, Reddit, Imgur and other websites to get a C2 URL.(Citation: ESET Dukes October 2019)

RTM

RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names.(Citation: ESET RTM Feb 2017)

BRONZE BUTLER

BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Patchwork

Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.(Citation: Securelist Dropping Elephant)

Javali

Javali can read C2 information from Google Documents and YouTube.(Citation: Securelist Brazilian Banking Malware July 2020)

Xbash

Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.(Citation: Unit42 Xbash Sept 2018)

Mitigations

Mitigation Description
Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Detection

Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)

References

  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  2. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  3. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  4. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  5. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  6. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  7. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  8. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  9. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  10. Eisenkraft, K., Olshtein, A. (2019, October 17). Pony’s C&C servers hidden inside the Bitcoin blockchain. Retrieved June 15, 2020.
  11. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  12. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  13. Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
  14. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  15. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  16. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  17. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  18. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  19. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  20. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  21. Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.