Non-Standard Port
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)
Procedure Examples |
|
Name | Description |
---|---|
WIRTE |
WIRTE has used HTTPS over ports 2083 and 2087 for C2.(Citation: Kaspersky WIRTE November 2021) |
Silence |
Silence has used port 444 when sending data about the system from the client to the server.(Citation: Group IB Silence Sept 2018) |
PingPull |
PingPull can use HTTPS over port 8080 for C2.(Citation: Unit 42 PingPull Jun 2022) |
Emotet |
Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.(Citation: Talos Emotet Jan 2019)(Citation: Binary Defense Emotes Wi-Fi Spreader) |
StrongPity |
StrongPity has used HTTPS over port 1402 in C2 communication.(Citation: Bitdefender StrongPity June 2020) |
PoetRAT |
PoetRAT used TLS to encrypt communications over port 143(Citation: Talos PoetRAT April 2020) |
GoldenSpy |
GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.(Citation: Trustwave GoldenSpy June 2020) |
Covenant |
Covenant listeners and controllers can be configured to use non-standard ports.(Citation: Github Covenant) |
SUGARUSH |
SUGARUSH has used port 4585 for a TCP connection to its C2.(Citation: Mandiant UNC3890 Aug 2022) |
Raspberry Robin |
Raspberry Robin will communicate via HTTP over port 8080 for command and control traffic.(Citation: RedCanary RaspberryRobin 2022) |
During Operation Wocao, the threat actors used uncommon high ports for its backdoor C2, including ports 25667 and 47000.(Citation: FoxIT Wocao December 2019) |
|
WellMail |
WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020) |
HOPLIGHT |
HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.(Citation: US-CERT HOPLIGHT Apr 2019) |
ZxShell |
ZxShell can use ports 1985 and 1986 in HTTP/S communication.(Citation: Talos ZxShell Oct 2014) |
Ember Bear |
Ember Bear has used various non-standard ports for C2 communication.(Citation: CISA GRU29155 2024) |
MoonWind |
MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.(Citation: Palo Alto MoonWind March 2017) |
APT32 |
An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration.(Citation: ESET OceanLotus Mar 2019) |
During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.(Citation: Costa AvosLocker May 2022) |
|
HARDRAIN |
HARDRAIN binds and listens on port 443 with a FakeTLS method.(Citation: US-CERT HARDRAIN March 2018) |
Pikabot |
Pikabot uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communication.(Citation: Elastic Pikabot 2024) |
OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2.(Citation: Unit42 OceanLotus 2017) |
Metamorfo |
Metamorfo has communicated with hosts over raw TCP on port 9999.(Citation: FireEye Metamorfo Apr 2018) |
During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.(Citation: FireEye TRITON 2019) |
|
BendyBear |
BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.(Citation: Unit42 BendyBear Feb 2021) |
Sandworm Team |
Sandworm Team has used port 6789 to accept connections on the group's SSH server.(Citation: ESET BlackEnergy Jan 2016) |
TEMP.Veles |
TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.(Citation: FireEye TRITON 2019) |
Lazarus Group |
Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs) |
njRAT |
njRAT has used port 1177 for HTTP C2 communications.(Citation: Trend Micro njRAT 2018) |
FIN7 |
FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.(Citation: FireEye FIN7 Aug 2018) |
Sardonic |
Sardonic has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443.(Citation: Bitdefender Sardonic Aug 2021) |
MacMa |
MacMa has used TCP port 5633 for C2 Communication.(Citation: ESET DazzleSpy Jan 2022) |
Derusbi |
Derusbi has used unencrypted HTTP on port 443 for C2.(Citation: Fidelis Turbo) |
RotaJakiro |
RotaJakiro uses a custom binary protocol over TCP port 443.(Citation: netlab360 rotajakiro vs oceanlotus) |
RTM |
RTM used Port 44443 for its VNC module.(Citation: ESET RTM Feb 2017) |
Magic Hound |
Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021) |
TrickBot |
Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: Trend Micro Totbrick Oct 2016) Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443. (Citation: Bitdefender Trickbot VNC module Whitepaper 2021) |
QuasarRAT |
QuasarRAT can use port 4782 on the compromised host for TCP callbacks.(Citation: CISA AR18-352A Quasar RAT December 2018) |
BADCALL |
BADCALL communicates on ports 443 and 8000 with a FakeTLS method.(Citation: US-CERT BADCALL) |
DarkVishnya |
DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.(Citation: Securelist DarkVishnya Dec 2018) |
TYPEFRAME |
TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.(Citation: US-CERT TYPEFRAME June 2018) |
KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.(Citation: Lumen KVBotnet 2023) |
|
APT-C-36 |
APT-C-36 has used port 4050 for C2 communications.(Citation: QiAnXin APT-C-36 Feb2019) |
GravityRAT |
GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.(Citation: Talos GravityRAT) |
APT33 |
APT33 has used HTTP over TCP ports 808 and 880 for command and control.(Citation: Symantec Elfin Mar 2019) |
Bankshot |
Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.(Citation: US-CERT Bankshot Dec 2017) |
RedLeaves |
RedLeaves can use HTTP over non-standard ports, such as 995, for C2.(Citation: PWC Cloud Hopper Technical Annex April 2017) |
Cyclops Blink |
Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.(Citation: NCSC Cyclops Blink February 2022) |
Rocke |
Rocke's miner connects to a C2 server using port 51640.(Citation: Anomali Rocke March 2019) |
Mitigations |
|
Mitigation | Description |
---|---|
Network Segmentation |
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
Network Intrusion Prevention |
Use intrusion detection signatures to block traffic at network boundaries. |
Detection
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2)
References
- Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
- Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
- The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved September 12, 2024.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
- Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
- Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
- Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
- Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
- Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
- cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
- Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
- Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
- CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
- US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
- Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
- Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
- Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
- Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
- Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
- M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
- Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
- Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
- Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
- CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
- US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
- Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
- US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
- Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
- QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
- Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
- US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.