Non-Application Layer Protocol
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
Procedure Examples

Name | Description
---|---
Anchor | Anchor has used ICMP in C2 communications.(Citation: Cyberreason Anchor December 2019)
FakeM | Some variants of FakeM use SSL to communicate with C2 servers.(Citation: Scarlet Mimic Jan 2016)
Aria-body | Aria-body has used TCP in C2 communications.(Citation: CheckPoint Naikon May 2020)
Clambling | Clambling has the ability to use TCP and UDP for communication.(Citation: Trend Micro DRBControl February 2020)
MacMa | MacMa has used a custom JSON-based protocol for its C&C communications.(Citation: ESET DazzleSpy Jan 2022)
WINDSHIELD | WINDSHIELD C2 traffic can communicate via TCP raw sockets.(Citation: FireEye APT32 May 2017)
Gelsemium | Gelsemium has the ability to use TCP and UDP in C2 communications.(Citation: ESET Gelsemium June 2021)
TSCookie | TSCookie can use ICMP to receive information on the destination server.(Citation: JPCert BlackTech Malware September 2019)
PlugX | PlugX can be configured to use raw TCP or UDP for command and control.(Citation: Dell TG-3390)
AuTo Stealer | AuTo Stealer can use TCP to communicate with command and control servers.(Citation: MalwareBytes SideCopy Dec 2021)
RARSTONE | RARSTONE uses SSL to encrypt its communication with its C2 server.(Citation: Aquino RARSTONE)
Drovorub | Drovorub can use TCP to communicate between its agent and client modules.(Citation: NSA/FBI Drovorub August 2020)
InvisiMole | InvisiMole has used TCP to download additional modules.(Citation: ESET InvisiMole June 2020)
Winnti for Linux | Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.(Citation: Chronicle Winnti for Linux May 2019)
Operation Wocao | Operation Wocao has used a custom protocol for command and control.(Citation: FoxIT Wocao December 2019)
Nebulae | Nebulae can use TCP in C2 communications.(Citation: Bitdefender Naikon April 2021)
Metamorfo | Metamorfo has used raw TCP for C2.(Citation: FireEye Metamorfo Apr 2018)
Remsec | Remsec is capable of using ICMP, TCP, and UDP for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)
Winnti for Windows | Winnti for Windows can communicate using custom TCP.(Citation: Novetta Winnti April 2015)
MoonWind | MoonWind completes network communication via raw sockets.(Citation: Palo Alto MoonWind March 2017)
HiddenWasp | HiddenWasp communicates with a simple network protocol over TCP.(Citation: Intezer HiddenWasp Map 2019)
WellMail | WellMail can use TCP for C2 communications.(Citation: CISA WellMail July 2020)
Mythic | Mythic supports WebSocket and TCP-based C2 profiles.(Citation: Mythc Documentation)
Misdat | Misdat network traffic communicates over a raw socket.(Citation: Cylance Dust Storm)
Pay2Key | Pay2Key has sent its public key to the C2 server over TCP.(Citation: Check Point Pay2Key November 2020)
Reaver | Some Reaver variants use raw TCP for C2.(Citation: Palo Alto Reaver Nov 2017)
SombRAT | SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)
PipeMon | The PipeMon communication module can use a custom protocol based on TLS over TCP.(Citation: ESET PipeMon May 2020)
Bandook | Bandook has a command built in to use a raw TCP socket.(Citation: CheckPoint Bandook Nov 2020)
QuasarRAT | QuasarRAT can use TCP for C2 communication.(Citation: CISA AR18-352A Quasar RAT December 2018)
APT29 | APT29 has used TCP for C2 communications.(Citation: FireEye APT29 Nov 2018)
gh0st RAT | gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2.(Citation: Gh0stRAT ATT March 2019)
ShadowPad | ShadowPad has used UDP for C2 communications.(Citation: Kaspersky ShadowPad Aug 2017)
SDBbot | SDBbot has the ability to communicate with C2 with TCP over port 443.(Citation: Proofpoint TA505 October 2019)
PingPull | PingPull variants have the ability to communicate with C2 servers using ICMP or TCP.(Citation: Unit 42 PingPull Jun 2022)
Carbon | Carbon uses TCP and UDP for C2.(Citation: ESET Carbon Mar 2017)
RainyDay | RainyDay can use TCP in C2 communications.(Citation: Bitdefender Naikon April 2021)
NETEAGLE | If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.(Citation: FireEye APT30)
LookBack | LookBack uses a custom binary protocol over sockets for C2 communications.(Citation: Proofpoint LookBack Malware Aug 2019)
Bisonal | Bisonal has used raw sockets for network communication.(Citation: Talos Bisonal Mar 2020)
QakBot | QakBot has the ability to use TCP to send or receive C2 packets.(Citation: Kaspersky QakBot September 2021)
BUBBLEWRAP | BUBBLEWRAP can communicate using SOCKS.(Citation: FireEye admin@338)
Umbreon | Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate.(Citation: Umbreon Trend Micro)
Derusbi | Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.(Citation: Fidelis Turbo)
PLATINUM | PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.(Citation: Microsoft PLATINUM June 2017)
Cobalt Strike | Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)
RCSession | RCSession has the ability to use TCP and UDP in C2 communications.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Operation Wocao | During Operation Wocao, threat actors used a custom protocol for command and control.(Citation: FoxIT Wocao December 2019)
Penquin | The Penquin C2 mechanism is based on TCP and UDP packets.(Citation: Kaspersky Turla Penquin December 2014)(Citation: Leonardo Turla Penquin May 2020)
Mis-Type | Mis-Type network traffic can communicate over a raw socket.(Citation: Cylance Dust Storm)
WarzoneRAT | WarzoneRAT can communicate with its C2 server via TCP over port 5200.(Citation: Check Point Warzone Feb 2020)
Crimson | Crimson uses a custom TCP protocol for C2.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)
FIN6 | FIN6 has used Metasploit Bind and Reverse TCP stagers.(Citation: Trend Micro FIN6 October 2019)
BackdoorDiplomacy | BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.(Citation: ESET BackdoorDiplomacy Jun 2021)
Cryptoistic | Cryptoistic can use TCP in communications with C2.(Citation: SentinelOne Lazarus macOS July 2020)
APT3 | An APT3 downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap)
Regin | The Regin malware platform can use ICMP to communicate between infected computers.(Citation: Kaspersky Regin)
BITTER | BITTER has used TCP for C2 communications.(Citation: Forcepoint BITTER Pakistan Oct 2016)
NETWIRE | NETWIRE can use TCP in C2 communications.(Citation: Red Canary NETWIRE January 2020)(Citation: Unit 42 NETWIRE April 2020)
HAFNIUM | HAFNIUM has used TCP for C2.(Citation: Microsoft HAFNIUM March 2020)
FunnyDream | FunnyDream can communicate with C2 over TCP and UDP.(Citation: Bitdefender FunnyDream Campaign November 2020)
PHOREAL | PHOREAL communicates via ICMP for C2.(Citation: FireEye APT32 May 2017)
SUGARUSH | SUGARUSH has used TCP for C2.(Citation: Mandiant UNC3890 Aug 2022)
Taidoor | Taidoor can use TCP for C2 communications.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)
Mitigations

Mitigation | Description
---|---
Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries.
Filter Network Traffic | Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Standard Non-Application Layer Protocol Mitigation | Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.(Citation: University of Birmingham C2)
Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
Detection
Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks) Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.
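One way to implement the first detection step above for the ICMP case, as an added example that is not code from the ATT&CK page or from any of the cited reports: it parses ICMP echo datagrams and flags payloads that do not match a stock ping fill, exceed a site size norm, or carry high-entropy data. The 64-byte size norm, the 6.0 bits/byte entropy threshold and all sample datagrams are constructed assumptions.

```python
"""Heuristic screen for ICMP echo payloads that do not look like a stock ping.
Added example; thresholds and sample datagrams are constructed, not from any tool."""
import math
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Stock echo payload fills: Windows ping sends 32 bytes of the alphabet;
# Linux/BSD ping sends an 8-byte timestamp followed by 0x10, 0x11, 0x12, ...
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_FILL = bytes(range(0x10, 0x10 + 48))
MAX_BENIGN_PAYLOAD = 64  # assumed site norm (default pings carry 32 or 56 bytes)
HIGH_ENTROPY = 6.0       # bits per byte; encrypted or compressed data sits near 7-8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for an empty payload)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def parse_icmp(datagram: bytes) -> tuple:
    """Split an ICMP datagram into (type, code, id, seq, payload); checksum not verified."""
    if len(datagram) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", datagram[:8])
    return icmp_type, code, ident, seq, datagram[8:]

def is_stock_fill(payload: bytes) -> bool:
    """True when the payload is exactly what a default ping would carry."""
    if payload == WINDOWS_FILL:
        return True
    return len(payload) >= 8 and payload[8:] == LINUX_FILL[: len(payload) - 8]

def echo_findings(datagram: bytes) -> list:
    """Reasons an echo request/reply deserves analyst attention ([] if none)."""
    icmp_type, _code, _ident, _seq, payload = parse_icmp(datagram)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or is_stock_fill(payload):
        return []  # other ICMP types are out of scope; stock fills are benign
    findings = []
    if len(payload) > MAX_BENIGN_PAYLOAD:
        findings.append(f"oversized payload ({len(payload)} bytes)")
    if shannon_entropy(payload) > HIGH_ENTROPY:
        findings.append("high-entropy payload (possible encrypted or encoded data)")
    if not findings:
        findings.append("unrecognized payload fill")
    return findings

def make_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed echo request; the checksum field is left at 0."""
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload

# Constructed sample datagrams: two stock pings and two that warrant a look.
SAMPLES = {
    "windows_ping": make_echo(1, 1, WINDOWS_FILL),
    "linux_ping": make_echo(2, 7, b"\x00" * 8 + LINUX_FILL),
    # 128 distinct byte values stand in for an encrypted chunk (entropy 7.0)
    "opaque_128": make_echo(3, 1, bytes((i * 37 + 11) & 0xFF for i in range(128))),
    "odd_fill": make_echo(4, 1, b"constructed non-ping payload bytes"),
}

def screen(samples: dict) -> dict:
    """Map each sample name to its findings; an empty list means stock ping."""
    return {name: echo_findings(dgram) for name, dgram in samples.items()}
```

In practice the datagrams would come from a packet capture, and the per-host volume and process checks described above would be applied alongside this payload screen.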
References
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
- Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.
- Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.
- Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
- Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
- Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
- Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
- Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
- Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
- Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
- McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
- The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
- CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
- Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
- Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
- Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
- CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
- Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
- Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
- CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
- Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
- Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- Tomonaga, S. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
- M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
- Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
- Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
- Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.
- CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
- Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
- ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
- MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
- Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
- Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
- Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
Related Risks

Risk | Relations
---|---
Data transfer over covert channels due to the ability to disguise malicious traffic as legitimate network traffic | Confidentiality; Information disclosure
Unauthorized control of IT infrastructure due to the ability to disguise malicious traffic as legitimate network traffic | Privilege escalation; Integrity; Unauthorized access
Information leakage due to the ability to disguise malicious traffic as legitimate network traffic | Confidentiality; Information disclosure