Multi-Stage Channels
Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult. Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features. The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.
Procedure Examples

Name | Description
---|---
APT3 | An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.(Citation: FireEye Operation Double Tap)
LunarWeb | LunarWeb can use one C2 URL for first contact and to upload information about the host computer and two additional C2 URLs for getting commands.(Citation: ESET Turla Lunar toolset May 2024)
BLACKCOFFEE | BLACKCOFFEE uses Microsoft's TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims' machines.(Citation: FireEye APT17)
Lazarus Group | Lazarus Group has used multi-stage malware components that inject later stages into separate processes.(Citation: Lazarus APT January 2022)
Valak | Valak can download additional modules and malware capable of using separate C2 channels.(Citation: Unit 42 Valak July 2020)
Bazar | The Bazar loader is used to download and execute the Bazar backdoor.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)
Snip3 | Snip3 can download and execute additional payloads and modules over separate communication channels.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)
Latrodectus | Latrodectus has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier two nodes connecting to backend infrastructure.(Citation: Latrodectus APR 2024)
Uroburos | Individual Uroburos implants can use multiple communication channels based on one of four available modes of operation.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
MuddyWater | MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.(Citation: Talos MuddyWater May 2019)
BACKSPACE | BACKSPACE attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs "louder" interactions with the malware.(Citation: FireEye APT30)
Chaos | After initial compromise, Chaos will download a second stage to establish a more permanent presence on the affected system.(Citation: Chaos Stolen Backdoor)
APT41 | APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.(Citation: FireEye APT41 March 2020)
Mitigations

Mitigation | Description
---|---
Multi-Stage Channels Mitigation | Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel.(Citation: University of Birmingham C2)
Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries.
Detection
Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.
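As an added example (not part of the original page or any ATT&CK content), the correlation this section describes, run over a few constructed Sysmon-like events: a loader's process lineage is followed through its child and flagged when the lineage reaches two unrelated external hosts, the no-overlap pattern described above. The event field names and the sample addresses are assumptions.

```python
"""Correlate process-create and network-connect telemetry (Sysmon-like shape,
EventID 1 / EventID 3, field names assumed) to surface one lineage that
contacts two different external hosts: first stage, then second stage."""
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (TEST-NET addresses, not real indicators): loader
# pid 4242 calls host A, spawns a second RAT (pid 5150) that calls host B; a
# browser (pid 7000) talks to one external host and an internal file server.
EVENTS = [
    {"EventID": 1, "ProcessId": 4242, "ParentProcessId": 1000, "Image": "loader.exe"},
    {"EventID": 3, "ProcessId": 4242, "DestinationIp": "203.0.113.10", "DestinationPort": 1913},
    {"EventID": 1, "ProcessId": 5150, "ParentProcessId": 4242, "Image": "svc.exe"},
    {"EventID": 3, "ProcessId": 5150, "DestinationIp": "198.51.100.7", "DestinationPort": 81},
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 1000, "Image": "browser.exe"},
    {"EventID": 3, "ProcessId": 7000, "DestinationIp": "192.0.2.55", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 7000, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]

# Only RFC 1918 and loopback count as internal here, so the TEST-NET samples
# read as external (ipaddress's is_global would reject documentation ranges).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def build_lineages(events):
    """{root_pid: set(pids)}; a root's parent has no EventID 1 record in the window."""
    parent = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    def root_of(pid):
        while parent.get(pid) in parent:  # climb while the parent was itself observed
            pid = parent[pid]
        return pid
    lineages = defaultdict(set)
    for pid in {e["ProcessId"] for e in events}:
        lineages[root_of(pid)].add(pid)
    return lineages

def find_multi_stage(events):
    """Lineages whose members reached two or more distinct external hosts."""
    dests = defaultdict(set)
    for e in events:
        if e["EventID"] == 3 and is_external(e["DestinationIp"]):
            dests[e["ProcessId"]].add(e["DestinationIp"])
    hits = {}
    for root, members in build_lineages(events).items():
        seen = set().union(*(dests[p] for p in members))
        if len(seen) >= 2:  # separate, non-overlapping stage infrastructure
            hits[root] = sorted(seen)
    return hits
```

On the sample data only the loader lineage (root pid 4242) is flagged; the browser, which reaches one external host plus an internal share, is not.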
References
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
- FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
- Saini, A. and Hossein, J. (2022, January 27). North Korea's Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9'S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
- Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
- Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
- FBI et al. (2023, May 9). Hunting Russian Intelligence "Snake" Malware. Retrieved June 8, 2023.
- Adamitis, D., et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- Feldmann, S. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
- Glyer, C., et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.