Зашифрованный канал
Sub-techniques (2)
Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Примеры процедур |
|
| Название | Описание |
|---|---|
| RCSession |
RCSession can use an encrypted beacon to check in with C2.(Citation: Secureworks BRONZE PRESIDENT December 2019) |
| Cryptoistic |
Cryptoistic can engage in encrypted communications with C2.(Citation: SentinelOne Lazarus macOS July 2020) |
| Chaes |
Chaes has used encryption for its C2 channel.(Citation: Cybereason Chaes Nov 2020) |
| Tropic Trooper |
Tropic Trooper has encrypted traffic with the C2 to prevent network detection.(Citation: TrendMicro Tropic Trooper May 2020) |
| PowGoop |
PowGoop can receive encrypted commands from C2.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| PowerLess |
PowerLess can use an encrypted channel for C2 communications.(Citation: Cybereason PowerLess February 2022) |
| BITTER |
BITTER has encrypted their C2 communications.(Citation: Forcepoint BITTER Pakistan Oct 2016) |
| APT29 |
APT29 has used multiple layers of encryption within malware to protect C2 communication.(Citation: Secureworks IRON HEMLOCK Profile) |
| Lizar |
Lizar can support encrypted communications between the client and server.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021) |
| gh0st RAT |
gh0st RAT has encrypted TCP communications to evade detection.(Citation: Gh0stRAT ATT March 2019) |
| NETWIRE |
NETWIRE can encrypt C2 communications.(Citation: Red Canary NETWIRE January 2020) |
| MacMa |
MacMa has used TLS encryption to initialize a custom protocol for C2 communications.(Citation: ESET DazzleSpy Jan 2022) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Network Intrusion Prevention |
Use intrusion detection signatures to block traffic at network boundaries. |
| SSL/TLS Inspection |
Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity. |
Обнаружение
SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks) In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
Ссылки
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.
- Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
- Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
- Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
- Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
- BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
- Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.