Зашифрованный канал
Sub-techniques (2)
Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Примеры процедур |
|
Название | Описание |
---|---|
RCSession |
RCSession can use an encrypted beacon to check in with C2.(Citation: Secureworks BRONZE PRESIDENT December 2019) |
Cryptoistic |
Cryptoistic can engage in encrypted communications with C2.(Citation: SentinelOne Lazarus macOS July 2020) |
Chaes |
Chaes has used encryption for its C2 channel.(Citation: Cybereason Chaes Nov 2020) |
Tropic Trooper |
Tropic Trooper has encrypted traffic with the C2 to prevent network detection.(Citation: TrendMicro Tropic Trooper May 2020) |
PowGoop |
PowGoop can receive encrypted commands from C2.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
Magic Hound |
Magic Hound has used an encrypted http proxy in C2 communications.(Citation: DFIR Phosphorus November 2021) |
PowerLess |
PowerLess can use an encrypted channel for C2 communications.(Citation: Cybereason PowerLess February 2022) |
BITTER |
BITTER has encrypted their C2 communications.(Citation: Forcepoint BITTER Pakistan Oct 2016) |
KV Botnet Activity command and control activity includes transmission of an RSA public key in communication from the server, but this is followed by subsequent negotiation stages that represent a form of handshake similar to TLS negotiation.(Citation: Lumen KVBotnet 2023) |
|
APT29 |
APT29 has used multiple layers of encryption within malware to protect C2 communication.(Citation: Secureworks IRON HEMLOCK Profile) |
Lizar |
Lizar can support encrypted communications between the client and server.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021) |
gh0st RAT |
gh0st RAT has encrypted TCP communications to evade detection.(Citation: Gh0stRAT ATT March 2019) |
In the Triton Safety Instrumented System Attack, TEMP.Veles used cryptcat binaries to encrypt their traffic.(Citation: FireEye TEMP.Veles 2018) |
|
NETWIRE |
NETWIRE can encrypt C2 communications.(Citation: Red Canary NETWIRE January 2020) |
MacMa |
MacMa has used TLS encryption to initialize a custom protocol for C2 communications.(Citation: ESET DazzleSpy Jan 2022) |
Emotet |
Emotet has encrypted data before sending to the C2 server.(Citation: Fortinet Emotet May 2017) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Network Intrusion Prevention |
Use intrusion detection signatures to block traffic at network boundaries. |
SSL/TLS Inspection |
Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity. |
Обнаружение
SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks) In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
Ссылки
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.
- Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.
- Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
- Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
- Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
- Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
- Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
- BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
- Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Xiaopeng Zhang. (2017, May 3). Deep Analysis of New Emotet Variant – Part 1. Retrieved April 1, 2019.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.