Where am I?
SECURITM is an SGRC system that automates the processes of information security teams. SECURITM helps build and manage ISPDn (personal data systems), KII (critical information infrastructure), GIS (state information systems), ISMS, and banking security systems.
SECURITM is also a place for security teams to share experience and working materials.

Encrypted Channel: Symmetric Cryptography

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

ID: T1573.001
Parent technique: T1573
Tactic(s): Command and Control
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Data Sources: Network Traffic: Network Traffic Content
Version: 1.2
Created: 16 Mar 2020
Last Modified: 15 Apr 2025
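The data source listed above is Network Traffic Content, and the usual first-pass check on it is byte entropy: RC4/AES output looks uniformly random, while protocol text does not. The script below is an added example (not code from this page or from any tool or report it cites) that triages message bodies this way, peels off Base64 wrapping first (the page notes Pikabot applied several rounds of it over AES, and Base64 caps apparent entropy at 6 bits per character), and exempts common compressed and image formats that are legitimately high-entropy. The HTTP bodies are constructed, and the "ciphertext" is a SHA-256 chain standing in for real RC4/AES output so the script runs offline and deterministically; the 7.2-bit threshold and 256-byte minimum are tuning assumptions.

```python
"""Byte-entropy triage of Network Traffic Content for symmetric-key C2 encryption.

Added example: not code from this page, and not from any tool or report it cites.
The HTTP bodies are constructed, and the "ciphertext" is a SHA-256 chain standing
in for RC4/AES output so that the script runs offline and deterministically.
"""
import base64
import hashlib
import math
import re
from collections import Counter
from typing import Dict, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0: ciphertext sits near 8, ASCII text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


_B64 = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def unwrap_base64(data: bytes, max_layers: int = 4) -> Tuple[bytes, int]:
    """Peel off up to max_layers of Base64 (Pikabot wrapped AES output in several rounds).

    Base64 caps apparent entropy at 6 bits per character, so measuring the wrapped
    form under-reads; decode first, then measure.  Returns (inner bytes, layers).
    """
    layers = 0
    while layers < max_layers:
        compact = b"".join(data.split())                # tolerate line wrapping
        if len(compact) < 16 or len(compact) % 4 or not _B64.fullmatch(compact):
            break
        try:
            data = base64.b64decode(compact, validate=True)
        except ValueError:                              # binascii.Error is a ValueError
            break
        layers += 1
    return data, layers


# Legitimate high-entropy formats that should not be flagged as encrypted C2.
KNOWN_MAGIC = {
    b"\x1f\x8b": "gzip", b"\x78\x9c": "zlib", b"\x78\xda": "zlib",
    b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf", b"PK\x03\x04": "zip",
}


def assess(body: bytes, min_len: int = 256, threshold: float = 7.2) -> Dict[str, object]:
    """Classify one message body; threshold and min_len are tuning assumptions."""
    inner, layers = unwrap_base64(body)
    h = shannon_entropy(inner)
    fmt = next((name for magic, name in KNOWN_MAGIC.items() if inner.startswith(magic)), None)
    if fmt:
        verdict = "known format (%s): high entropy expected" % fmt
    elif len(inner) < min_len:
        verdict = "too short to judge"
    elif h >= threshold:
        verdict = "likely encrypted or compressed"
    else:
        verdict = "plaintext"
    return {"entropy": round(h, 2), "base64_layers": layers, "verdict": verdict}


# --- constructed samples -------------------------------------------------------
# A plaintext check-in body of the kind an implant sends before encryption (constructed).
PLAINTEXT_BODY = (b"id=7f3a1c&host=WS-0042&user=jsmith&os=Windows+10+Pro+22H2&arch=x64"
                  b"&domain=CORP&ip=10.20.30.41&uptime=86133&av=Defender"
                  b"&procs=explorer.exe%2Coutlook.exe%2Cteams.exe%2Cchrome.exe%2Csvchost.exe%2Cwinlogon.exe"
                  b"&ts=1711111111&ver=2.1.4&build=20240301&lang=en-US&tz=UTC-5&priv=user&flags=0")


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes: a constructed stand-in for RC4/AES output."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


ENCRYPTED_BODY = _pseudo_ciphertext(b"constructed-c2-seed", 1024)
WRAPPED_BODY = base64.b64encode(base64.b64encode(ENCRYPTED_BODY))   # two Base64 layers

if __name__ == "__main__":
    for name, body in [("plaintext", PLAINTEXT_BODY), ("encrypted", ENCRYPTED_BODY),
                       ("double-base64", WRAPPED_BODY)]:
        print(name, assess(body))
```

Entropy alone cannot separate encryption from compression (RotaJakiro in the list below combines AES with ZLIB), and a gzip-encoded HTTP response is expected to read as high-entropy; the magic-byte exemption handles only the headered cases, so in practice the verdict is a triage signal to pair with the transport context (plaintext protocol on a non-standard port, periodic beacon sizes, unknown destination) rather than an alert by itself.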

Procedure Examples

Name    Description
TrickBot

TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.(Citation: Fidelis TrickBot Oct 2016) Newer versions of TrickBot have been known to use `bcrypt` to encrypt and digitally sign responses to their C2 server.(Citation: Bitdefender Trickbot C2 infra Nov 2020)

BLINDINGCAN

BLINDINGCAN has encrypted its C2 traffic with RC4.(Citation: US-CERT BLINDINGCAN Aug 2020)

Ninja

Ninja can XOR and AES encrypt C2 messages.(Citation: Kaspersky ToddyCat June 2022)

Pikabot

Earlier Pikabot variants use a custom encryption procedure leveraging multiple mechanisms including AES with multiple rounds of Base64 encoding for its command and control communication.(Citation: Zscaler Pikabot 2023) Later Pikabot variants eliminate the use of AES and instead use RC4 encryption for transmitted information.(Citation: Elastic Pikabot 2024)

Bumblebee

Bumblebee can encrypt C2 requests and responses with RC4.(Citation: Proofpoint Bumblebee April 2022)

Torisma

Torisma has encrypted its C2 communications using XOR and VEST-32.(Citation: McAfee Lazarus Nov 2020)

Stuxnet

Stuxnet encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

Downdelph

Downdelph uses RC4 to encrypt C2 responses.(Citation: ESET Sednit Part 3)

RotaJakiro

RotaJakiro encrypts C2 communication using a combination of AES, XOR, ROTATE encryption, and ZLIB compression.(Citation: RotaJakiro 2021 netlab360 analysis)

Sardonic

Sardonic has the ability to use an RC4 key to encrypt communications to and from actor-controlled C2 servers.(Citation: Bitdefender Sardonic Aug 2021)

Emissary

The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.(Citation: Lotus Blossom Dec 2015)

KEYMARBLE

KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications.(Citation: US-CERT KEYMARBLE Aug 2018)

Sliver

Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.(Citation: GitHub Sliver Encryption)

TAMECAT

TAMECAT has used AES to encrypt C2 traffic.(Citation: Mandiant APT42-untangling)

RedLeaves

RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.(Citation: PWC Cloud Hopper Technical Annex April 2017)

Felismus

Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.(Citation: Forcepoint Felismus Mar 2017)

xCaon

xCaon has encrypted data sent to the C2 server using a XOR key.(Citation: Checkpoint IndigoZebra July 2021)

PLAINTEE

PLAINTEE encodes C2 beacons using XOR.(Citation: Rancor Unit42 June 2018)

Nebulae

Nebulae can use RC4 and XOR to encrypt C2 communications.(Citation: Bitdefender Naikon April 2021)

Lurid

Lurid performs XOR encryption.(Citation: Villeneuve 2011)

RainyDay

RainyDay can use RC4 to encrypt C2 communications.(Citation: Bitdefender Naikon April 2021)

NETWIRE

NETWIRE can use AES encryption for C2 data transferred.(Citation: Red Canary NETWIRE January 2020)

HyperStack

HyperStack has used RSA encryption for C2 communications.(Citation: Accenture HyperStack October 2020)

HAMMERTOSS

Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command.(Citation: FireEye APT29)

CosmicDuke

CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.(Citation: F-Secure Cosmicd
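Most of the entries above reduce to two primitives, RC4 with a hard-coded key (RedLeaves, BLINDINGCAN, Downdelph, Sardonic, RainyDay) and XOR with a static key (Stuxnet, KEYMARBLE, xCaon, PLAINTEE), and both have the same analyst-facing property: once the key is known, or recoverable from one message of known content, the whole capture decrypts. The script below is an added example, not code from the page or from any of the reports it cites. It uses the RC4 key 88888888 that the page attributes to RedLeaves and follows the single-byte 0xFF and 31-byte static XOR pattern it attributes to Stuxnet; the 31 key bytes, the beacon formats, the fixed check-in string and the "captured" messages are constructed, and `recover_xor_key`, `keystream_reuse`, `build_capture` and `decrypt_capture` are names chosen here. It goes one step past the text by showing the key-recovery side: a fixed-format check-in gives a static XOR key outright, and a reused RC4 keystream lets one known message expose another without the key at all.

```python
"""Decrypting symmetric-key C2 traffic once the static key is known or recoverable.

Added example; not code from the page or from any report it cites. The RC4 key
"88888888" is the one the page attributes to RedLeaves, and the 0xFF single-byte
XOR and 31-byte static XOR key follow the pattern it attributes to Stuxnet; the
31 key bytes, the beacon formats and the "captured" messages are constructed.
"""
import hashlib
from typing import Dict, List


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed in
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; a 1-byte key (0xFF) and a 31-byte key are both this."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """A static XOR key falls out of one message whose first key_len bytes are known:
    key[i] = ct[i] ^ pt[i]. Fixed-format check-in strings make this routine."""
    if min(len(ciphertext), len(known_plaintext)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def keystream_reuse(ct_a: bytes, ct_b: bytes) -> bytes:
    """Two RC4 messages under one static key share a keystream, so ct_a ^ ct_b
    equals pt_a ^ pt_b on the overlap; knowing pt_a then reveals pt_b."""
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))


# Constructed traffic: a fixed check-in the analyst knows from reversing the sample,
# followed by a host report whose content is what we actually want to read.
CHECKIN = b"HELLO|implant=v2.1|proto=1|caps=shell,upload,download|"
HOST_REPORT = b"INFO|host=WS-0042|user=jsmith|os=Windows 10 Pro|domain=CORP|"
RC4_KEY = b"88888888"                                                   # per the RedLeaves entry
STATIC_KEY_31 = hashlib.sha256(b"constructed 31-byte xor key").digest()[:31]  # constructed


def build_capture() -> Dict[str, object]:
    """What the constructed implant would put on the wire under each scheme."""
    return {
        "xor31": [xor_repeating(STATIC_KEY_31, CHECKIN), xor_repeating(STATIC_KEY_31, HOST_REPORT)],
        "xor_ff": xor_repeating(b"\xff", HOST_REPORT),
        "rc4": [rc4(RC4_KEY, CHECKIN), rc4(RC4_KEY, HOST_REPORT)],
    }


def decrypt_capture(capture: Dict[str, object]) -> Dict[str, object]:
    """Analyst side: recover the XOR key from the known check-in, then decrypt everything."""
    xor_msgs: List[bytes] = capture["xor31"]
    rc4_msgs: List[bytes] = capture["rc4"]
    key = recover_xor_key(xor_msgs[0], CHECKIN, 31)
    # Without the RC4 key: (ct_a ^ ct_b) ^ pt_a gives pt_b on the overlapping prefix.
    no_key = bytes(x ^ p for x, p in zip(keystream_reuse(rc4_msgs[0], rc4_msgs[1]), CHECKIN))
    return {
        "recovered_xor_key": key,
        "xor31": [xor_repeating(key, m) for m in xor_msgs],
        "xor_ff": xor_repeating(b"\xff", capture["xor_ff"]),
        "rc4": [rc4(RC4_KEY, m) for m in rc4_msgs],
        "rc4_without_key": no_key,
    }


if __name__ == "__main__":
    for name, value in decrypt_capture(build_capture()).items():
        print(name, value)
```

The RC4 implementation is checked against the standard test vector (key `Key`, plaintext `Plaintext`, ciphertext `bbf316e8d940af0ad3`) so a port of it can be trusted before it is pointed at real captures. The last field of the result is the caveat worth remembering when reading these entries: a static RC4 key is a stream-cipher key reused across every message, so recovered plaintext from any one message (a check-in format, a known command string) decrypts the same positions of every other message on that channel even if the key itself is never extracted from the sample.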