Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

ID: T1646
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Exfiltration
Platforms: Android, iOS
MTC ID: APP-29
Version: 1.1
Created: 01 April 2022
Last Modified: 14 August 2023

Procedure Examples

ID     Name                   Description
S1061  AbstractEmu            AbstractEmu can send large amounts of device data over its C2 channel, including the device's manufacturer, model, version and serial number, telephone number, and IP address.[1]
S1095  AhRat                  AhRat can exfiltrate collected data, such as audio recordings and files, to the C2.[2]
S1079  BOULDSPY               BOULDSPY has exfiltrated cached data from infected devices.[3]
S1094  BRATA                  BRATA has exfiltrated data to the C2 server using HTTP requests.[4]
C0033  C0033                  During C0033, PROMETHIUM used StrongPity to exfiltrate data to the C2 server using HTTPS.[5][6]
S1083  Chameleon              Chameleon can send stolen data over HTTP.[7]
S1054  Drinik                 Drinik can send stolen data back to the C2 server.[8]
S0507  eSurv                  eSurv has exfiltrated data using HTTP PUT requests.[9]
S1080  Fakecalls              Fakecalls can send exfiltrated data back to the C2 server.[10]
S1067  FluBot                 FluBot can send contact lists to its C2 server.[11]
S1093  FlyTrap                FlyTrap can use HTTP to exfiltrate data to the C2 server.[12]
S0551  GoldenEagle            GoldenEagle has exfiltrated data via both SMTP and HTTP.[13]
S0421  GolfSpy                GolfSpy exfiltrates data using HTTP POST requests.[14]
S1077  Hornbill               Hornbill can exfiltrate data back to the C2 server using HTTP.[15]
C0016  Operation Dust Storm   During Operation Dust Storm, the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.[16]
S0399  Pallas                 Pallas exfiltrates data using HTTP.[17]
S0326  RedDrop                RedDrop uses standard HTTP for exfiltration.[18]
S1055  SharkBot               SharkBot can exfiltrate captured user credentials and event logs back to the C2 server.[19]
S1082  Sunbird                Sunbird can exfiltrate compressed ZIP files containing gathered information to C2 infrastructure.[15]
S0424  Triada                 Triada used HTTP POST requests to exfiltrate data to the command and control server.[20]
S0418  ViceLeaker             ViceLeaker exfiltrates data over HTTP.[21][22]
S0490  XLoader for iOS        XLoader for iOS has exfiltrated data using HTTP requests.[23]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Exfiltration Over C2 Channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References

  1. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
  2. Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.
  3. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
  4. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.
  5. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
  6. Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. Retrieved March 19, 2023.
  7. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  8. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.
  9. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.
  10. Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.
  11. Crista Giering, F. Naves, Andrew Conway, Adam McNeil. (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
  12. A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. Retrieved September 28, 2023.
  13. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  14. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign 'Bouncing Golf' Affects Middle East. Retrieved January 27, 2020.
  15. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
  16. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  17. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  18. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.
  19. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a "new" generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  20. Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.
  21. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
  22. L. Arsene, C. Ochinca. (2018, August 20). Triout - Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020.
  23. Hiroaki, H., Wu, L., Wu, L. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.