Encrypted Channel

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.

ID: T1521
Sub-techniques:  T1521.001, T1521.002, T1521.003
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 2.0
Created: 01 October 2019
Last Modified: 05 April 2022

Procedure Examples

ID Name Description
S1095 AhRat

AhRat can communicate with the C2 using HTTPS requests.[1]

S0302 Twitoor

Twitoor encrypts its C2 communication.[2]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.

References