Data Obfuscation: Protocol Impersonation

ID Name
T1001.001 Junk Data
T1001.002 Steganography
T1001.003 Protocol Impersonation

Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.

Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity.

ID: T1001.003
Sub-technique of:  T1001
Platforms: Linux, Windows, macOS
Data Sources: Network Traffic: Network Traffic Content
Version: 1.0
Created: 15 March 2020
Last Modified: 15 March 2020

Procedure Examples

ID Name Description
S0245 BADCALL

BADCALL uses a FakeTLS method during C2.[1]

S0239 Bankshot

Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.[2]

S0076 FakeM

FakeM C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers. Additionally, some variants of FakeM use modified SSL code for communications back to C2 servers, making SSL decryption ineffective.[3]

S0181 FALLCHILL

FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.[4]

S0246 HARDRAIN

HARDRAIN uses FakeTLS to communicate with its C2 server.[5]

G0126 Higaisa

Higaisa used a FakeTLS session for C2 communications.[6]

S0260 InvisiMole

InvisiMole can mimic HTTP protocol with custom HTTP "verbs" HIDE, ZVVP, and NOP.[7][8]

S0387 KeyBoy

KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic.[9]

G0032 Lazarus Group

Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks.[10][11][12][13]

S0439 Okrum

Okrum mimics HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.[14]

S0559 SUNBURST

SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.[15]

S0586 TAINTEDSCRIBE

TAINTEDSCRIBE has used FakeTLS for session authentication.[16]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[17]

References