Standard Cryptographic Protocol

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.

ID: T1032
Tactic: Command And Control
Platform: Linux, macOS, Windows
Data Sources: Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring, SSL/TLS inspection
Requires Network: Yes
Version: 1.0

Procedure Examples

Name: Description
3PARA RAT: 3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. [45]
adbupd: adbupd contains a copy of the OpenSSL library to encrypt C2 traffic. [21]
ADVSTORESHELL: A variant of ADVSTORESHELL encrypts some C2 with 3DES and RSA. [24]
APT33: APT33 has used AES for encryption of command and control traffic. [54]
Azorult: Azorult can encrypt C2 traffic using XOR. [41] [42]
BISCUIT: BISCUIT uses SSL for encrypting C2 communications. [43]
Bisonal: Some Bisonal samples encrypt C2 communications with RC4. [28]
BRONZE BUTLER: BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. [7]
CallMe: CallMe uses AES to encrypt C2 traffic. [9]
Carbanak: Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode) and Base64 encoding. [13] [14]
Chaos: Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES. [17]
ChChes: ChChes can encrypt C2 traffic with AES. [36] [37]
CHOPSTICK: CHOPSTICK encrypts C2 communications with RC4 as well as TLS. [11]
Cobalt Group: Cobalt Group has used the Plink utility to create SSH tunnels. [61]
Comnie: Comnie encrypts command and control communications with RC4. [22]
Daserf: Daserf uses RC4 encryption to obfuscate HTTP traffic. [7]
Dipsind: Dipsind encrypts C2 data with AES256 in ECB mode. [21]
Downdelph: Downdelph uses RC4 to encrypt C2 responses. [47]
Dridex: Dridex has encrypted traffic with RSA and RC4. [57]
Duqu: The Duqu command and control protocol's data stream can be encrypted with AES-CBC. [48]
Elise: Elise encrypts exfiltrated data with RC4. [27]
Emotet: Emotet is known to use RSA keys for encrypting C2 traffic. [53]
Empire: Empire can use TLS to encrypt its C2 channel. [5]
Epic: Epic encrypts commands from the C2 server using a hardcoded key. [40]
FakeM: Some variants of FakeM use RC4 to encrypt C2 traffic. [9]
Felismus: Some Felismus samples use AES to encrypt C2 traffic. [32]
FIN6: FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers. [63]
FIN8: FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure. [60]
FlawedAmmyy: FlawedAmmyy has used SEAL encryption during the initial C2 handshake. [55]
gh0st RAT: gh0st RAT uses RC4 and XOR to encrypt C2 traffic. [34]
GreyEnergy: GreyEnergy encrypts communications using AES256 and RSA-2048. [35]
H1N1: H1N1 encrypts C2 traffic using an RC4 key. [6]
Helminth: Helminth encrypts data sent to its C2 server over HTTP with RC4. [31]
Koadic: Koadic can use SSL and TLS for communications. [1]
Lazarus Group: Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. [65]
LightNeuron: LightNeuron uses AES to encrypt C2 traffic. [58]
Machete: Machete has relied on TLS-encrypted FTP to transfer data out of target environments. [67]
MobileOrder: MobileOrder uses AES to encrypt C2 communications. [9]
MoonWind: MoonWind encrypts C2 traffic using RC4 with a static key. [12]
NanoCore: NanoCore uses DES to encrypt the C2 traffic. [33]
NDiskMonitor: NDiskMonitor uses AES to encrypt certain information sent over its C2 channel. [46]
NETEAGLE: NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key "ScoutEagle." [16]
Nidiran: Nidiran uses RC4 to encrypt C2 traffic. [10]
OilRig: OilRig used the Plink utility and other tools to create tunnels to C2 servers. [64]
PoisonIvy: PoisonIvy uses the Camellia cipher to encrypt communications. [20]
POSHSPY: POSHSPY encrypts C2 traffic with AES and RSA. [30]
POWERSTATS: POWERSTATS has encrypted C2 traffic with RSA. [38]
POWERTON: POWERTON has used AES for encrypting C2 traffic. [54]
Prikormka: Prikormka encrypts some C2 traffic with the Blowfish cipher. [39]
Pupy: Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES. [4]
QuasarRAT: QuasarRAT uses AES to encrypt network communication. [2] [3]
RedLeaves: RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear. [29]
Remsec: Remsec's network loader encrypts C2 traffic with RSA and RC6. [23]
RIPTIDE: APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4. [8]
SeaDuke: SeaDuke C2 traffic has been encrypted with RC4 and AES. [18] [19]
ServHelper: ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP. [56]
SNUGRIDE: SNUGRIDE encrypts C2 traffic using AES with a static key. [15]
Stealth Falcon: Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key. [59]
Taidoor: Taidoor uses RC4 to encrypt the message body of HTTP content. [62]
Tropic Trooper: Tropic Trooper uses SSL to connect to C2 servers. [66]
UPPERCUT: Some versions of UPPERCUT have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address. [44]
Volgmer: Some Volgmer variants use SSL to encrypt C2 communications. [25]
XTunnel: XTunnel uses SSL/TLS and RC4 to encrypt traffic. [26] [11]
Zebrocy: Zebrocy uses SSL and AES ECB for encrypting C2 communications. [51] [52]
ZeroT: ZeroT has used RC4 to encrypt C2 traffic. [49] [50]

Mitigations

Mitigation: Description
Network Intrusion Prevention: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
SSL/TLS Inspection: SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.

Detection

SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels. [68] SSL/TLS inspection does come with certain risks that should be considered before implementing it, to avoid potential security issues such as incomplete certificate validation. [69]

If malware uses encryption with symmetric keys, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures. [70]
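The following is an added illustration of that detection approach, not code from the ATT&CK page or from any of the cited reports: a defender-side decoder that tries static RC4 keys recovered from samples against a captured HTTP body and reports which key exposes a known plaintext signature. The RC4 routine is the textbook algorithm; the two candidate keys are the RedLeaves keys listed above; the beacon layout, the HOSTNAME= marker and the captured body are constructed for this example.

```python
"""Defender-side decoder: try RC4 keys recovered from samples against a captured C2 body."""
from typing import Dict, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Static keys recovered by reverse engineering: the two RedLeaves keys named on this page.
RECOVERED_KEYS: Dict[str, bytes] = {
    "RedLeaves (key 88888888)": b"88888888",
    "RedLeaves (key babybear)": b"babybear",
}

# Assumed plaintext marker. The real beacon layout is not on the page; this is a
# constructed signature standing in for whatever the analyst extracted from the sample.
SIGNATURE_PREFIX = b"HOSTNAME="


def identify_family(captured_body: bytes) -> Optional[str]:
    """Return the label of the key whose RC4 decryption exposes the known signature, else None."""
    for label, key in RECOVERED_KEYS.items():
        if rc4(key, captured_body).startswith(SIGNATURE_PREFIX):
            return label
    return None


# Constructed sample: a fake beacon encrypted with one of the recovered keys, as it
# would appear in the HTTP body of a captured session.
SAMPLE_BEACON = b"HOSTNAME=WKSTN-42;USER=jdoe;CMD=idle"
CAPTURED_BODY = rc4(b"babybear", SAMPLE_BEACON)

if __name__ == "__main__":
    match = identify_family(CAPTURED_BODY)
    print("matched:", match)
    print("decoded:", rc4(RECOVERED_KEYS[match], CAPTURED_BODY) if match else b"no key matched")
```

In practice the same loop runs over each extracted HTTP body from the packet capture, and a match turns a recovered key into a network signature without needing SSL/TLS inspection.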

In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [71]

References

  1. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  2. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  3. Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  4. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  5. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  6. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  7. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  8. Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  9. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  10. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  11. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  12. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  13. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  14. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  15. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  16. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  17. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  18. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  19. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  20. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
  21. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  22. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  23. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  24. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  25. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  26. Belcher, P. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
  27. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  28. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  29. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  30. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  31. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  32. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  33. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  34. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  35. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  36. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  37. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  38. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  39. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  40. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  41. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  42. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  43. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  44. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  45. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  46. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  47. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  48. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  49. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  50. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  51. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy? Retrieved February 12, 2019.
  52. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  53. Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019.
  54. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  55. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  56. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  57. Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.
  58. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  59. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  60. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  61. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  62. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  63. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  64. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  65. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  66. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  67. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  68. Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.
  69. Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.
  70. Fidelis Cybersecurity. (2015, August 4). Looking at the Sky for a DarkComet. Retrieved April 5, 2016.
  71. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.