Uncommonly Used Port

Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.

ID: T1065
Tactic: Command And Control
Platform: Linux, macOS, Windows
Data Sources: Netflow/Enclave netflow, Process use of network, Process monitoring
Requires Network:  Yes
Version: 1.0

Procedure Examples

Name Description
Agent Tesla Agent Tesla has enabled TCP on port 587 for C2 communications. [5] [6]
APT3 An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81. [34]
APT32 APT32 backdoor can use HTTP over an uncommon TCP port (e.g 14146) which is specified in the backdoor configuration. [38]
APT33 APT33 has used ports 808 and 880 for command and control. [39]
Bankshot Bankshot binds and listens on port 1058. [3]
Cannon Cannon uses port 587 for C2. [20]
CoinTicker CoinTicker establishes outbound connections for command and control on ports 2280 and 1339. [27]
Emotet Emotet has been observed communicating over non standard ports, including 7080 and 50000. [22] [23] [24] [25]
Gorgon Group Gorgon Group has used a variant of ShiftyBug that communicates with its C2 server over port 6666. [15]
GravityRAT GravityRAT uses port 46769 for C2. [4]
Group5 Group5 C2 servers communicated with malware over TCP 8081, 8282, and 8083. [31]
HiddenWasp HiddenWasp uses port 61061 to communicate with the C2 server. [32]
HOPLIGHT HOPLIGHT has used uncommon TCP "high port" to "high port" communication. [26]
InnaputRAT InnaputRAT uses port 52100 and 5876 for C2 communications. [10]
Lazarus Group Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others. [36] [37]
Magic Hound Magic Hound malware has communicated with its C2 server over ports 4443 and 3543. [35]
MobileOrder MobileOrder communicates with its C2 server over TCP port 3728. [2]
NanoCore NanoCore communicates to its C2 over ports 6666 and 4782. [15] [16]
njRAT njRAT has been observed communicating over uncommon TCP ports, including 1177 and 8282. [29] [30] [31]
PoisonIvy PoisonIvy opens a backdoor on TCP ports 6868 and 7777. [8]
POWERSTATS POWERSTATS has used ports 8060 and 8888 for C2. [1]
RedLeaves RedLeaves can use port 995 for C2. [11]
Remsec A Remsec module has a default C2 port of 13000. [7]
Revenge RAT Revenge RAT has communicated over TCP port 3333. [28]
TEMP.Veles TEMP.Veles has used ports 4444, 8531, and 50501 for C2. [40]
TrickBot TrickBot uses ports 447 and 8082 for C2 communications. [17] [18] [19]
TYPEFRAME A TYPEFRAME variant can use port 127 for communications. [9]
Volgmer Some Volgmer variants use port 8088 for C2. [12] [13] [14]
Zebrocy Zebrocy uses port 465 for C2. [21]
ZxShell ZxShell uses ports 1985 and 1986 for communication. [33]

Mitigations

Mitigation Description
Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Network Segmentation Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment.

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [41]

References

  1. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  2. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  3. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  4. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  5. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  6. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  7. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  8. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  9. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  10. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  11. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  12. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  13. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  14. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  15. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  16. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  17. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  18. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  19. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  20. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  21. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  1. Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.
  2. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  3. Brandt, A.. (2019, May 5). Emotet 101, stage 4: command and control. Retrieved April 16, 2019.
  4. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  5. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  6. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  7. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  8. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  9. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  10. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  11. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  12. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  13. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  14. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  15. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  16. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  17. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  18. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  19. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  20. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.