Proxy: Multi-hop Proxy

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. [1]

In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging Patch System Image, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the Network Boundary Bridging method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.

ID: T1090.003
Sub-technique of:  T1090
Platforms: Linux, Network, Windows, macOS
Data Sources: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Version: 2.0
Created: 14 March 2020
Last Modified: 21 October 2020

Procedure Examples

ID Name Description
G0007 APT28

APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.[2]

G0016 APT29

A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.[3]

S0438 Attor

Attor has used Tor for C2 communication.[4]

S0281 Dok

Dok downloads and installs Tor via homebrew.[5]

G0085 FIN4

FIN4 has used Tor to log in to victims' email accounts.[6]

S0342 GreyEnergy

GreyEnergy has used Tor relays for Command and Control servers.[7]

G0100 Inception

Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.[8]

S0276 Keydnap

Keydnap uses a copy of tor2web proxy for HTTPS communications.[9]

S0282 MacSpy

MacSpy uses Tor for command and control.[5]

G0116 Operation Wocao

Operation Wocao has executed commands through the installed web shell via Tor exit nodes.[10]

S0491 StrongPity

StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[11]

S0183 Tor

Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination.[12]

S0386 Ursnif

Ursnif has used Tor for C2.[13][14]

S0366 WannaCry

WannaCry uses Tor for command and control traffic.[15]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.

Detection

When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.

In context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers. Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted. Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.

References