Proxy: Multi-hop Proxy

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. [1]

In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging Patch System Image, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the Network Boundary Bridging method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.

ID: T1090.003
Sub-technique of:  T1090
Platforms: Linux, Network, Windows, macOS
Version: 2.0
Created: 14 March 2020
Last Modified: 21 October 2020

Procedure Examples

ID Name Description
G0007 APT28

APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.[2]

G0016 APT29

A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network and has also used TOR.[3][4]

S0438 Attor

Attor has used Tor for C2 communication.[5]

C0004 CostaRicto

During CostaRicto, the threat actors used a layer of proxies to manage C2 communications.[6]

S0687 Cyclops Blink

Cyclops Blink has used Tor nodes for C2 traffic.[7]

S0281 Dok

Dok downloads and installs Tor via homebrew.[8]

S0384 Dridex

Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[9]

G0085 FIN4

FIN4 has used Tor to log in to victims' email accounts.[10]

S0342 GreyEnergy

GreyEnergy has used Tor relays for Command and Control servers.[11]

G0100 Inception

Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.[12]

S0604 Industroyer

Industroyer used Tor nodes for C2.[13]

S0276 Keydnap

Keydnap uses a copy of tor2web proxy for HTTPS communications.[14]

S0641 Kobalos

Kobalos can chain together multiple compromised machines as proxies to reach their final targets.[15][16]

G0065 Leviathan

Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.[17]

S0282 MacSpy

MacSpy uses Tor for command and control.[8]

C0014 Operation Wocao

During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes.[18]

S0623 Siloscape

Siloscape uses Tor to communicate with C2.[19]

S0491 StrongPity

StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[20]

S0183 Tor

Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination.[21]

S0022 Uroburos

Uroburos can use implants on multiple compromised machines to proxy communications through its worldwide P2P network.[22]

S0386 Ursnif

Ursnif has used Tor for C2.[23][24]

S0366 WannaCry

WannaCry uses Tor for command and control traffic.[25]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

References

  1. Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.
  2. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  3. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  4. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
  5. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  6. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  7. NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
  8. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  9. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  10. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  11. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  12. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  13. Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  1. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
  2. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
  3. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
  4. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  5. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  6. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  7. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  8. Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.
  9. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  10. NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.
  11. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  12. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.