Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.

These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims reach out to these resolvers, decode the embedded address, and are redirected to the actual C2 server.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
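The dead drop resolver round trip, as an added illustration that is not part of the ATT&CK page or of any sample described in it: the operator encodes a C2 address into a tag and pastes it into an otherwise ordinary public post; the implant later fetches that page, extracts and decodes the tag, and falls back to the next resolver if the first has been cleaned up (the fallback behaviour noted for MiniDuke and CozyCar). The marker strings, the XOR key, the page bodies and the addresses are all constructed for this example.

```python
"""Dead drop resolver round trip: operator-side encoder, implant-side decoder.

Everything here is constructed for illustration; markers, key and addresses
are not taken from any real sample.
"""
import base64
import ipaddress
import re
from typing import List, Optional

# Assumed delimiters and key. Real samples pick their own; the point is that
# the tag looks like harmless noise inside a profile or comment.
START_MARKER = "@MICR0S0FT"
END_MARKER = "C0RP0RATI0N"
XOR_KEY = b"\x5a\xc3"

_TAG_RE = re.compile(
    re.escape(START_MARKER) + r"([A-Za-z0-9+/=]+)" + re.escape(END_MARKER)
)


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used symmetrically for encode and decode."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_ddr(c2: str, key: bytes = XOR_KEY) -> str:
    """Operator side: build the string that gets pasted into a public post."""
    blob = base64.b64encode(_xor(c2.encode("ascii"), key)).decode("ascii")
    return f"{START_MARKER}{blob}{END_MARKER}"


def resolve_ddr(page_text: str, key: bytes = XOR_KEY) -> Optional[str]:
    """Implant side: locate the tag in fetched page text and decode it.

    Returns "host:port" or None when no well-formed tag is present.
    """
    m = _TAG_RE.search(page_text)
    if not m:
        return None
    try:
        raw = _xor(base64.b64decode(m.group(1), validate=True), key).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    host, sep, port = raw.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    # Accept an IPv4 literal or a plausible hostname; reject anything else so a
    # tampered or garbage tag cannot steer the implant somewhere unintended.
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not re.fullmatch(r"[a-z0-9.-]{1,253}", host):
            return None
    return f"{host}:{port}"


def resolve_from_sources(pages: List[str], key: bytes = XOR_KEY) -> Optional[str]:
    """Walk already-fetched resolver pages in order; the first valid tag wins.

    Operators rotate infrastructure by editing the post, and keep several
    resolvers so takedown of one page does not strand the implant.
    """
    for text in pages:
        result = resolve_ddr(text, key)
        if result:
            return result
    return None


# Constructed page bodies (not real posts). The first resolver has been
# cleaned and carries no tag; the second hides a live tag in profile text.
PAGES = [
    "<div class='bio'>Just a profile. Nothing to see here.</div>",
    "<div class='bio'>Loves hiking and cats. "
    + encode_ddr("203.0.113.25:443")
    + " Contact me for photography.</div>",
]

if __name__ == "__main__":
    print(encode_ddr("203.0.113.25:443"))
    print(resolve_from_sources(PAGES))
```

Nothing in the second page body would trip a content filter, and on the wire the implant's fetch is a single TLS request to a popular domain. That is why the Detection section below leans on flow behaviour rather than on payload signatures.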

ID: T1102
Tactic: Command and Control, Defense Evasion
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Requires Network: Yes
Defense Bypassed: Binary Analysis, Log analysis, Firewall
Contributors: Anastasios Pingios
Version: 1.0

Procedure Examples

Name Description
APT12

APT12 has used blogs and WordPress for C2 infrastructure.[40]

APT37

APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.[10][36]

APT41

APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.[41]

BADNEWS

BADNEWS can use multiple C2 channels, including RSS feeds, Github, forums, and blogs. BADNEWS also collects C2 information via a dead drop resolver.[17][18][19]

BLACKCOFFEE

BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server. It has also obfuscated its C2 traffic as normal traffic to sites such as Github.[15][16]

BRONZE BUTLER

BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads.[31]

CALENDAR

The CALENDAR malware communicates through the use of events in Google Calendar.[6][23]

Carbanak

Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.[34]

CloudDuke

One variant of CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data with its operators.[8]

Comnie

Comnie uses blogs and third-party sites (GitHub, Tumblr, and BlogSpot) to avoid DNS-based blocking of its communication with the command and control server.[3]

CozyCar

CozyCar uses Twitter as a backup C2 channel, polling Twitter accounts specified in its configuration file.[5]

DOGCALL

DOGCALL is capable of leveraging cloud storage APIs such as pCloud, Box, Dropbox, and Yandex for C2.[10][13]

Empire

Empire can use Dropbox and GitHub for C2.[1]

FIN6

FIN6 has used Pastebin to host content for the operation.[39]

FIN7

FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[35]

GLOOXMAIL

GLOOXMAIL communicates to servers operated by Google using the Jabber/XMPP protocol.[6][7]

HAMMERTOSS

The "tDiscoverer" variant of HAMMERTOSS establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day.[2]

KARAE

KARAE can use public cloud-based storage providers for command and control.[10]

Kazuar

Kazuar has used compromised WordPress blogs as C2 servers.[4]

Leviathan

Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.[16]

LOWBALL

LOWBALL uses the Dropbox cloud storage service for command and control.[14]

Magic Hound

Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[37]

MiniDuke

Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.[8][9]

OnionDuke

OnionDuke uses Twitter as a backup C2 method. It also has a module designed to post messages to the Russian VKontakte social media site.[8]

Orz

Orz has used Technet and Pastebin web pages for command and control.[25]

Patchwork

Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.[38]

PlugX

PlugX uses Pastebin to store C2 addresses.[24]

POORAIM

POORAIM has used AOL Instant Messenger for C2.[10]

PowerStallion

PowerStallion uses Microsoft OneDrive as a C2 server via a network drive mapped with net use.[29]

Revenge RAT

Revenge RAT used blogspot.com as its primary command and control server during a campaign.[28]

RogueRobin

RogueRobin has used Google Drive as a Command and Control channel.[27]

ROKRAT

ROKRAT leverages legitimate social networking sites and cloud platforms (Twitter, Yandex, and Mediafire) for command and control communications.[11][12]

RTM

RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names.[30]

SLOWDRIFT

SLOWDRIFT uses cloud based services for C2.[10]

Turla

A Turla JavaScript backdoor has used Google Apps Script as its C2 server.[32][33]

Twitoor

Twitoor uses Twitter for command and control.[20]

UBoatRAT

UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.[21]

Xbash

Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.[26]

yty

yty communicates to the C2 server by retrieving a Google Doc.[22]

Mitigations

Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Restrict Web-Based Content

Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

Detection

Host data that can tie unknown or suspicious process activity to a network connection is important as a supplement to existing indicators of compromise based on malware command and control signatures and infrastructure, or on the presence of strong encryption. Packet capture analysis requires SSL/TLS inspection if the data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port being used. [42]
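Two of the flow-level heuristics above, worked through as an added example that is not part of the ATT&CK page: an upload-heavy session to a web service (a client pushing far more bytes than it receives, which is what exfiltration through Dropbox or OneDrive looks like) and a regularly timed poll of a service (the kind of scheduled check-in HAMMERTOSS makes against Twitter). The flow records are constructed for this example, and the thresholds are assumptions to be tuned against a real baseline.

```python
"""Flow-level heuristics for web-service C2: upload-heavy sessions and beaconing.

The flow records below are constructed for illustration, not captured data.
Each record is (timestamp, source host, destination name, bytes out, bytes in),
the shape of a summarised NetFlow or proxy export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int, int]

FLOWS: List[Flow] = [
    # ws-042 polls twitter.com roughly once an hour with small requests.
    ("2019-10-01T08:00:00", "ws-042", "twitter.com", 900, 4_000),
    ("2019-10-01T09:00:00", "ws-042", "twitter.com", 900, 4_000),
    ("2019-10-01T09:59:58", "ws-042", "twitter.com", 900, 4_000),
    ("2019-10-01T11:00:03", "ws-042", "twitter.com", 900, 4_000),
    ("2019-10-01T12:00:04", "ws-042", "twitter.com", 900, 4_000),
    ("2019-10-01T13:00:01", "ws-042", "twitter.com", 900, 4_000),
    ("2019-10-01T14:00:03", "ws-042", "twitter.com", 900, 4_000),
    ("2019-10-01T15:00:03", "ws-042", "twitter.com", 900, 4_000),
    # ws-042 also browses google.com at irregular, human-looking intervals.
    ("2019-10-01T08:10:00", "ws-042", "www.google.com", 1_500, 60_000),
    ("2019-10-01T08:12:00", "ws-042", "www.google.com", 1_500, 60_000),
    ("2019-10-01T08:42:00", "ws-042", "www.google.com", 1_500, 60_000),
    ("2019-10-01T08:42:45", "ws-042", "www.google.com", 1_500, 60_000),
    ("2019-10-01T10:22:45", "ws-042", "www.google.com", 1_500, 60_000),
    ("2019-10-01T10:27:45", "ws-042", "www.google.com", 1_500, 60_000),
    # ws-117 pushes ~5.8 MB to Dropbox and pulls a normal download from GitHub.
    ("2019-10-01T10:15:20", "ws-117", "api.dropboxapi.com", 4_200, 9_800),
    ("2019-10-01T10:15:41", "ws-117", "api.dropboxapi.com", 5_800_000, 12_000),
    ("2019-10-01T11:30:00", "ws-117", "github.com", 20_000, 500_000),
]


def upload_heavy(flows: List[Flow], ratio: float = 10.0, min_out: int = 1_000_000):
    """Flag (host, destination) pairs whose total bytes out dwarf bytes in.

    Thresholds are assumptions: at least `min_out` bytes sent and at least
    `ratio` times more sent than received. Aggregating per pair keeps a
    chunked upload from hiding below a per-flow threshold.
    """
    totals: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for _ts, src, dst, out_b, in_b in flows:
        totals[(src, dst)][0] += out_b
        totals[(src, dst)][1] += in_b
    hits = []
    for (src, dst), (out_b, in_b) in sorted(totals.items()):
        if out_b >= min_out and out_b >= ratio * max(in_b, 1):
            hits.append((src, dst, out_b, in_b))
    return hits


def beaconing(flows: List[Flow], min_events: int = 6, max_cv: float = 0.1):
    """Flag (host, destination) pairs contacted on a suspiciously regular clock.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between successive flows; human browsing is bursty and scores
    high, a scheduled check-in scores close to zero. `min_events` and
    `max_cv` are assumed starting points, not calibrated values.
    """
    times: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst, _out_b, _in_b in flows:
        times[(src, dst)].append(datetime.fromisoformat(ts))
    hits = []
    for (src, dst), stamps in sorted(times.items()):
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in upload_heavy(FLOWS):
        print("upload-heavy:", hit)
    for hit in beaconing(FLOWS):
        print("beaconing:", hit)
```

Both checks work on metadata alone, so they survive TLS without inspection; what they cannot do is tell a legitimate backup client from an implant, which is why the hits are a triage queue to be joined against the host-side process data the paragraph above calls for, not an alert on their own.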

References

  1. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  2. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  3. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  4. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  5. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  6. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  7. CyberESI. (2011). TROJAN.GTALK. Retrieved June 29, 2015.
  8. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  9. Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
  10. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  11. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  12. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  13. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  14. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  15. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  16. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  17. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  18. Levene, B., et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  19. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  20. ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.
  21. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  22. Schwarz, D., Sopko, J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  23. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  24. Lancaster, T. and Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.
  25. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  26. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  27. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  28. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
  29. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  30. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  31. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  32. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  33. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  34. Griffin, N. (2017, January 17). CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL. Retrieved February 15, 2017.
  35. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  36. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  37. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  38. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  39. McKeague, B., et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  40. Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016.
  41. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  42. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.