Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

ID: T1102
Sub-techniques:  T1102.001, T1102.002, T1102.003
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Contributors: Anastasios Pingios
Version: 1.1
Created: 31 May 2017
Last Modified: 26 March 2020

Procedure Examples

ID Name Description
G0050 APT32

APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.[1]

S0534 Bazar

Bazar downloads have been hosted on Google Docs.[2][3]

S0335 Carbon

Carbon can use Pastebin to receive C2 commands.[4]

S0600 Doki

Doki has used the dogechain.info API to generate a C2 address.[5]

S0547 DropBook

DropBook can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions.[6][7]

G0037 FIN6

FIN6 has used Pastebin and Google Storage to host content for their operations.[8]

G0117 Fox Kitten

Fox Kitten has used Amazon Web Services to host C2.[9]

G0047 Gamaredon Group

Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.[10]

S0601 Hildegard

Hildegard has downloaded scripts from GitHub.[11]

G0100 Inception

Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.[12][13]

S0198 NETWIRE

NETWIRE has used web services including Paste.ee to host payloads.[14]

S0508 Ngrok

Ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.[15]

G0106 Rocke

Rocke has used Pastebin, Gitee, and GitLab for Command and Control.[16][17]

S0546 SharpStage

SharpStage has used a legitimate web service for evading detection.[6]

S0589 Sibot

Sibot has used a legitimate compromised website to download DLLs to the victim's machine.[18]

G0010 Turla

Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.[4][19]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

M1021 Restrict Web-Based Content

Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

Detection

Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.[20]

References