Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.
The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.
| ID | Name | Description |
|---|---|---|
| G0022 | APT3 |
An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.[1] |
| G0096 | APT41 |
APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.[2] |
| S0031 | BACKSPACE |
BACKSPACE attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs "louder" interactions with the malware.[3] |
| S0534 | Bazar |
The Bazar loader is used to download and execute the Bazar backdoor.[4][5] |
| S0069 | BLACKCOFFEE |
BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines.[6] |
| S0220 | Chaos |
After initial compromise, Chaos will download a second stage to establish a more permanent presence on the affected system.[7] |
| S1160 | Latrodectus |
Latrodectus has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier two nodes connecting to backend infrastructure.[8] |
| G0032 | Lazarus Group |
Lazarus Group has used multi-stage malware components that inject later stages into separate processes.[9] |
| S1141 | LunarWeb |
LunarWeb can use one C2 URL for first contact and to upload information about the host computer and two additional C2 URLs for getting commands.[10] |
| G0069 | MuddyWater |
MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.[11] |
| S1086 | Snip3 |
Snip3 can download and execute additional payloads and modules over separate communication channels.[12][13] |
| S0022 | Uroburos |
Individual Uroburos implants can use multiple communication channels based on one of four available modes of operation.[14] |
| S0476 | Valak |
Valak can download additional modules and malware capable of using separate C2 channels.[15] |
| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections that are sent or received by untrusted hosts. |
| Network Traffic Flow |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |