
Multi-hop Proxy

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically a defender can identify only the last proxy the traffic traversed before it entered their network; whether any earlier proxies can be identified depends on data the defender usually does not control. Chaining hops therefore makes attributing the original source much harder, because the defender must trace the malicious traffic back through every proxy in the chain, one hop at a time, before reaching it.

ID: T1188
Tactic: Command And Control
Platform: Linux, macOS, Windows
Data Sources: Network protocol analysis, Netflow/Enclave netflow
Requires Network: Yes
Version: 1.0

Procedure Examples

Name: Description
APT29: A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network. [8]
Dok: Dok downloads and installs Tor via Homebrew. [2]
FIN4: FIN4 has used Tor to log in to victims' email accounts. [9]
GreyEnergy: GreyEnergy has used Tor relays for Command and Control servers. [3]
Keydnap: Keydnap uses a copy of the tor2web proxy for HTTPS communications. [4]
MacSpy: MacSpy uses Tor for command and control. [2]
Tor: Traffic traversing the Tor network is forwarded through multiple nodes before exiting the Tor network and continuing on to its intended destination. [1]
Ursnif: Ursnif has used Tor for C2. [6] [7]
WannaCry: WannaCry uses Tor for command and control traffic. [5]

Mitigations

Mitigation: Description
Filter Network Traffic: Traffic to known anonymity networks (such as Tor) and known C2 infrastructure can be blocked with network blocklists and allowlists. Note that this kind of blocking may be circumvented by other techniques, such as Domain Fronting, that hide the true destination behind an allowed one.

Detection

When use of multi-hop proxies is observed, flow data from an intermediate proxy or from the actual command and control server can allow incoming and outgoing flows to be correlated (by timing and volume), tracing the malicious traffic one hop further back toward its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as Tor) or to known adversary infrastructure that uses this technique.
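The two detection ideas above, as an added example that is not part of the ATT&CK page: a known-node match over NetFlow-style records, and a hop-by-hop trace that pairs each outbound flow on a proxy with the inbound flow it most likely relayed, using start time and byte count. The flow records, the list of "known anonymity nodes" (a stand-in for a Tor consensus or threat-intel feed), the RFC 5737 test addresses, the record format `ts src dst dport bytes`, and the tolerances are all constructed for this illustration.

```python
"""Added example: flagging anonymity-network flows and tracing a proxy chain
back one hop at a time from constructed NetFlow-style records."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start time, seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated 'ts src dst dport bytes' records (constructed format)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport), int(nbytes)))
    return flows


# Constructed stand-in for a Tor node feed; addresses are RFC 5737 TEST-NET ranges.
KNOWN_ANONYMITY_NODES = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}


def flag_anonymity_network_flows(flows: List[Flow], known=KNOWN_ANONYMITY_NODES) -> List[Flow]:
    """Detection 1: any flow whose endpoint is a known anonymity-network node."""
    return [f for f in flows if f.src in known or f.dst in known]


def previous_hop(out: Flow, host_flows: List[Flow],
                 max_delay: float = 2.0, size_tol: float = 0.05) -> Optional[Flow]:
    """Detection 2: on the host that emitted `out`, pick the inbound flow that started
    shortly before it with a similar byte count; that flow's src is the previous hop."""
    candidates = [
        f for f in host_flows
        if f.dst == out.src
        and 0.0 <= out.ts - f.ts <= max_delay
        and abs(f.nbytes - out.nbytes) <= size_tol * max(out.nbytes, 1)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda f: out.ts - f.ts)  # closest in time wins


def trace_source(seen: Flow, flows_by_host: Dict[str, List[Flow]], max_hops: int = 10) -> List[str]:
    """Walk back from a flow seen at the victim edge through every hop we have flow
    data for. Returns [last_hop, ..., earliest source we can see]; stops at the first
    hop with no vantage point or no plausible match."""
    chain = [seen.src]
    cur = seen
    for _ in range(max_hops):
        host_flows = flows_by_host.get(cur.src)
        if host_flows is None:
            break
        prev = previous_hop(cur, host_flows)
        if prev is None:
            break
        chain.append(prev.src)
        cur = prev
    return chain


# Constructed sample: flows seen at the victim edge (192.0.2.0/24 is the victim network).
VICTIM_FLOWS = parse_flows("""
# ts      src            dst          dport  bytes
100.30    198.51.100.7   192.0.2.10   445    4100
100.31    192.0.2.55     192.0.2.10   445    900
""")

# Constructed sample: flow data obtained from two proxy hops (e.g. via a provider or
# the proxy's own logs). 203.0.113.99 is the earliest source visible to us.
PROXY_FLOWS = {
    "198.51.100.7": parse_flows("""
        99.95   203.0.113.11   198.51.100.7   9001   4100
        100.30  198.51.100.7   192.0.2.10     445    4100
        100.10  203.0.113.10   198.51.100.7   9001   1200
        100.40  198.51.100.7   192.0.2.77     443    1200
    """),
    "203.0.113.11": parse_flows("""
        99.60   203.0.113.99   203.0.113.11   9001   4100
        99.95   203.0.113.11   198.51.100.7   9001   4100
    """),
}


if __name__ == "__main__":
    for f in flag_anonymity_network_flows(VICTIM_FLOWS):
        print("known anonymity node:", f)
    print("chain:", " <- ".join(trace_source(VICTIM_FLOWS[0], PROXY_FLOWS)))
```

The size/timing pairing is a heuristic and only as good as the vantage points you have: it works well for simple relays (redirectors, SOCKS chains) that re-emit the same payload with little delay, but against Tor itself, where traffic is re-encrypted into fixed-size cells and mixed with other circuits at every relay, matching by byte count is far less reliable, and the known-node match is usually the only practical signal.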

References