Standard Application Layer Protocol

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.

In the mobile environment, Google Cloud Messaging (GCM; two-way) and the Apple Push Notification Service (APNS; one-way, server-to-device) are push protocols used by legitimate apps on Android and iOS respectively. Command and control carried over them blends in with routine device traffic, terminates at Google's or Apple's infrastructure rather than at a server the adversary owns, and is difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking the offending application's access to GCM.[1] GCM has since been superseded by Firebase Cloud Messaging (FCM); as the Skygofree entry below shows, malware has followed that migration.

ID: T1437
Tactic Type: Post-Adversary Device Access
Tactic: Command And Control, Exfiltration
Platform: Android, iOS
MTC ID: APP-29
Version: 1.1

Procedure Examples

Name Description
Android/Chuli.A Android/Chuli.A used HTTP uploads to a URL as a command and control mechanism. [2]
Dark Caracal Dark Caracal controls implants using standard HTTP communication. [6]
Exodus Exodus One checks in with the command and control server using HTTP POST requests. [8]
Gustuff Gustuff communicates with the command and control server using HTTP requests. [9]
Pallas Pallas exfiltrates data using HTTP. [6]
RedDrop RedDrop uses standard HTTP for communication and exfiltration. [5]
Riltok Riltok communicates with the command and control server using HTTP requests. [7]
Rotexy Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging. [10]
RuMMS RuMMS uses HTTP for command and control. [3]
Skygofree Skygofree can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions. [4]
Trojan-SMS.AndroidOS.Agent.ao Trojan-SMS.AndroidOS.Agent.ao uses Google Cloud Messaging (GCM) for command and control. [1]
Trojan-SMS.AndroidOS.FakeInst.a Trojan-SMS.AndroidOS.FakeInst.a uses Google Cloud Messaging (GCM) for command and control. [1]
Trojan-SMS.AndroidOS.OpFake.a Trojan-SMS.AndroidOS.OpFake.a uses Google Cloud Messaging (GCM) for command and control. [1]

Mitigations

This technique cannot be easily mitigated with preventive controls, since it abuses protocols and platform features that legitimate applications depend on. Blocking HTTP, HTTPS or DNS is not an option, and GCM/APNS traffic is terminated by Google and Apple rather than by an inspectable enterprise gateway. The practical controls are detective: HTTP(S) command and control remains visible to a proxy or device VPN as a regular, low-variance check-in to a host that the rest of the fleet never contacts, and push-channel abuse is addressed through application vetting and by reporting the abusing application to the platform vendor so its access can be revoked.[1]
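The check-in pattern described above (Rotexy, Gustuff and Riltok all poll their server over HTTP) and the detection-only posture of the Mitigations section can be illustrated with a small beacon detector. The following script is an added example written for this page, not code from ATT&CK or from any of the cited reports. It parses a constructed proxy log, groups requests per (client, host), measures how regular the gaps between requests are, and flags sessions whose timing is too periodic to be a human browsing. The log format, the hostnames, the `min_hits` and `max_jitter` thresholds and the allowlist are all assumptions for the example.

```python
"""Beacon detection over HTTP proxy logs (added example, not part of the ATT&CK page).

Malware that talks to its C2 over plain HTTP/HTTPS still has to check in, and
check-ins tend to be small, regular and directed at a host that the rest of the
fleet never contacts. The log format, hosts and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data). Field order is an assumption:
# "<ISO timestamp> <client> <method> <host> <path> <status> <bytes_out>"
# 10.0.0.7 polls update-srv.example.net roughly every 300 s; everything else is noise.
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.0.0.7 POST update-srv.example.net /api/v2/ping 200 612
2024-03-01T08:00:02 10.0.0.7 GET www.google.com /search 200 312
2024-03-01T08:00:40 10.0.0.7 GET www.google.com /maps 200 4120
2024-03-01T08:01:10 10.0.0.9 GET cdn.example.com /lib.js 200 0
2024-03-01T08:03:15 10.0.0.7 GET www.google.com /search 200 300
2024-03-01T08:05:01 10.0.0.7 POST update-srv.example.net /api/v2/ping 200 618
2024-03-01T08:07:30 10.0.0.7 GET cdn.example.com /lib.js 200 0
2024-03-01T08:09:59 10.0.0.7 POST update-srv.example.net /api/v2/ping 200 611
2024-03-01T08:11:05 10.0.0.7 GET www.google.com /search 200 305
2024-03-01T08:12:00 10.0.0.7 GET www.google.com /images 200 9900
2024-03-01T08:15:00 10.0.0.7 POST update-srv.example.net /api/v2/ping 200 615
2024-03-01T08:16:45 10.0.0.9 GET cdn.example.com /app.css 200 0
2024-03-01T08:20:02 10.0.0.7 POST update-srv.example.net /api/v2/ping 200 609
2024-03-01T08:22:10 10.0.0.9 GET cdn.example.com /lib.js 200 0
2024-03-01T08:25:00 10.0.0.7 GET cdn.example.com /app.css 200 0
"""


def parse_log(text):
    """Turn one whitespace-separated log line per request into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, size = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": path, "status": int(status), "bytes_out": int(size),
        })
    return records


def detect_beacons(records, min_hits=4, max_jitter=0.2, allowlist=("www.google.com",)):
    """Flag (client, host) sessions whose inter-request gaps are nearly constant.

    jitter = stddev(gaps) / mean(gaps); a human browsing a site scores near 1.0,
    a timer-driven check-in scores near 0. Prevalence (how many clients talk to
    the host at all) is reported so a triager can spot single-device destinations.
    """
    by_session = defaultdict(list)
    clients_per_host = defaultdict(set)
    for r in records:
        by_session[(r["client"], r["host"])].append(r)
        clients_per_host[r["host"]].add(r["client"])

    findings = []
    for (client, host), reqs in by_session.items():
        if host in allowlist or len(reqs) < min_hits:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        if avg <= 0:            # duplicate timestamps; not a timed beacon
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue
        findings.append({
            "client": client, "host": host, "hits": len(reqs),
            "mean_interval": avg, "jitter": jitter,
            "mean_bytes_out": mean(r["bytes_out"] for r in reqs),
            "clients_seen": len(clients_per_host[host]),
        })
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in detect_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits every "
              f"{f['mean_interval']:.0f}s (jitter {f['jitter']:.3f}), "
              f"{f['clients_seen']} client(s) fleet-wide")
```

Run against the constructed log, only the 10.0.0.7 session to update-srv.example.net is reported: five POSTs about 300 seconds apart with jitter around 0.005, from a single client. The Google browsing from the same device is irregular and allowlisted, and the cdn.example.com requests never reach `min_hits`. The same logic applies to TLS traffic if the proxy logs the SNI or CONNECT host, which is usually the only thing available for HTTPS C2. It does nothing for GCM/APNS check-ins, which are why the page calls those channels hard to inspect: the device talks to Google or Apple, the same endpoints every legitimate app uses.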

References