Standard Application Layer Protocol

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.

In the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking access to GCM.[1]

ID: T1437
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Command And Control, Exfiltration
Platforms: Android, iOS
MTC ID: APP-29
Version: 1.1
Created: 25 October 2017
Last Modified: 03 February 2019

Procedure Examples

Name Description
Android/Chuli.A

Android/Chuli.A used HTTP uploads to a URL as a command and control mechanism.[2]

Bread

Bread communicates with the C2 server using HTTP requests.[17]

Cerberus

Cerberus communicates with the C2 server using HTTP.[20]

Concipit1248

Concipit1248 communicates with the C2 server using HTTP requests.[15]

Corona Updates

Corona Updates communicates with the C2 server using HTTP requests and has exfiltrated data using FTP.[15]

Dark Caracal

Dark Caracal controls implants using standard HTTP communication.[6]

DEFENSOR ID

DEFENSOR ID has used Firebase Cloud Messaging for C2.[21]

EventBot

EventBot communicates with the C2 using HTTP requests.[19]

Exodus

Exodus One checks in with the command and control server using HTTP POST requests.[9]

GolfSpy

GolfSpy exfiltrates data using HTTP POST requests.[14]

Gustuff

Gustuff communicates with the command and control server using HTTP requests.[10]

INSOMNIA

INSOMNIA communicates with the C2 server using HTTPS requests.[18]

Pallas

Pallas exfiltrates data using HTTP.[6]

RedDrop

RedDrop uses standard HTTP for communication and exfiltration.[5]

Riltok

Riltok communicates with the command and control server using HTTP requests.[8]

Rotexy

Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging.[11]

RuMMS

RuMMS uses HTTP for command and control.[3]

Skygofree

Skygofree can be controlled via HTTP, XMPP, Firebase Cloud Messaging, or, in older versions, Google Cloud Messaging.[4]

Triada

Triada utilized HTTP to exfiltrate data through POST requests to the command and control server.[7]

TrickMo

TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests.[16]

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.Agent.ao uses Google Cloud Messaging (GCM) for command and control.[1]

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.FakeInst.a uses Google Cloud Messaging (GCM) for command and control.[1]

Trojan-SMS.AndroidOS.OpFake.a

Trojan-SMS.AndroidOS.OpFake.a uses Google Cloud Messaging (GCM) for command and control.[1]

ViceLeaker

ViceLeaker uses HTTP for C2 communication and data exfiltration.[12][13]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

References