Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.
These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
ANDROIDOS_ANSERVER.A uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.
|S0539||Red Alert 2.0|
|S0318||XLoader for Android|
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
- Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.
- M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
- K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.
- R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
- J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
- Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.
- ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.
- Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.