Web Service: Dead Drop Resolver

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, a victim device reaches out to the resolver, extracts and decodes the embedded address, and is thereby redirected to the actual C2 infrastructure.

Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).
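The following is an added illustration of the mechanism described above, not code from the ATT&CK page or from any of the malware families listed below. It shows both halves of a dead drop resolver: the operator obfuscates a C2 URL into a token that blends into an otherwise innocuous post, and the implant scans fetched post text for such tokens, decodes them, and falls back to the next resolver if one yields nothing. The marker characters, the XOR key, and the sample post text are illustrative assumptions; the fetch from a real Web service is replaced by constructed strings so the example runs offline.

```python
"""
Added example: encoding and resolving a dead-drop C2 address.
Marker tokens, XOR key and sample posts are assumptions made for illustration.
"""
import base64
import re
from typing import Optional

MARKER_START = "##"   # assumption: delimiter the implant searches for
MARKER_END = "##"
XOR_KEY = b"k9"       # assumption: short repeating key for light obfuscation


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so one routine both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_resolver_payload(c2_url: str) -> str:
    """Operator side: obfuscate a C2 URL into a token that passes as noise in a post."""
    obfuscated = xor_bytes(c2_url.encode("utf-8"), XOR_KEY)
    token = base64.urlsafe_b64encode(obfuscated).decode("ascii").rstrip("=")
    return f"{MARKER_START}{token}{MARKER_END}"


def decode_resolver_payload(token: str) -> str:
    """Implant side: restore base64 padding, undo the XOR, recover the URL."""
    padded = token + "=" * (-len(token) % 4)
    return xor_bytes(base64.urlsafe_b64decode(padded), XOR_KEY).decode("utf-8")


# Token body is URL-safe base64 without padding; require a minimum length to skip noise.
TOKEN_RE = re.compile(
    re.escape(MARKER_START) + r"([A-Za-z0-9_-]{8,})" + re.escape(MARKER_END)
)


def extract_c2(page_text: str) -> Optional[str]:
    """Scan fetched post content for tokens; return the first one that decodes to a URL."""
    for match in TOKEN_RE.finditer(page_text):
        try:
            url = decode_resolver_payload(match.group(1))
        except (ValueError, UnicodeDecodeError):
            continue  # random text that happened to match the token shape
        if url.startswith(("http://", "https://")):
            return url
    return None


def resolve_c2(pages: list[str]) -> Optional[str]:
    """Walk resolver pages in order; the first that yields a URL wins.

    This models the resiliency the page describes: the operator can change the
    back-end by editing a post and can publish fallback resolvers elsewhere.
    """
    for text in pages:
        url = extract_c2(text)
        if url:
            return url
    return None


# Constructed sample content standing in for fetched blog or social-media posts.
C2_URL = "https://203.0.113.7/api"   # RFC 5737 documentation address, not a real C2
PRIMARY_POST = (
    "Weekend hike photos coming soon! "
    + encode_resolver_payload(C2_URL)
    + " #trail"
)
STALE_POST = "Nothing to see here."

if __name__ == "__main__":
    print("post as seen on the service:", PRIMARY_POST)
    print("resolved C2:", resolve_c2([STALE_POST, PRIMARY_POST]))
```

For a defender, the takeaway is that the resolver text itself carries nothing that a keyword filter would catch, and the implant binary contains only the service URL plus the decoding routine, so static analysis of the binary reveals the resolver, not the back-end.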

ID: T1481.001
Sub-technique of:  T1481
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.2
Created: 06 April 2022
Last Modified: 14 August 2023

Procedure Examples

ID Name Description
S0310 ANDROIDOS_ANSERVER.A

ANDROIDOS_ANSERVER.A uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.[1]

S0422 Anubis

Anubis can retrieve the C2 address from Twitter and Telegram.[2][3]

S0539 Red Alert 2.0

Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.[4]

S0318 XLoader for Android

XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.[5]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Network Communication

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. For this technique, an application that contacts a popular Web service or social media site it has no functional need for, and then connects to an unrelated domain or bare IP address, warrants closer review.

DS0029 Network Traffic Network Connection Creation

Properly configured firewalls may block the follow-on command and control traffic to the resolved infrastructure, although the initial request to the legitimate Web service hosting the resolver is unlikely to be blocked, since such services are commonly permitted.
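As an added example of the detection idea in the two rows above, and not part of the ATT&CK page, the following heuristic runs over per-application connection records of the kind an application vetting service or network sensor might produce. It flags an application that contacts a service commonly abused as a resolver and, within a short window, connects to a destination that is a bare IP address or is absent from that application's baseline of expected hosts. The record format, the service list, the 120-second window and the log entries are all constructed assumptions.

```python
"""
Added example: dead-drop-resolver detection heuristic over connection records.
Record format, service list, window and sample records are assumptions.
"""
from dataclasses import dataclass
import ipaddress

# Assumption: popular services an implant might use to host a resolver.
RESOLVER_SERVICES = {
    "twitter.com", "t.me", "telegram.org", "instagram.com",
    "tumblr.com", "blogspot.com", "pastebin.com",
}
WINDOW_SECONDS = 120  # assumption: how soon the C2 contact follows the resolver fetch


@dataclass(frozen=True)
class Connection:
    ts: int     # epoch seconds
    app: str    # package name from the vetting report
    dest: str   # hostname or IP address the app connected to
    port: int


def is_resolver_service(host: str) -> bool:
    """True if the host or any parent domain is in the resolver service list.

    Only proper suffixes are checked, so 'twitter.com.evil.example' does not match.
    """
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in RESOLVER_SERVICES for i in range(len(parts) - 1))


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_dead_drop_patterns(conns: list[Connection], baseline: dict[str, set[str]]):
    """Return (app, resolver_host, suspicious_dest) tuples.

    A finding is a resolver-service fetch followed within WINDOW_SECONDS, by the
    same app, by a connection to a bare IP or to a host outside the app's baseline.
    """
    findings = []
    by_app: dict[str, list[Connection]] = {}
    for c in sorted(conns, key=lambda c: c.ts):
        by_app.setdefault(c.app, []).append(c)

    for app, events in by_app.items():
        expected = baseline.get(app, set())
        for i, fetch in enumerate(events):
            if not is_resolver_service(fetch.dest):
                continue
            for follow in events[i + 1:]:
                if follow.ts - fetch.ts > WINDOW_SECONDS:
                    break  # events are sorted, so nothing later can be in the window
                if is_bare_ip(follow.dest) or (
                    follow.dest not in expected and not is_resolver_service(follow.dest)
                ):
                    findings.append((app, fetch.dest, follow.dest))
    return findings


# Constructed records; 203.0.113.7 and 198.51.100.9 are RFC 5737 documentation addresses.
SAMPLE_CONNECTIONS = [
    Connection(1000, "com.example.flashlight", "api.twitter.com", 443),
    Connection(1004, "com.example.flashlight", "203.0.113.7", 8080),   # within window, bare IP
    Connection(2000, "com.example.news", "api.twitter.com", 443),
    Connection(2003, "com.example.news", "cdn.example-news.com", 443), # in baseline, benign
    Connection(3000, "com.example.flashlight", "blog.blogspot.com", 443),
    Connection(3500, "com.example.flashlight", "198.51.100.9", 443),   # outside window
]
SAMPLE_BASELINE = {
    "com.example.news": {"api.twitter.com", "cdn.example-news.com"},
}

if __name__ == "__main__":
    for finding in find_dead_drop_patterns(SAMPLE_CONNECTIONS, SAMPLE_BASELINE):
        print("possible dead drop resolver:", finding)
```

The baseline is what keeps this usable: a news application that legitimately talks to Twitter and then to its own CDN is not flagged, while a flashlight application with no expected hosts that fetches from Twitter and then opens a connection to a raw address is. Tuning the window and the service list to the fleet being monitored is part of deploying any heuristic of this shape.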

References