Standard Cryptographic Protocol

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.

ID: T1521
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Command And Control
Platforms: Android, iOS
Version: 1.0
Created: 01 October 2019
Last Modified: 01 October 2019

Procedure Examples

Name Description
eSurv

eSurv’s Android version has used public key encryption and certificate pinning for C2 communication.[1]

EventBot

EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[2]

Rotexy

Rotexy encrypts JSON HTTP payloads with AES.[3]

Twitoor

Twitoor encrypts its C2 communication.[4]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is undetectable to the user.

References