Encrypted Channel: Symmetric Cryptography

ID Name
T1573.001 Symmetric Cryptography
T1573.002 Asymmetric Cryptography

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

ID: T1573.001
Sub-technique of: T1573
Tactic: Command And Control
Platforms: Linux, Windows, macOS
Data Sources: Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Version: 1.0
Created: 16 March 2020
Last Modified: 26 March 2020

Procedure Examples

Name Description
3PARA RAT

3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. If DES decryption fails, 3PARA RAT falls back to an 8-byte XOR key derived from the same string.[8]

4H RAT

4H RAT obfuscates C2 communication using a 1-byte XOR with the key 0xBE.[8]

ADVSTORESHELL

A variant of ADVSTORESHELL encrypts some C2 with 3DES.[32]

APT28

APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.[88]

APT33

APT33 has used AES for encryption of command and control traffic.[64]

Attor

Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.[80]

Azorult

Azorult can encrypt C2 traffic using XOR.[50][51]

BADCALL

BADCALL encrypts C2 traffic using an XOR/ADD cipher.[52]

BADNEWS

BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.[19][20]

BBSRAT

BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.[35]

Bisonal

Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.[36]

BRONZE BUTLER

BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.[5]

CallMe

CallMe uses AES to encrypt C2 traffic.[7]

Carbanak

Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.[12][13]

Cardinal RAT

Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.[53]

Chaos

Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.[17]

ChChes

ChChes can encrypt C2 traffic with AES or RC4.[46][47]

CHOPSTICK

CHOPSTICK encrypts C2 communications with RC4.[9]

Comnie

Comnie encrypts command and control communications with RC4.[29]

CORESHELL

CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.[33]

CosmicDuke

CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.[24]

Daserf

Daserf uses RC4 encryption to obfuscate HTTP traffic.[5]

Derusbi

Derusbi obfuscates C2 traffic with variable 4-byte XOR keys.[11]

Dipsind

Dipsind encrypts C2 data with AES256 in ECB mode.[26]

down_new

down_new has the ability to AES encrypt C2 communications.[82]

Downdelph

Downdelph uses RC4 to encrypt C2 responses.[60]

Dridex

Dridex has encrypted traffic with RC4.[67]

Duqu

The Duqu command and control protocol's data stream can be encrypted with AES-CBC.[61]

Ebury

Ebury has encrypted C2 traffic using the client IP address as the key, then encoded the result as a hexadecimal string.[65]

Elise

Elise encrypts exfiltrated data with RC4.[34]

Emissary

The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.[56]

Epic

Epic encrypts commands from the C2 server using a hardcoded key.[49]

FakeM

The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of "YHCRA" and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic.[7]

FALLCHILL

FALLCHILL encrypts C2 data with RC4 encryption.[18]

Felismus

Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.[55]

FlawedAmmyy

FlawedAmmyy has used SEAL encryption during the initial C2 handshake.[66]

Frankenstein

Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.[90]

Gazer

Gazer uses custom encryption for C2 that uses 3DES.[72][73]

gh0st RAT

gh0st RAT uses RC4 and XOR to encrypt C2 traffic.[44]

GreyEnergy

GreyEnergy encrypts communications using AES256.[45]

H1N1

H1N1 encrypts C2 traffic using an RC4 key.[3]

HAMMERTOSS

Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command.[28]

Helminth

Helminth encrypts data sent to its C2 server over HTTP with RC4.[39]

Hi-Zor

Hi-Zor encrypts C2 traffic with a double XOR using two distinct single-byte keys.[74]

HiddenWasp

HiddenWasp uses an RC4-like algorithm with a precomputed PRGA-generated key stream for network communication.[68]

Hikit

Hikit performs XOR encryption.[31]

HotCroissant

HotCroissant has compressed network communications and encrypted them with a custom stream cipher.[76][77]

httpclient

httpclient encrypts C2 content with XOR using a single byte, 0x12.[8]

Hydraq

Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.[27]

Inception

Inception has encrypted network communications with AES.[89]

InvisiMole

InvisiMole uses variations of a simple XOR encryption routine for C&C communications.[57]

KEYMARBLE

KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications.[41]

Komplex

The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.[25]

Lazarus Group

Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads.[84][85][86][87]

LightNeuron

LightNeuron uses AES to encrypt C2 traffic.[69]

Lurid

Lurid performs XOR encryption.[4]

MoonWind

MoonWind encrypts C2 traffic using RC4 with a static key.[10]

More_eggs

More_eggs has used an RC4-based encryption method for its C2 communications.[70]

Mosquito

Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.[58]

NanoCore

NanoCore uses DES to encrypt the C2 traffic.[43]

NDiskMonitor

NDiskMonitor uses AES to encrypt certain information sent over its C2 channel.[20]

NETEAGLE

NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key "ScoutEagle."[15]

Okrum

Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase.[81]

PLAINTEE

PLAINTEE encodes C2 beacons using XOR.[42]

PLEAD

PLEAD has used RC4 encryption to download modules.[78]

PoisonIvy

PoisonIvy uses the Camellia cipher to encrypt communications.[23]

POWERTON

POWERTON has used AES for encrypting C2 traffic.[64]

Prikormka

Prikormka encrypts some C2 traffic with the Blowfish cipher.[48]

QuasarRAT

QuasarRAT uses AES to encrypt network communication.[1][2]

RedLeaves

RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.[38]

Rifdoor

Rifdoor has encrypted command and control (C2) communications with a stream cipher.[76]

RIPTIDE

APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4.[6]

RTM

RTM encrypts C2 traffic with a custom RC4 variant.[30]

Sakula

Sakula encodes C2 traffic with single-byte XOR keys.[37]

SeaDuke

SeaDuke C2 traffic has been encrypted with RC4 and AES.[21][22]

SNUGRIDE

SNUGRIDE encrypts C2 traffic using AES with a static key.[14]

Stealth Falcon

Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.[83]

Sys10

Sys10 uses an XOR 0x1 loop to encrypt its C2 domain.[59]

Taidoor

Taidoor uses RC4 to encrypt the message body of HTTP content.[71]

TrickBot

TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.[16]

TSCookie

TSCookie has encrypted network communications with RC4.[79]

UPPERCUT

Some versions of UPPERCUT have used the hard-coded string "this is the encrypt key" for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.[54]

Volgmer

Volgmer uses a simple XOR cipher to encrypt traffic and files.[40]

Winnti for Linux

Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).[75]

ZeroT

ZeroT has used RC4 to encrypt C2 traffic.[62][63]

Mitigations

Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

With symmetric encryption the same key both encrypts and decrypts, so the key must be present in the implant or derivable from it. If the algorithm and key can be recovered from a malware sample (hard-coded strings, a key-derivation routine, or a key negotiated in a captured handshake), they can be used to decrypt captured network traffic and build detection signatures on the decrypted content rather than on the ciphertext.

In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[91]
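The detection approach above (recover the algorithm and key from the sample, decrypt the capture, then signature the plaintext) as an added, runnable Python example. This is not code from the ATT&CK page or from any malware family it lists. It models two schemes that recur in the procedure table, RC4 with a hard-coded key and single-byte XOR, and shows the two ways the key is obtained in practice: lifted directly from the sample (RC4) or brute-forced from a known plaintext prefix (XOR). The key `s3cr3tk3y`, the beacon format `id=...|os=...|cmd=...`, the signature names and all traffic bodies are assumptions constructed for the example.

```python
"""
Added example (not part of the ATT&CK page): recovering symmetric C2
encryption from a sample and using it to decrypt captured traffic.

Two schemes from the procedure table are modelled: an RC4-keyed channel
(the pattern used by e.g. CHOPSTICK, Comnie, FALLCHILL) and a single-byte
XOR channel (the pattern used by e.g. 4H RAT with 0xBE, httpclient with
0x12). All traffic bodies below are constructed for the example; the RC4
key is a hypothetical value standing in for a string pulled from a sample.
"""
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_single_byte(key: int, data: bytes) -> bytes:
    """One-byte XOR; its own inverse, like RC4."""
    return bytes(b ^ key for b in data)


def recover_xor_key(ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Brute-force a single-byte XOR key using a known-plaintext prefix.

    A beacon usually starts with a fixed marker recovered from the sample
    (victim-ID tag, protocol magic, HTTP verb). Only the true key turns the
    first len(known_prefix) bytes into that marker, so the search is exact.
    """
    if not known_prefix or len(ciphertext) < len(known_prefix):
        return None
    for candidate in range(256):
        if xor_single_byte(candidate, ciphertext[:len(known_prefix)]) == known_prefix:
            return candidate
    return None


# Plaintext markers a reverser would lift from the sample's command parser.
# Hypothetical names and strings, constructed for the example.
PLAINTEXT_SIGNATURES = {
    "beacon": b"id=",        # check-in always begins with the victim id
    "tasking": b"|cmd=",     # operator command field
    "exfil": b"|file=",      # file upload field
}


def classify_plaintext(plaintext: bytes) -> list:
    """Return the names of all signatures present in decrypted C2 data."""
    return [name for name, marker in PLAINTEXT_SIGNATURES.items() if marker in plaintext]


def decrypt_rc4_c2(body: bytes, sample_key: bytes) -> list:
    """Decrypt an RC4 C2 body with a key recovered from the sample, then classify it."""
    return classify_plaintext(rc4(sample_key, body))


def decrypt_xor_c2(body: bytes, known_prefix: bytes) -> list:
    """Recover the XOR key from a known prefix, decrypt, then classify."""
    key = recover_xor_key(body, known_prefix)
    if key is None:
        return []
    return classify_plaintext(xor_single_byte(key, body))


# --- constructed sample traffic ---------------------------------------------
SAMPLE_KEY = b"s3cr3tk3y"                            # hypothetical hard-coded key
CHECKIN = b"id=WS-4521|os=Windows 10|cmd=whoami"     # constructed beacon body
RC4_BODY = rc4(SAMPLE_KEY, CHECKIN)                  # what a capture would show
XOR_BODY = xor_single_byte(0xBE, CHECKIN)            # same body under XOR 0xBE

if __name__ == "__main__":
    print("RC4 body hits:", decrypt_rc4_c2(RC4_BODY, SAMPLE_KEY))
    key = recover_xor_key(XOR_BODY, b"id=")
    print("XOR key:", hex(key) if key is not None else None,
          "hits:", decrypt_xor_c2(XOR_BODY, b"id="))
```

The signatures are applied to the decrypted body, which is the point of the detection note: a network sensor matching on ciphertext would need one rule per key and per sample, whereas rules on the plaintext command format survive key changes. The known-prefix search is exact for one-byte XOR; for the multi-byte XOR schemes in the table (Derusbi, Komplex, Winnti for Linux) the same idea applies per key position, provided the known plaintext is at least as long as the key.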

References

  1. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  2. Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  3. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  4. Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
  5. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  6. Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  7. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  8. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  9. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  10. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  11. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  12. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  13. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  14. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  15. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  16. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  17. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  18. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  19. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  20. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  21. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  22. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  23. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
  24. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  25. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  26. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  27. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  28. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  29. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  30. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  31. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  32. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  33. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.
  34. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  35. Lee, B., Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  36. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  37. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  38. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  39. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  40. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  41. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  42. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  43. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  44. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  45. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  46. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  47. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  48. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  49. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  50. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  51. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  52. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  53. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  54. Matsuda, A., Muhammad, I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  55. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  56. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  57. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  58. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  59. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  60. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  61. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  62. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  63. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  64. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  65. M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  66. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  67. Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.
  68. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  69. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  70. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  71. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  72. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  73. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  74. Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.
  75. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  76. Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  77. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
  78. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  79. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  80. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  81. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  82. Chen, J., et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  83. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  84. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  85. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  86. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  87. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  88. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  89. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  90. Adamitis, D., et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  91. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.