Encrypted Channel: Asymmetric Cryptography

ID Name
T1573.001 Symmetric Cryptography
T1573.002 Asymmetric Cryptography

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public key that can be freely distributed, and one private key that is kept secret. Because of how the pair is generated, data encrypted with the receiver's public key can be decrypted only with the matching private key, so the sender encrypts with the receiver's public key and the receiver decrypts with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.

For efficiency, many protocols (including SSL/TLS) use symmetric cryptography for the bulk of the data once a connection is established, and use asymmetric cryptography only to establish or transmit the symmetric key. As such, these protocols are classified as Asymmetric Cryptography.
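The hybrid pattern just described, a symmetric session key wrapped under the operator's public key, is the same shape as the Attor (Blowfish key encrypted with RSA), POSHSPY (AES and RSA) and ComRAT (RSA with AES attachments) entries below. The following is an added example written for this page, not code from ATT&CK or from any of the malware families cited, using only the Go standard library. Names (Envelope, Seal, Open), the 2048-bit key size, the beacon string and the choice of RSA-OAEP plus AES-256-GCM are this example's own assumptions; the point is that a captured implant carries only the public key, so the sample alone cannot decrypt other victims' traffic.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is one message as it would cross the wire: a per-message AES key
// wrapped under the operator's RSA public key, and the AES-GCM body.
// (Hypothetical layout for this example; real families differ.)
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(session key)
	Nonce      []byte // 96-bit GCM nonce
	Ciphertext []byte // AES-256-GCM(beacon) with the tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the implant side. The implant embeds only the public key, so
// reverse engineering the sample does not yield a decryption key.
func Seal(operatorPub *rsa.PublicKey, beacon []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // fresh AES-256 key per message
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The wrapped key is passed as associated data so the GCM tag covers it
	// and it cannot be swapped for a key the attacker controls.
	ct := gcm.Seal(nil, nonce, beacon, wrapped)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the operator side: unwrap the session key with the private key,
// then authenticate and decrypt. Tampering with any field returns an error.
func Open(operatorPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, operatorPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.WrappedKey)
}

func main() {
	// Operator keypair; only operator.PublicKey would ship inside the implant.
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed beacon body for the demonstration.
	env, err := Seal(&operator.PublicKey, []byte("beacon id=7f3a host=WS01"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wire: %d-byte wrapped key, %d-byte body\n", len(env.WrappedKey), len(env.Ciphertext))
	plain, err := Open(operator, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("operator reads: %s\n", plain)
}
```

From the defender's side this is the important consequence of the hybrid design: an analyst who recovers the implant gets the RSA public key and the cipher suite, which is enough to write a network signature for the envelope format, but not enough to decrypt captured sessions; only the operator's private key does that.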

ID: T1573.002
Sub-technique of:  T1573
Tactic: Command And Control
Platforms: Linux, Windows, macOS
Data Sources: Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Version: 1.0
Created: 16 March 2020
Last Modified: 30 March 2020

Procedure Examples

Name Description
adbupd

adbupd contains a copy of the OpenSSL library to encrypt C2 traffic.[1]

ADVSTORESHELL

A variant of ADVSTORESHELL encrypts some C2 with RSA.[2]

Attor

Attor's Blowfish key is encrypted with a public RSA key.[3]

BISCUIT

BISCUIT uses SSL for encrypting C2 communications.[4]

CHOPSTICK

CHOPSTICK encrypts C2 communications with TLS.[5]

Cobalt Group

Cobalt Group has used the Plink utility to create SSH tunnels.[6]

ComRAT

ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.[7]

Dridex

Dridex has encrypted traffic with RSA.[8]

Emotet

Emotet is known to use RSA keys for encrypting C2 traffic.[9]

Empire

Empire can use TLS to encrypt its C2 channel.[10]

FIN6

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[11]

FIN8

FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.[12]

Gazer

Gazer uses custom encryption for C2 that uses RSA.[13][14]

GreyEnergy

GreyEnergy encrypts communications using RSA-2048.[15]

Hi-Zor

Hi-Zor encrypts C2 traffic with TLS.[16]

IcedID

IcedID has used SSL and TLS in communications with C2.[17][18]

Koadic

Koadic can use SSL and TLS for communications.[19]

Machete

Machete has used TLS-encrypted FTP to exfiltrate data.[20]

Metamorfo

Metamorfo's C2 communication has been encrypted using OpenSSL.[21]

OilRig

OilRig used the Plink utility and other tools to create tunnels to C2 servers.[22]

PoetRAT

PoetRAT used TLS to encrypt command and control (C2) communications.[23]

POSHSPY

POSHSPY encrypts C2 traffic with AES and RSA.[24]

POWERSTATS

POWERSTATS has encrypted C2 traffic with RSA.[25]

Pupy

Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.[26]

REvil

REvil has encrypted C2 communications with the ECIES algorithm.[27]

ServHelper

ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.[28]

StrongPity

StrongPity has encrypted C2 traffic using SSL/TLS.[29]

Sykipot

Sykipot uses SSL for encrypting C2 communications.[30]

Tor

Tor encapsulates traffic in multiple layers of encryption, using TLS by default.[31]

Trojan.Karagany

Trojan.Karagany can secure C2 communications with SSL and TLS.[32]

Tropic Trooper

Tropic Trooper has used SSL to connect to C2 servers.[33][34]

Volgmer

Some Volgmer variants use SSL to encrypt C2 communications.[35]

WannaCry

WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.[36]

WellMail

WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.[37][38]

WellMess

WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.[39][40][41][38]

XTunnel

XTunnel uses SSL/TLS and RC4 to encrypt traffic.[42][5]

Zebrocy

Zebrocy uses SSL and AES ECB for encrypting C2 communications.[43][44]

Mitigations

Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

SSL/TLS Inspection

SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.

Detection

SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.[45] SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.[46]

In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[47]
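The three heuristics in the paragraph above (outbound-heavy flows, processes with no network history, and traffic that does not match the protocol expected on its port) can be applied to flow records joined with process data, the "Netflow/Enclave netflow" and "Process use of network" data sources listed for this sub-technique. The following is an added example for this page, not detection content from ATT&CK or from any cited vendor. The Flow record, the thresholds (64 KiB and a 10:1 upload ratio), the set of ports treated as TLS ports, and every sample flow are constructed assumptions for the demonstration; a real deployment would tune them against its own baseline.

```go
package main

import "fmt"

// Flow is a constructed summary of one connection: owning process, server
// port, bytes in each direction, and the first client payload bytes.
type Flow struct {
	Process   string
	DstPort   int
	BytesOut  int // client -> server
	BytesIn   int // server -> client
	FirstData []byte
}

// looksLikeTLS checks for a TLS record header: content type 0x16 (handshake)
// followed by major version 0x03. A full detector would parse the ClientHello;
// this is enough to notice a plaintext protocol squatting on a TLS port.
func looksLikeTLS(b []byte) bool {
	return len(b) >= 3 && b[0] == 0x16 && b[1] == 0x03
}

// Ports where TLS is the expected protocol in this example environment.
var tlsPorts = map[int]bool{443: true, 8443: true, 465: true, 993: true, 995: true}

// Assumed thresholds for the "uncommon data flow" check.
const (
	minUploadBytes = 64 * 1024
	uploadRatio    = 10
)

// Analyze returns one finding per heuristic hit. baseline lists processes
// that have previously been observed using the network on this host.
func Analyze(flows []Flow, baseline map[string]bool) []string {
	var findings []string
	for _, f := range flows {
		// Clients normally download more than they upload; the reverse at
		// volume is characteristic of exfiltration or a chatty C2 channel.
		if f.BytesOut > minUploadBytes && f.BytesOut > uploadRatio*f.BytesIn {
			findings = append(findings, fmt.Sprintf("%s -> :%d sent %d bytes, received %d (outbound-heavy flow)",
				f.Process, f.DstPort, f.BytesOut, f.BytesIn))
		}
		if !baseline[f.Process] {
			findings = append(findings, fmt.Sprintf("%s has no prior network activity", f.Process))
		}
		isTLS := looksLikeTLS(f.FirstData)
		if tlsPorts[f.DstPort] && !isTLS {
			findings = append(findings, fmt.Sprintf("%s -> :%d is not TLS on a TLS port", f.Process, f.DstPort))
		}
		if !tlsPorts[f.DstPort] && isTLS {
			findings = append(findings, fmt.Sprintf("%s -> :%d speaks TLS on a non-TLS port", f.Process, f.DstPort))
		}
	}
	return findings
}

// SampleFlows is constructed data, not a capture from any report cited on this page.
func SampleFlows() []Flow {
	return []Flow{
		{"chrome.exe", 443, 12_000, 480_000, []byte{0x16, 0x03, 0x01, 0x02, 0x00}},        // normal browsing
		{"backup-agent.exe", 443, 900_000, 4_000, []byte{0x16, 0x03, 0x03, 0x00, 0xc8}},   // heavy upload over TLS
		{"wmiprvse.exe", 8443, 2_000, 3_000, []byte("POST /gate.php HTTP/1.1")},         // plaintext HTTP on 8443
		{"calc.exe", 4444, 3_000, 2_500, []byte{0x16, 0x03, 0x01, 0x00, 0xf5}},           // TLS on an odd port
	}
}

// Baseline is the constructed set of processes already known to use the network.
func Baseline() map[string]bool {
	return map[string]bool{"chrome.exe": true, "backup-agent.exe": true}
}

func main() {
	for _, finding := range Analyze(SampleFlows(), Baseline()) {
		fmt.Println(finding)
	}
}
```

Note what this does and does not catch: the backup-agent flow is flagged only by volume, which is also what a legitimate backup looks like, so the baseline of known processes matters as much as the byte counts. The TLS-on-port check is deliberately weak; it will not distinguish a malicious TLS session on 443 from a benign one, which is exactly the gap the mitigations above (signature-based NIDS and SSL/TLS inspection) are meant to fill.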

References

  1. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  2. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  3. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  4. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  5. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  6. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  7. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  8. Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.
  9. Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019.
  10. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  11. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  12. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  13. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  14. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  15. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  16. Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.
  17. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  18. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  19. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  20. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  21. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  22. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  23. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  24. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  25. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  26. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  27. Mamedov, O., et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  28. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  29. Mercer, W., et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  30. Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.
  31. Dingledine, R., Mathewson, N., and Syverson, P. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.
  32. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  33. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  34. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  35. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  36. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
  37. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  38. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  39. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  40. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
  41. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  42. Belcher, P. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
  43. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  44. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  45. Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.
  46. Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.
  47. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.