Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.
The most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the
Proxy API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.
Exobot can open a SOCKS proxy connection through the compromised device.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|ID||Data Source||Data Component|
|DS0029||Network Traffic||Network Traffic Flow|
Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.