Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

ID: T1646
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Exfiltration
Platforms: Android, iOS
MTC ID: APP-29
Version: 1.1
Created: 01 April 2022
Last Modified: 14 August 2023

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu can send large amounts of device data over its C2 channel, including the device’s manufacturer, model, version and serial number, telephone number, and IP address.[1]

S1079 BOULDSPY

BOULDSPY has exfiltrated cached data from infected devices.[2]

S1083 Chameleon

Chameleon can send stolen data over HTTP.[3]

S1054 Drinik

Drinik can send stolen data back to the C2 server.[4]

S0507 eSurv

eSurv has exfiltrated data using HTTP PUT requests.[5]

S1080 Fakecalls

Fakecalls can send exfiltrated data back to the C2 server.[6]

S1067 FluBot

FluBot can send contact lists to its C2 server.[7]

S1093 FlyTrap

FlyTrap can use HTTP to exfiltrate data to the C2 server.[8]

S0551 GoldenEagle

GoldenEagle has exfiltrated data via both SMTP and HTTP.[9]

S0421 GolfSpy

GolfSpy exfiltrates data using HTTP POST requests.[10]

S1077 Hornbill

Hornbill can exfiltrate data back to the C2 server using HTTP.[11]

C0016 Operation Dust Storm

During Operation Dust Storm, the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.[12]

S0399 Pallas

Pallas exfiltrates data using HTTP.[13]

S0326 RedDrop

RedDrop uses standard HTTP for exfiltration.[14]

S1055 SharkBot

SharkBot can exfiltrate captured user credentials and event logs back to the C2 server.[15]

S1082 Sunbird

Sunbird can exfiltrate compressed ZIP files containing gathered info to C2 infrastructure.[11]

S0424 Triada

Triada utilized HTTP to exfiltrate data through POST requests to the command and control server.[16]

S0418 ViceLeaker

ViceLeaker exfiltrates data over HTTP.[17][18]

S0490 XLoader for iOS

XLoader for iOS has exfiltrated data using HTTP requests.[19]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Exfiltration Over C2 Channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
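The description at the top of this page notes that stolen data rides the same protocol as the C2 traffic, and the Detection section says this is hard to spot in isolation. One heuristic a practitioner can still run over gateway or proxy logs is to look for a destination that first receives small, periodic uploads (a beacon) and then absorbs a large outbound volume, the pattern behind the HTTP POST/PUT and ZIP procedures listed above. The following is an added example for this page, not tooling from MITRE or from any of the vendors cited; the log schema, field names, hostnames, byte counts and thresholds are constructed assumptions and would need to be mapped onto a real proxy or MDM log format.

```python
"""Upload-volume heuristic for exfiltration over an existing C2 channel.

Added example, not part of the ATT&CK page or any vendor product. Assumes a
forward proxy log with one JSON object per line using the fields shown in
SAMPLE_LOG below. Those field names are assumptions, not a real schema.
"""
import json
from collections import defaultdict

# Constructed sample of one mobile device's traffic as seen by a proxy.
# Most records are ordinary browsing. The "api.example-cdn.test" records model
# a beacon (small POST every five minutes) that is later reused to push ZIPs.
SAMPLE_LOG = """\
{"ts":"2023-08-14T09:00:01Z","src":"10.20.0.15","host":"mail.example.com","method":"GET","bytes_out":512,"bytes_in":42000,"content_type":""}
{"ts":"2023-08-14T09:00:05Z","src":"10.20.0.15","host":"api.example-cdn.test","method":"POST","bytes_out":310,"bytes_in":200,"content_type":"application/json"}
{"ts":"2023-08-14T09:05:05Z","src":"10.20.0.15","host":"api.example-cdn.test","method":"POST","bytes_out":298,"bytes_in":200,"content_type":"application/json"}
{"ts":"2023-08-14T09:06:30Z","src":"10.20.0.15","host":"www.example.org","method":"GET","bytes_out":800,"bytes_in":150000,"content_type":""}
{"ts":"2023-08-14T09:10:05Z","src":"10.20.0.15","host":"api.example-cdn.test","method":"POST","bytes_out":2400000,"bytes_in":180,"content_type":"application/zip"}
{"ts":"2023-08-14T09:15:05Z","src":"10.20.0.15","host":"api.example-cdn.test","method":"POST","bytes_out":1900000,"bytes_in":180,"content_type":"application/zip"}
{"ts":"2023-08-14T09:20:00Z","src":"10.20.0.15","host":"photos.example.com","method":"PUT","bytes_out":3000000,"bytes_in":500,"content_type":"image/jpeg"}
"""

UPLOAD_METHODS = {"POST", "PUT"}
MIN_UPLOAD_BYTES = 1_000_000   # total bytes sent to one host before it is interesting
MIN_OUT_IN_RATIO = 5.0         # uploads dwarf downloads (beacons are symmetric, exfil is not)
BEACON_MAX_BYTES = 1024        # an upload this small is treated as a check-in, not a payload
ARCHIVE_TYPES = {"application/zip", "application/x-7z-compressed", "application/gzip"}


def parse_log(text):
    """One JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def per_host_stats(records):
    """Aggregate per (src, host): bytes in/out, upload counts, archive and beacon-sized uploads."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "uploads": 0, "archives": 0, "small_uploads": 0})
    for r in records:
        s = stats[(r["src"], r["host"])]
        s["out"] += r["bytes_out"]
        s["in"] += r["bytes_in"]
        if r["method"] in UPLOAD_METHODS:
            s["uploads"] += 1
            if r["content_type"] in ARCHIVE_TYPES:
                s["archives"] += 1
            if r["bytes_out"] < BEACON_MAX_BYTES:
                s["small_uploads"] += 1
    return stats


def flag_exfil(records):
    """Return [((src, host), stats)] for destinations that look like a beacon reused for bulk upload.

    A host is flagged when it has absorbed a large, upload-dominated volume AND
    either (a) also received at least two beacon-sized uploads, i.e. the same
    channel was used for check-ins first, or (b) the uploads were archives.
    A plain large upload with neither trait (the photo sync above) is ignored.
    """
    flagged = []
    for key, s in per_host_stats(records).items():
        ratio = s["out"] / max(s["in"], 1)
        bulk = s["out"] >= MIN_UPLOAD_BYTES and ratio >= MIN_OUT_IN_RATIO
        beaconing = s["small_uploads"] >= 2
        if bulk and (beaconing or s["archives"] > 0):
            flagged.append((key, s))
    return flagged


if __name__ == "__main__":
    for (src, host), s in flag_exfil(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {host}: {s['out']} bytes out, {s['in']} in, "
              f"{s['small_uploads']} beacon-sized uploads, {s['archives']} archive uploads")
```

Run against the constructed log, only the beacon host is reported; the mail, web and photo-upload destinations are not. The thresholds and the content-type check are deliberately crude: an implant that uploads stolen data as `image/jpeg` in small chunks would slip past the archive test, so in practice the beacon-then-bulk ratio, tuned per device population and paired with the earlier-stage detections this page recommends, carries more weight than any single MIME type.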

References

  1. P. Shunk, K. Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
  2. K. Schmittle, A. Islamoglu, P. Shunk, J. Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
  3. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  4. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.
  5. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.
  6. I. Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.
  7. C. Giering, F. Naves, A. Conway, A. McNeil. (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
  8. A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. Retrieved September 28, 2023.
  9. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  10. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign 'Bouncing Golf' Affects Middle East. Retrieved January 27, 2020.