Uncommonly Used Port
|Uncommonly Used Port|
|Tactic||Command and Control|
|Platform||Linux, macOS, Windows|
|Data Sources||Netflow/Enclave netflow, Process use of network, Process monitoring|
Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.
- An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81.1
- Group5 C2 servers communicated with malware over TCP 8081, 8282, and 8083.2
- Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others.3
- Magic Hound malware has communicated with its C2 server over ports 4443 and 3543.4
- opens a backdoor on TCP ports 6868 and 7777.5
- MobileOrder communicates with its C2 server over TCP port 3728.6
- POWERSTATS has used ports 8060 and 8888 for C2.7
- RedLeaves can use port 995 for C2.8
- A Remsec module has a default C2 port of 13000.9
- Volgmer has communicated to its C2 server over port 8088.10
Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports.
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.11
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.11
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.