Web Service

Technique
ID: T1102
Tactic: Command and Control, Defense Evasion
Platform: Linux, Windows, macOS
Permissions Required: User
Data Sources: Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Requires Network: Yes
Defense Bypassed: Binary Analysis, Log analysis, Firewall
Contributors: Anastasios Pingios

Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.

These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

Examples

  • APT37 malware has used AOL Instant Messenger as well as pCloud and Dropbox APIs for C2.[1]
  • BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads.[2]
  • Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.[3]
  • Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.[4]
  • Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[5]
  • Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.[6]
  • RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names.[7]
  • BADNEWS can use multiple C2 channels, including RSS feeds, Github, forums, and blogs.[8] BADNEWS also collects C2 information via a dead drop resolver.[9]
  • BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server. It has also obfuscated its C2 traffic as normal traffic to sites such as Github.[10][4]
  • The CALENDAR malware communicates through the use of events in Google Calendar.[11]
  • One variant of CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data with its operators.[12]
  • CozyCar uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file.[13]
  • is capable of leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex for C2.[1]
  • GLOOXMAIL communicates to servers operated by Google using the Jabber/XMPP protocol.[14][15]
  • The "tDiscoverer" variant of HAMMERTOSS establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day.[16]
  • can use public cloud-based storage providers for command and control.[1]
  • LOWBALL uses the Dropbox cloud storage service for command and control.[17]
  • Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.[12][18]
  • OnionDuke uses Twitter as a backup C2 method. It also has a module designed to post messages to the Russian VKontakte social media site.[12]
  • Orz has used Technet and Pastebin web pages for command and control.[19]
  • POORAIM has used AOL Instant Messenger for C2.[1]
  • PlugX uses Pastebin to store its real C2 addresses.[20]
  • SLOWDRIFT uses cloud-based services for C2.[1]

Mitigation

Firewalls and Web proxies can be used to enforce external network communication policy. It may be difficult for an organization to block particular services because so many of them are commonly used during the course of business.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol or encoded commands used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[21]

Detection

Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[21]
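As an added illustration of the detection guidance above (example code, not part of the ATT&CK page), this Python script aggregates constructed per-process flow records and flags the two signals the paragraph describes: an unexpected process reaching a web service, and a client sending far more data than it receives. The process baseline, thresholds and all record values are assumptions.

```python
# Added example: correlate host flow records with the owning process and
# flag unexpected processes and upload-heavy flows to public web services.
from collections import defaultdict

# Constructed records: (host, process, destination, bytes_sent, bytes_received)
FLOWS = [
    ("ws01", "chrome.exe",  "api.twitter.com",     12_000,   480_000),
    ("ws01", "chrome.exe",  "github.com",           8_000, 2_100_000),
    ("ws02", "svchost.exe", "api.dropbox.com",  9_600_000,    35_000),
    ("ws02", "chrome.exe",  "drive.google.com",    40_000,   900_000),
    ("ws03", "updater.exe", "pastebin.com",         1_200,     4_900),
    ("ws03", "updater.exe", "pastebin.com",         1_100,     5_100),
]

# Assumed baseline of processes expected to talk to public web services
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe"}


def aggregate(flows):
    """Sum bytes and count connections per (host, process, destination)."""
    totals = defaultdict(lambda: [0, 0, 0])  # [bytes_sent, bytes_received, connections]
    for host, proc, dst, sent, recv in flows:
        entry = totals[(host, proc, dst)]
        entry[0] += sent
        entry[1] += recv
        entry[2] += 1
    return dict(totals)


def find_suspicious(flows, upload_ratio=5.0, min_upload=1_000_000):
    """Return (host, process, destination, reasons) tuples worth triage.

    A flow is reported when its process is outside the expected baseline, or
    when the client sent at least min_upload bytes and upload_ratio times
    more than it received (the shape of exfiltration over a storage API).
    """
    findings = []
    for (host, proc, dst), (sent, recv, count) in aggregate(flows).items():
        reasons = []
        if proc not in EXPECTED_PROCESSES:
            reasons.append(f"unexpected process ({count} connections)")
        ratio = sent / max(recv, 1)
        if sent >= min_upload and ratio >= upload_ratio:
            reasons.append(f"upload-heavy ({ratio:.0f}x more sent than received)")
        if reasons:
            findings.append((host, proc, dst, reasons))
    return findings


if __name__ == "__main__":
    for host, proc, dst, reasons in find_suspicious(FLOWS):
        print(f"{host} {proc} -> {dst}: {'; '.join(reasons)}")
```

Both signals need tuning against the organization's own baseline: a browser or sync client legitimately uploading a large backup will trip the ratio check, which is why the process name is reported alongside it.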
