The Evolution of C2 Communication: Custom TCP Protocols

Introduction

Command-and-control (C2, C&C, or CNC) servers are used to remotely control, manage, and communicate with compromised systems inside a network. They allow attackers to execute commands, exfiltrate and/or encrypt data for ransom, and coordinate other malicious actions. Without C2 communication, the effectiveness and reach of malware are significantly hindered, if not eliminated altogether. According to some industry estimates, 60% to 70% of malware variants rely on C2 servers for communication. This statistic alone should give us an idea of how critical it is for security teams, and their tools, to be able to block and hunt for C2 traffic.

HTTP and HTTPS have traditionally been the go-to protocols for C2 communications over TCP because almost all organizations rely on web traffic for legitimate purposes. The fact that HTTP/S traffic typically uses common ports (80 for HTTP and 443 for HTTPS), which are usually permitted through firewalls, increases the chances of bypassing perimeter security.

Increasingly sophisticated detection methods are helping us identify well-known C2 communication methods more easily. Unsurprisingly, attackers have adapted in response to our advances. Some of the tools in their updated arsenal include impersonating legitimate protocols, as well as using custom protocols, non-standard protocol/port pairings, and non-application-layer protocols. One such technique our Malware Patrol team has seen is the move toward non-HTTP/S communication over TCP.

In this blog post, we focus specifically on this trend as seen in our data, exploring the implications for threat detection and response and offering mitigation strategies. For more general information about C2s, take a look at our earlier blog post and MITRE ATT&CK's Command and Control tactic page.

Command-and-Control Channels: Many, Many TCP Options

Attackers' ingenuity has produced an impressive variety of C2 communication tactics. Their use varies depending on the capabilities of the malware being deployed, as well as the sophistication of the threat actor, their specific goals, the environment they are targeting, and the need to avoid detection.

Below is an overview of the most common methods used to establish C2 channels. Wherever applicable, we have included details about how TCP may be used to facilitate the communication.

Most Used Protocols

  1. HTTP/HTTPS:
    • HTTP/HTTPS are among the most common protocols used by C2 servers.
    • HTTPS adds encryption, making it harder to detect malicious activity without decryption and deep packet inspection.
    • TCP-related: HTTP/HTTPS traffic is transmitted over the Transmission Control Protocol (TCP), which ensures reliable delivery of data packets between the client (infected host) and the server (C2 server). TCP's connection-oriented nature allows for proper sequencing of the communication stream, making it suitable for C2 communications that require reliable data transmission.
  2. DNS:
    • DNS (Domain Name System) is often used for C2 communication because DNS queries and responses are usually allowed through firewalls and proxies. Threat actors can encode commands and data in DNS queries or responses, using techniques such as DNS tunneling.
    • TCP-related: While DNS queries typically use UDP (User Datagram Protocol) port 53 for fast, stateless exchanges, DNS can also operate over TCP, particularly for larger queries and zone transfers. When DNS over TCP is used for C2 communication, it benefits from TCP's reliability but may be easier to detect because DNS over TCP is less common.
  3. IRC (Internet Relay Chat):
    • Although less common now, IRC was historically popular for C2 communication, especially with early botnets. IRC's simplicity and ease of use made it a popular choice, but its predictable traffic patterns have led to a decline in its use as defenders became more proficient at detecting it.
    • TCP-related: IRC operates over TCP port 6667, providing a reliable connection for the C2 server to send and receive commands and data. The TCP connection ensures that messages are delivered in order, which is important for maintaining the session's integrity during the C2 communication.
  4. FTP (File Transfer Protocol):
    • FTP is sometimes used to establish a C2 channel, especially in older or less sophisticated malware. It is often employed for uploading stolen data from the infected host to the C2 server.
    • TCP-related: FTP uses TCP for establishing connections and transferring data. It typically operates over TCP ports 20 and 21. The reliable data transfer that TCP provides is essential for the successful upload and download of files between the infected host and the C2 server.
  5. Email Protocols (SMTP/IMAP/POP3):
    • Email is used by some C2 frameworks, where commands are delivered via email messages, and the infected host sends its responses back via SMTP, IMAP, or POP3.
    • TCP-related: Email protocols such as SMTP, IMAP, and POP3 rely on TCP for reliable message delivery. TCP's connection-oriented nature ensures that email messages, including those carrying C2 commands, are transmitted reliably and in order.

Additional Communication Methods

  1. Social Media Platforms:
    • C2 traffic has been observed over social media platforms like Twitter, Facebook, and LinkedIn. Malware can embed commands in social media posts, hashtags, or comments, and the infected host can check these posts for instructions.
  2. Steganography:
    • Steganography involves hiding commands or data within images, videos, or other files, which are then transferred via standard protocols (like HTTP or HTTPS). This method makes detection significantly harder because the payload is hidden within legitimate-looking content.
  3. Peer-to-Peer (P2P) Networks:
    • P2P networks allow infected hosts to communicate with each other or with the C2 server without relying on a centralized server. This decentralization makes takedown efforts more complex and leaves no single point of failure.
    • TCP-related: P2P networks often rely on TCP to establish communication channels between nodes. TCP's error-checking and flow control are useful for maintaining stable connections in a decentralized P2P C2 infrastructure.
  4. Tor and Other Anonymity Networks:
    • Tor and similar anonymity networks provide a layer of obfuscation for C2 traffic, making it harder to trace the source or destination of the communication.
    • TCP-related: Tor operates over TCP, providing a reliable and encrypted communication channel that obfuscates the source and destination of the C2 traffic. TCP's role is crucial in ensuring the integrity of hidden service connections across the Tor network.
  5. Cloud Services:
    • Cloud services like Google Drive, Dropbox, and other legitimate file-sharing services have been exploited for C2 purposes. Commands and exfiltrated data can be stored or transferred through these services, blending in with normal, legitimate use.
  6. Custom Protocols:
    • Advanced threat actors often develop custom protocols specifically designed for their malware. These protocols can be tailored to evade detection by traditional security tools and often use encryption or obfuscation techniques to further complicate analysis.
    • TCP-related: Some custom protocols developed by advanced threat actors may be built on top of TCP to leverage its reliability and connection-oriented features. This allows for stable and dependable C2 communication while evading detection by traditional security tools.
  7. Beaconing:
    • Beaconing is a technique where an infected system periodically sends out signals (often very short and difficult to detect) to a C2 server to check in and await further instructions. These beacons can be transmitted via common protocols like HTTP/HTTPS, DNS, or even custom protocols.
    • TCP-related: Beaconing often uses TCP-based protocols like HTTP/HTTPS or DNS over TCP to ensure that the short, periodic signals sent by the infected system reach the C2 server reliably, despite their low visibility.

Emerging Trends in C2 Infrastructure

Emerging trends include the use of cloud-based serverless architectures by attackers for C2 infrastructure. This approach improves scalability and complicates the attribution of attacks to specific threat actors. Additionally, some advanced threat groups are experimenting with blockchain technology for C2 communication. Because of its decentralized nature, it helps attackers achieve greater resilience and anonymity.

The Shift to TCP

The use of TCP for C2 communications is driven by several factors. It is often chosen because of its lower visibility and detection risk. Attackers exploit TCP's flexibility to create custom protocols or to mimic benign services like SSH or FTP, making it harder for traditional security mechanisms to detect malicious activity. Additionally, using raw TCP helps attackers bypass web proxies that typically monitor HTTP/S traffic for suspicious domains or payloads. TCP also supports the implementation of custom, often encrypted, communication protocols, which further obfuscate the attackers' actions and complicate defenders' efforts to analyze and decode the traffic. And last but not least, TCP's inherent reliability, with error-checking and recovery features, ensures persistent and stable connections, even over unreliable networks.

Real World Examples

It is easy to speak in generalities about how to improve security, but seeing real-world examples brings a much better understanding. They offer specifics that can be applied to security efforts and tools. To this end, we gathered resources describing how some malware families make use of TCP, among other behaviors.

APT Groups

Several APT groups have been observed using TCP-based C2 communications. For example:

  1. APT29 (Cozy Bear)
    • Related Malware Families: WellMess, WellMail
    • C2 Communication: Both WellMess and WellMail are known to use custom TCP protocols to communicate with C2 servers. WellMess can use HTTP, HTTPS, and DNS for its C2 communication, and it supports mutual TLS (mTLS) for secure communications, which is atypical for many malware strains. The mTLS implementation requires both the server and the client to have certificates signed by the same Certificate Authority, making the traffic difficult to detect. Additionally, WellMail has been observed using TCP port 25 (typically associated with SMTP) for C2 communication even though it does not speak SMTP; this non-standard use of the port can help it evade detection.
  2. APT41 (Winnti Group)
    • Malware Family: ShadowPad
    • C2 Communication: ShadowPad is a modular backdoor employed by APT41 that uses custom TCP protocols for C2 communication. The malware can operate across multiple protocols, including TCP, HTTP, HTTPS, UDP, and DNS, allowing it to blend in with normal network traffic and evade detection. The flexibility and modularity of ShadowPad make it a potent tool in APT41's arsenal, enabling the group to perform operations such as data exfiltration and lateral movement within compromised networks.
  3. APT34 (OilRig)
    • Malware Family: Karkoff
    • C2 Communication: Karkoff, a backdoor used by APT34, employs custom TCP protocols to communicate with its C2 servers. The malware's use of these protocols, often paired with encryption, allows it to operate under the radar of many network-based detection systems, complicating efforts to intercept or analyze the C2 traffic.

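The WellMail case above, a listener on TCP port 25 that never speaks SMTP, is detectable as a port/protocol mismatch: the first bytes a server sends on a well-known port should look like that port's protocol. The following is an added example, not Malware Patrol's code and not taken from any of the analyses cited in this post. It checks captured server openings against the greeting each standard service is expected to send. The expected-opening table, the sample addresses and the reply bytes are constructed for the example.

```python
"""Port/protocol mismatch check for TCP listeners (added example, not
Malware Patrol's code). Input: records of the first bytes a server sent
back on a connection, as a network sensor or Zeek-style log would hold them."""

# Opening bytes each standard service is expected to send. For protocols
# where the client speaks first (HTTP, TLS) the field holds the server's
# first reply, which is still protocol-shaped, so the same check applies.
# This table is an assumption for the example; extend it with your own
# port conventions.
EXPECTED_OPENINGS = {
    21:  (b"220",),                 # FTP service ready
    22:  (b"SSH-",),                # SSH identification string
    25:  (b"220",),                 # SMTP service ready (the WellMail port)
    80:  (b"HTTP/",),               # HTTP status line
    110: (b"+OK",),                 # POP3 greeting
    143: (b"* OK", b"* PREAUTH"),   # IMAP greeting
    443: (b"\x16\x03",),            # TLS handshake record (ServerHello)
    587: (b"220",),                 # SMTP submission
}


def classify(port: int, server_bytes: bytes) -> str:
    """Return 'expected', 'mismatch', 'inconclusive' (nothing captured from
    the server) or 'unknown_port' (no expectation defined for that port)."""
    openings = EXPECTED_OPENINGS.get(port)
    if openings is None:
        return "unknown_port"
    if not server_bytes:
        return "inconclusive"
    return "expected" if server_bytes.startswith(openings) else "mismatch"


# Constructed sample records: (destination IP, destination port, first server bytes).
# Addresses are from the RFC 5737 documentation range, not real hosts.
SAMPLE_RECORDS = [
    ("198.51.100.40", 25, b"220 mx.example.test ESMTP ready\r\n"),
    ("198.51.100.41", 25, b"\x8a\x17\x00\x00\x01\x02\x9f"),   # binary, not SMTP
    ("198.51.100.42", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("198.51.100.43", 443, b"\x16\x03\x03\x00\x7a\x02"),
    ("198.51.100.44", 8443, b"\x16\x03\x03\x00\x7a\x02"),     # no expectation for 8443
    ("198.51.100.45", 80, b""),                                # nothing captured yet
]


def find_mismatches(records):
    """Return the (ip, port) pairs whose server bytes do not fit the port's protocol."""
    return [(ip, port) for ip, port, data in records if classify(port, data) == "mismatch"]


if __name__ == "__main__":
    for ip, port, data in SAMPLE_RECORDS:
        print(f"{ip}:{port} -> {classify(port, data)}")
    print("mismatches:", find_mismatches(SAMPLE_RECORDS))
```

A mismatch is a lead for an analyst, not a verdict: services legitimately wrapped in TLS on a port the table expects to be plaintext will show up here, so the table should reflect the organization's own port conventions before the check is used for alerting.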
Malware Analyses: A Deep Dive

The following linked articles each offer a thorough analysis of the malware, including its C2 communication.

DBatLoader
Gafgyt
NanoCore RAT
njRAT
QuasarRAT
Risepro
Socks5systemz
SystemBC
Tsunami (Muhstik)

What the Data Says

Malware Patrol has been offering a C2 server addresses data feed for well over a decade. This extended history gives us a unique and authoritative perspective on the landscape of C2 communications. For this post, we used our data from August 2024, as well as some historical data, to make observations about the current landscape.

TCP is by far the most prevalent protocol in use.

[Chart: C2 Protocol]

The most common ports are the following (the list appears in the Indicators of Compromise section at the end of this post):

To learn more about these ports, including the services and malware that use them, the resources provided by SANS ISC and SpeedGuide.net are very informative.

We regularly resolve DNS for command-and-control servers; the resulting IPs are used in our Malicious IPs feed. In August 2024, the following IPs were found to be hosting multiple (75+) C2s (the list appears in the Indicators of Compromise section at the end of this post):

For a 'big picture' view of C2 protocol trends, we looked at Malware Patrol's data from the last decade (charted below). This visual representation clearly shows the steadily increasing use of TCP, along with a decrease in the use of HTTP/S. UDP use remains minimal.


Breaking the data down further, we see that many of the most active and well-known malware families predominantly use TCP, with only a few exceptions.


For the following families, we have only TCP-based C2 server addresses as of August 2024:


Monitoring and Detecting TCP-Based C2 Communications

Detecting TCP-based C2 traffic requires some shifts in monitoring strategy – but first of all, and as always, the security fundamentals must be properly implemented. Then security teams must improve their visibility into network traffic and apply more sophisticated analysis techniques to identify potential threats. Here are some strategies to consider:

  1. Expand Network Traffic Monitoring: Ensure that all network traffic, not just HTTP/HTTPS, is subject to scrutiny. This includes monitoring for unusual activity on non-standard ports and paying attention to any TCP connections that do not align with normal network behavior.
  2. Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. By segmenting critical assets and enforcing strict access controls, you can reduce the impact of a compromised system establishing a TCP-based C2 channel.
  3. Strict Egress Filtering: Apply egress filtering on firewalls to restrict outbound traffic. Only allow necessary TCP connections and limit connections to known IP addresses and ports. This can prevent compromised systems from establishing C2 connections to external servers.
  4. Behavioral Analysis: Implement network behavioral analysis (NBA) tools to detect anomalies in TCP traffic. These tools can identify unusual patterns, such as long-duration TCP connections, unexpected data transfer volumes, or irregular communication intervals, which may indicate C2 activity.
  5. Deep Packet Inspection (DPI): Use DPI to examine the contents of TCP packets. Although attackers may use encryption or obfuscation, DPI can help identify suspicious payloads or metadata within TCP streams that deviate from known legitimate traffic.
  6. Endpoint Detection and Response (EDR): EDR solutions provide visibility into the processes and connections initiated on endpoints. Correlating endpoint activity with network traffic can help identify suspicious TCP connections originating from compromised devices.
  7. Anomaly Detection with Machine Learning: Machine learning-based anomaly detection systems can be trained to recognize deviations in TCP traffic. These systems learn what normal traffic looks like and flag communications that fall outside the expected parameters, such as unexpected ports or communication patterns.
  8. Threat Intelligence Integration: Incorporate threat intelligence feeds that provide indicators of compromise (IOCs) related to TCP-based C2 activity. These IOCs can include IP addresses, domains, and port numbers associated with known threat actors, helping to identify malicious connections.
  9. Deception Techniques: Deploy deception technologies such as honeypots and honeytokens to lure attackers into revealing their TCP-based C2 channels. These tools can provide valuable insight into attacker behavior and help identify the methods used to establish C2 connections.
  10. Advanced Threat Hunting: Engage in proactive threat hunting to identify and mitigate TCP-based C2 channels. Threat hunters can search for signs of TCP-based C2 communications by analyzing network logs, correlating endpoint activity, and using threat intelligence.
  11. Regular Security Audits: Conduct regular security audits to assess the effectiveness of your defenses against TCP-based threats. Audits should include testing your ability to detect and respond to TCP-based C2 communications, as well as reviewing network configurations and access controls.
  12. Employee Training and Awareness: Educate employees about the dangers of phishing and other social engineering tactics used to compromise systems. Many TCP-based C2 channels are established after an initial infection, often delivered via email or malicious websites. By raising awareness, you can reduce the likelihood of a successful compromise.

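The beaconing entry earlier in this post and strategies 1, 4 and 8 above (non-standard ports, behavioral analysis of connection duration and timing, threat-intelligence IoCs) can all be applied to ordinary connection logs. The block below is an added example, not Malware Patrol's own tooling: it runs those checks over constructed, Zeek-style connection records. The IoC IP and port lists are copied from this post's Indicators of Compromise section; the thresholds, the internal-network definition, the sample hosts and their timing are assumptions made up for the example.

```python
"""Connection-log checks for TCP-based C2 (added example, not Malware
Patrol's code). Each record is (timestamp, src_ip, dst_ip, dst_port,
duration_seconds, orig_bytes), the fields a Zeek conn.log also carries."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# IoCs copied from this post's Indicators of Compromise section (August 2024).
C2_IPS = {
    "3.64.4.198", "3.67.161.133", "3.125.188.168", "3.126.224.214",
    "18.158.58.205", "18.197.239.109", "18.229.146.63", "35.158.159.254",
    "154.248.27.182", "209.25.141.212",
}
C2_PORTS = {23, 2404, 4444, 7443, 8443, 8848, 8888, 31337, 50050, 60000}

# Thresholds and the internal ranges are assumptions; tune them to your baseline.
LONG_CONNECTION_SECONDS = 3600   # sessions held open for an hour or more
MIN_BEACON_CONNECTIONS = 6       # enough samples to judge regularity
MAX_JITTER_RATIO = 0.15          # pstdev/mean of inter-arrival gaps
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """True when the address is outside the internal ranges defined above."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_flows(flows):
    """Per-flow checks on outbound traffic: IoC IP, IoC port, long-lived session.
    Returns a list of (reason, flow) tuples; a flow may match several reasons."""
    hits = []
    for flow in flows:
        _ts, _src, dst, dport, duration, _orig_bytes = flow
        if not is_external(dst):
            continue
        if dst in C2_IPS:
            hits.append(("ioc_ip", flow))
        if dport in C2_PORTS:
            hits.append(("ioc_port", flow))
        if duration >= LONG_CONNECTION_SECONDS:
            hits.append(("long_connection", flow))
    return hits


def find_beacons(flows):
    """Group flows by (src, dst, dport) and flag groups whose inter-arrival gaps
    are nearly constant, the signature of a fixed-interval check-in.
    Returns {(src, dst, dport): mean_interval_seconds}."""
    groups = defaultdict(list)
    for ts, src, dst, dport, *_ in flows:
        groups[(src, dst, dport)].append(ts)
    beacons = {}
    for key, stamps in groups.items():
        if len(stamps) < MIN_BEACON_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER_RATIO:
            beacons[key] = avg
    return beacons


def summarize(flows):
    """Counts per reason plus the beaconing tuples, the shape an alert would carry."""
    counts = defaultdict(int)
    for reason, _flow in flag_flows(flows):
        counts[reason] += 1
    beacons = {f"{s}->{d}:{p}": avg for (s, d, p), avg in find_beacons(flows).items()}
    return {"reasons": dict(counts), "beacons": beacons}


# Constructed sample records. External addresses other than the listed IoC
# are from the RFC 5737 documentation range, not real hosts.
T0 = 1_722_470_400  # constructed epoch base (2024-08-01 00:00:00 UTC)
SAMPLE_FLOWS = (
    # Host A: check-ins every 300 s to a listed C2 IP on a listed port
    [(T0 + 300 * i, "10.0.0.5", "209.25.141.212", 4444, 1.2, 144) for i in range(6)]
    # Host B: ordinary HTTPS to an external address with irregular timing
    + [(T0 + g, "10.0.0.8", "198.51.100.10", 443, 2.0, 5120)
       for g in (10, 210, 255, 1155, 1185, 1300)]
    # Host C: one session held open for 90 minutes on port 443
    + [(T0 + 50, "10.0.0.7", "198.51.100.23", 443, 5400.0, 20480)]
    # Host D: internal traffic on a listed port, ignored by the outbound checks
    + [(T0 + 60, "10.0.0.9", "10.0.0.2", 4444, 3.0, 64)]
)

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

Run stand-alone, the script reports six IoC-IP and six IoC-port hits for host A, one long connection for host C, and host A's 300-second beacon; host B's irregular HTTPS sessions and host D's internal traffic produce nothing. In production the record tuples would come from the conn log and the IoC sets from the threat-intelligence feed rather than literals.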

Conclusion

Ultimately, the key to mitigating the risk posed by TCP-based C2 communications – or any threat – lies in continuous vigilance, adaptability, and a commitment to staying informed about the latest developments in the threat landscape. As C2 communication tactics continue to evolve, organizations that are proactive in their approach to cybersecurity will be best positioned to detect, respond to, and prevent these emerging threats.


Indicators of Compromise

Frequently Seen C2 Server IPs – August 2024

3.64.4.198
3.67.161.133
3.125.188.168
3.126.224.214
18.158.58.205
18.197.239.109
18.229.146.63
35.158.159.254
154.248.27.182
209.25.141.212

Most Common C2 Communication Ports – August 2024

23
2404
4444
7443
8443
8848
8888
31337
50050
60000
