During an Advanced Persistent Threat (APT) campaign, adversaries must maintain active connections with compromised systems. While the initial malware is crucial, establishing a Command and Control (C&C) infrastructure is essential for interacting with infected hosts. The C&C infrastructure allows attackers to upgrade malware, launch further attacks, and facilitate data exfiltration. Attackers aim to keep C&C operations stealthy, undetected by network monitoring systems, and resilient to takedowns.
Types of C&C Infrastructures
C&C infrastructure can vary in complexity based on the adversary’s tactics and resources. It can be as simple as a single server or as complex as a chain of servers, sometimes leveraging legitimate cloud infrastructures and techniques like steganography and covert communications. In some cases, C&C servers are established within the compromised network to minimize traces on the target’s egress network, making detection more difficult.
The sophistication of C&C infrastructure often reflects the resources and priorities of the APT group. Well-funded and skilled APT groups tend to use more sophisticated C&C setups to maintain stealth and longevity. Conversely, simpler infrastructures may indicate limited resources or lower campaign priority.
Command and Control Techniques
The primary concern for APT attackers is making communications between malware and the C&C server stealthy to avoid detection. Several techniques are employed to achieve this:
Spoofing Legitimate Domain Names
Attackers often use domain names that resemble legitimate services to blend malicious traffic with regular traffic. Examples include:
- nt-windows-update[.]com (Black Energy)
- microsoft-msdn[.]com (Black Energy)
- yahoodaily[.]com (APT1)
- smartclick[.]org (Stuxnet)
Hiding C&C Location
Dynamic DNS services like NoIP and DynDNS are used to provide anonymity, allowing attackers to re-point a domain name to a new IP address quickly if needed. Short TTL (Time to Live) values on the DNS records make such changes take effect almost immediately.
C&C via Proxies
APT groups often use intermediate servers (proxies) to increase stealth and availability of C&C servers. Tools like socat and netcat are used to redirect network traffic, making it harder to trace the C&C server’s actual location.
Covert Channels – HTTP/HTTPS
APT groups frequently use covert channels to mask communications. These channels are often encrypted and use common ports like 80 and 443, which are typically allowed for outgoing connections in secured environments. The traffic can be either well-formed HTTP or raw binary data on those ports, and it often passes through proxies to further obscure the C&C server’s location.
Covert Channels – DNS
DNS is another method used by APTs for covert channels. Attackers register malicious domains and use special software on their C&C server to embed commands in DNS response packets. Tools like dnscat2 can be used to encapsulate C&C messages within DNS queries.
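As an added example that is not part of the original article, the following Python script applies three of the signals described above to a constructed resolver log: brand tokens appearing on apex domains outside an assumed allowlist (the lookalike names from the Spoofing section), short TTLs (the dynamic DNS technique), and long, high-entropy subdomain labels of the kind DNS tunnelling produces. The allowlist, thresholds and log records are assumptions to be tuned per environment.

```python
import math
from collections import Counter

# Constructed sample resolver log as (queried name, answer TTL in seconds).
# Two names repeat the lookalike domains listed above; the rest are made up.
SAMPLE_DNS_LOG = [
    ("windowsupdate.microsoft.com", 3600),
    ("nt-windows-update.com", 60),
    ("mail.yahoodaily.com", 120),
    ("cdn.example.org", 86400),
    ("3f9a2c7e1b4d8f0a6c5e2d9b7a1f4c3e.tunnel.example.net", 30),
]

# Assumed allowlist of genuine apex domains and the brand tokens used to imitate them.
LEGIT_APEXES = {"microsoft.com", "yahoo.com"}
BRAND_TOKENS = ("windows", "microsoft", "msdn", "yahoo")
SHORT_TTL = 300     # seconds; fast re-pointing is typical of dynamic DNS C&C
LONG_LABEL = 30     # characters; data encoded into a subdomain label runs long
HIGH_ENTROPY = 3.5  # bits per character; hex or base32 payload labels score above this

def apex(name):
    """Last two labels of a name (enough for the .com/.org/.net samples here)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def shannon_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def assess(name, ttl):
    """Return the reasons (possibly none) a query resembles C&C activity."""
    reasons = []
    lowered = name.lower()
    if apex(name) not in LEGIT_APEXES and any(t in lowered for t in BRAND_TOKENS):
        reasons.append("brand token on non-allowlisted apex")
    if ttl <= SHORT_TTL:
        reasons.append(f"short TTL ({ttl}s)")
    first = lowered.split(".")[0]
    if len(first) >= LONG_LABEL and shannon_entropy(first) >= HIGH_ENTROPY:
        reasons.append("long high-entropy label (possible DNS tunnel)")
    return reasons

def flag_suspicious(records):
    """Map each suspicious name to its reasons; names with none are omitted."""
    return {name: r for name, ttl in records if (r := assess(name, ttl))}

if __name__ == "__main__":
    for name, reasons in flag_suspicious(SAMPLE_DNS_LOG).items():
        print(name, "->", "; ".join(reasons))
```

Each signal alone produces false positives (CDNs also use short TTLs), so in practice the reasons are scored together rather than alerted on individually.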
Example of C&C Communication
An example of C&C communication involves a Metasploit HTTP agent establishing a connection over which commands are passed interactively or semi-interactively. Commands and results are transferred through the established channel, with communications often encrypted at both the transport (SSL/TLS) and application levels.
Covert Channel – Email
Attackers can use email servers as C&C channels. A pre-configured email account is used to submit commands, and the infected machine checks this account for new tasks, executing commands and returning results via email.
Example of Gmail C&C
Using a tool like gdog, attackers can use Gmail for C&C infrastructure. The infected host sends an initial check-in email with basic information and a unique identifier. Commands are then sent from the attacker’s computer, and responses are received as emails, with all transmitted information encrypted for security.
Conclusion
The C&C infrastructure is a critical component of APT campaigns, enabling efficient control of infected machines and execution of malicious activities. The implementation varies based on the APT group and campaign specifics, often combining multiple techniques to evade detection and maintain control.