Today we will take a look at the command and control infrastructure (C2) used by cybercriminals to control infected devices and steal confidential data during a cyberattack.
A successful cyberattack is not just an intrusion into the system of an unsuspecting organization. To get real benefit, an attacker must keep the virus running in the target environment at all times, exchange data with infected or compromised devices on the network, and potentially extract confidential data. All of these tasks require a robust command and control infrastructure, or C2. What is C2? In this post, we will answer that question and see how attackers use covert communication channels to carry out sophisticated attacks. We'll also look at how to detect and defend against C2 attacks.
What is C2?
Command and control infrastructure, also known as C2, or C&C, is a collection of tools and techniques that attackers use to communicate with compromised devices after an initial intrusion. The specific attack mechanisms are very different from each other, but usually C2 involves one or more covert communication channels between devices in the attacked organization and the platform controlled by the attacker. These communication channels are used to send instructions to compromised devices, download additional malicious data, and transfer stolen data to an attacker.
There are different forms of C2. At the time of this writing, the MITER ATT & CK database has 16 different command and control methods , each of which has a number of techniques that have been noted in reviews of successfully completed cyberattacks. A common strategy is to mix with other types of legitimate traffic such as HTTP / HTTPS or DNS. Attackers can take other actions to mask their callbacks from the C&C, for example by using encryption or non-standard data encoding types.
Management and control platforms can be completely personalized or standard. Cybercriminals and pentesters use popular platforms such as Cobalt Strike, Covenant, Powershell Empire, and Armitage.
A number of other terms are often heard in the context of C2 or C&C, as listed below.
"Zombie"
A “zombie” is a computer or other type of connected device that is infected with malware and can be remotely controlled by an attacker without the knowledge or consent of the legitimate owner. While some viruses, Trojans, and other malware perform specific actions after infecting a device, the primary goal of many other types of malware is to pave the way for the attacker's C2 infrastructure. The systems of these "zombie" machines can then be hijacked to perform a variety of tasks, from sending out spam e-mails to participating in large-scale DDoS attacks.
Botnet
A botnet is a network of zombie machines used for a common purpose. Botnets can target anything from mining cryptocurrencies to disabling a website using a DDoS attack. Botnets are usually bundled together in a single C2 infrastructure. Also, hackers often sell botnet access to other cybercriminals as an "attack as a service".
Beaconing
Beaconing is the process by which an infected device issues a challenge to the attacker's C2 infrastructure to verify instructions or additional data, often at regular intervals. To avoid detection, some types of malware transmit a signal at random intervals, or may be inactive for a certain period before sending a challenge to their infrastructure.
What can hackers achieve with C2?
Most organizations have sufficient perimeter security to make it difficult for an attacker to initiate a connection from the outside world to the organization's network without being detected. However, outgoing data is often not subject to strict controls and restrictions. This allows malware injected through another channel, such as a phishing email or a compromised website, to establish an outbound communication channel. Using it, a hacker can perform additional actions, for example:
"Horizontal movement" within the victim's organization
Once an attacker has an initial foothold, they typically seek to move horizontally throughout the organization, using their C2 channels to gain information about vulnerable and / or misconfigured hosts. The first machine that is compromised may not be of any value to the attacker, but it serves as a launching pad for access to more important parts of the network. This process can be repeated multiple times until an attacker gains access to a meaningful target, such as a file server or domain controller.
Multi-stage attacks
The most sophisticated cyberattacks are multi-stage. Often, the initial infection is a “dropper” or downloader that communicates with the C2 management infrastructure and downloads additional malicious data. This modular architecture allows an attacker to carry out wide-ranging and narrowly targeted attacks. A dropper can infect thousands of organizations, allowing an attacker to act selectively and create their own second-tier malware to target the most attractive targets. This model also allows the creation of an entire decentralized cybercrime industry. The group that carried out the initial invasion could sell access to the main target (for example, a bank or hospital) to other cybercriminals.
Data exfiltration
C2 channels are often bidirectional, which means an attacker can download or extract (“exfiltrate”) data from the target environment. Increasingly, data theft acts as an additional tool for making claims to the victim; even if an organization can recover data from backups, attackers threaten to reveal stolen and potentially damaging information.
Other users
As noted above, botnets are often used for DDoS attacks on websites and other services. Instructions as to which sites to attack are delivered through C2. Other types of instructions can also be passed through C2. For example, large-scale cryptocurrency mining botnets have been identified . In addition, even more exotic uses of C2 commands are theoretically possible, for example, to disrupt elections or manipulate energy markets .
Models C2
While there are many C2 implementations, the architecture between malware and the C2 platform typically follows one of the following models:
Centralized model
The centralized management and control model is almost identical to standard client-server communications. The malware "client" sends a signal to the C2 server and checks the instructions. In practice, an attacker's server infrastructure is often much more complex and can include redirectors, load balancers, and detection tools for threat hunters and law enforcement officials. Public cloud services and Content Delivery Networks (CDNs) are often used to host or mask C2 activity. Also, hackers regularly break into legitimate websites and use them to host command and control servers without the owner's knowledge.
C2 activity is often detected fairly quickly; domains and servers associated with the attack can be deleted within a few hours after their first use. To counter this, modern malware often contains a whole list of different C2 servers to try to contact. The most sophisticated attacks use additional layers of obfuscation. It was recorded that the malware retrieves a list of C2 servers by GPS coordinates associated with photos , as well as from Instagram comments .
Peer-to-peer model (P2P)
In the P2P C&C model, instructions are delivered in a decentralized manner; the botnet participants exchange messages with each other. Some of the bots can still function as servers, but without a central or "master" site. The operation of such a model is much more difficult to influence than a centralized model, but at the same time it is more difficult for an attacker to communicate instructions to the entire botnet. P2P networks are sometimes used as a backup mechanism in case of failure of the main C2 link.
External Controlled Random Channel Model
A number of unusual methods have been fixed for transmitting instructions to infected hosts. Hackers use social media platforms extensively as unconventional C2 platforms as they are rarely blocked. A project called Twittor is building a full-featured management and control platform using Twitter private messages. There are also reported hackers sending C&C messages to compromised hosts via Gmail, IRC chats, and even Pinterest. In addition, in theory, the command and control infrastructure can be completely random. This means that an attacker scans large sections of the Internet in the hope of finding an infected host.
C2 traffic detection and blocking
C2 traffic is extremely difficult to detect because attackers go to great lengths to avoid being noticed. However, there are tremendous opportunities on the defense side, because by disrupting the work of C2, you can prevent more serious incidents. Many large-scale cyberattacks were detected when researchers noticed C2 activity. Here are some common ways to detect and block management and control traffic on your network:
Monitoring and filtering outgoing traffic
Many organizations pay little attention to the traffic originating from their network, focusing solely on the inbound threats. This vulnerability makes it easier for an attacker to manage and control. Carefully designed outbound firewall rules will make it difficult for fraudsters to open covert communication channels. For example, limiting outbound DNS queries to only organization-controlled servers can reduce the threat of DNS tunneling . You can use proxy servers to check outgoing web traffic, but you must always configure SSL / TLS inspection because hackers also use encryption. DNS filtering services can help prevent callbacks from C2 to suspicious or newly registered domains.
Watch out for the lighthouses
Beacons can be an indicator of the presence of command and control on your network, but they are often difficult to spot. Most IDS / IPS solutions identify beacons associated with off-the-shelf frameworks like Metasploit and Cobalt Strike, but attackers can easily change their settings to make them much more difficult to detect. For deeper network traffic analysis (NTA), you can use a tool like RITA . In some cases, threat teams go so far as to manually check packet dumps using Wireshark , tcpdump, and similar tools.
Keep logs and check
Maintaining log files from as many sources as possible is vital to looking for signs of command and control traffic. Often a very deep analysis is required to distinguish C2 traffic from legitimate applications. Security analysts may need to look for unusual patterns, check the payload of seemingly harmless HTTPS or DNS requests, and perform other types of statistical analysis. The more information an analyst or threat hunter uses, the better.
Compare data from different sources
The general essence of a command and control infrastructure is to perform certain actions, such as accessing important files or infecting a large number of hosts. Hunting for C&C based on data analysis and network parameters increases the likelihood of detecting well-disguised cyber attacks. This is exactly the approach that Varonis Edge uses , providing maximum transparency to identify internal threats and targeted attacks.
Conclusion
The command and control infrastructure provides good opportunities for defenders. Blocking C&C traffic or “stripping” an attacker's C2 infrastructure can stop a cyberattack. Addressing C2 should be part of an overall information security strategy that includes best cyber hygiene practices, security training for staff, and well-designed policies and procedures. All of this is critical to reducing threats from the command and control infrastructure.