Skip to content

T1071.002 File Transfer Protocols

Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

Item Value
ID T1071.002
Sub-techniques T1071.001, T1071.002, T1071.003, T1071.004
Tactics TA0011
Platforms Linux, Windows, macOS
Version 1.0
Created 15 March 2020
Last Modified 21 August 2020

Procedure Examples

ID Name Description
G0096 APT41 APT41 used exploit payloads that initiate download via ftp.17
S0438 Attor Attor has used FTP protocol for C2 communication.6
S0465 CARROTBALL CARROTBALL has the ability to use FTP in C2 communications.3
S0201 JPIN JPIN can communicate over FTP.5
S0265 Kazuar Kazuar uses FTP and FTPS to communicate with the C2 server.11
G0094 Kimsuky Kimsuky has used FTP to download additional malware to the target machine.18
S0409 Machete Machete uses FTP for Command & Control.121314
S0699 Mythic Mythic supports SMB-based peer-to-peer C2 profiles.2
S0353 NOKKI NOKKI has used FTP for C2 communications.9
C0006 Operation Honeybee During Operation Honeybee, the threat actors had the ability to use FTP for C2.19
S0428 PoetRAT PoetRAT has used FTP for C2 communications.4
S0596 ShadowPad ShadowPad has used FTP for C2 communications.8
G0083 SilverTerrier SilverTerrier uses FTP for C2 communications.16
S0464 SYSCON SYSCON has the ability to use FTP in C2 communications.153
S0161 XAgentOSX XAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system.10
S0412 ZxShell ZxShell has used FTP for C2 connections.7

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Traffic Content

References


  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  2. Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022. 

  3. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020. 

  4. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. 

  5. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  6. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  7. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  8. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. 

  9. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. 

  10. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017. 

  11. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  12. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  13. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  14. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  15. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020. 

  16. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018. 

  17. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  18. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020. 

  19. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.