T1481.001 Dead Drop Resolver
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).
| Item | Value |
|---|---|
| ID | T1481.001 |
| Sub-techniques | T1481.001, T1481.002, T1481.003 |
| Tactics | TA0037 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 06 April 2022 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0310 | ANDROIDOS_ANSERVER.A | ANDROIDOS_ANSERVER.A uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.4 |
| S0422 | Anubis | Anubis can retrieve the C2 address from Twitter and Telegram.32 |
| S0539 | Red Alert 2.0 | Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.5 |
| S0318 | XLoader for Android | XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.1 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | Network Communication |
References
-
Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020. ↩
-
K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021. ↩
-
M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020. ↩
-
Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017. ↩
-
J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020. ↩