T1573.002 Asymmetric Cryptography
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as Asymmetric Cryptography.
Item | Value |
---|---|
ID | T1573.002 |
Sub-techniques | T1573.001, T1573.002 |
Tactics | TA0011 |
Platforms | Linux, Windows, macOS |
Version | 1.0 |
Created | 16 March 2020 |
Last Modified | 20 April 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0202 | adbupd | adbupd contains a copy of the OpenSSL library to encrypt C2 traffic.53 |
S0045 | ADVSTORESHELL | A variant of ADVSTORESHELL encrypts some C2 with RSA.51 |
S0438 | Attor | Attor‘s Blowfish key is encrypted with a public RSA key.29 |
S0534 | Bazar | Bazar can use TLS in C2 communications.41 |
S0017 | BISCUIT | BISCUIT uses SSL for encrypting C2 communications.44 |
C0021 | C0021 | During C0021, the threat actors used SSL via TCP port 443 for C2 communications.76 |
S0335 | Carbon | Carbon has used RSA encryption for C2 communications.50 |
S0023 | CHOPSTICK | CHOPSTICK encrypts C2 communications with TLS.40 |
G0080 | Cobalt Group | Cobalt Group has used the Plink utility to create SSH tunnels.73 |
S0154 | Cobalt Strike | Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server.16 |
S0126 | ComRAT | ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.3839 |
S0687 | Cyclops Blink | Cyclops Blink can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.43 |
S0673 | DarkWatchman | DarkWatchman can use TLS to encrypt its C2 channel.21 |
S0600 | Doki | Doki has used the embedTLS library for network communications.46 |
S0384 | Dridex | Dridex has encrypted traffic with RSA.22 |
S0367 | Emotet | Emotet is known to use RSA keys for encrypting C2 traffic. 37 |
S0363 | Empire | Empire can use TLS to encrypt its C2 channel.4 |
G0037 | FIN6 | FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.75 |
G0061 | FIN8 | FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.70 |
S0168 | Gazer | Gazer uses custom encryption for C2 that uses RSA.6061 |
S0588 | GoldMax | GoldMax has RSA-encrypted its communication with the C2 server.30 |
S0531 | Grandoreiro | Grandoreiro can use SSL in C2 communication.49 |
S0342 | GreyEnergy | GreyEnergy encrypts communications using RSA-2048.64 |
S0632 | GrimAgent | GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.47 |
S0087 | Hi-Zor | Hi-Zor encrypts C2 traffic with TLS.31 |
S0483 | IcedID | IcedID has used SSL and TLS in communications with C2.1415 |
S1051 | KEYPLUG | KEYPLUG can use TLS-encrypted WebSocket Protocol (WSS) for C2.48 |
S0250 | Koadic | Koadic can use SSL and TLS for communications.5 |
S0641 | Kobalos | Kobalos‘s authentication and key exchange is performed using RSA-512.6768 |
S0409 | Machete | Machete has used TLS-encrypted FTP to exfiltrate data.63 |
S0455 | Metamorfo | Metamorfo‘s C2 communication has been encrypted using OpenSSL.52 |
S0699 | Mythic | Mythic supports SSL encrypted C2.6 |
G0049 | OilRig | OilRig used the Plink utility and other tools to create tunnels to C2 servers.74 |
C0014 | Operation Wocao | During Operation Wocao, threat actors’ proxy implementation “Agent” upgraded the socket in use to a TLS socket.77 |
S0556 | Pay2Key | Pay2Key has used RSA encrypted communications with C2.13 |
S0587 | Penquin | Penquin can encrypt communications using the BlowFish algorithm and a symmetric key exchanged with Diffie Hellman.59 |
S0428 | PoetRAT | PoetRAT used TLS to encrypt command and control (C2) communications.20 |
S0150 | POSHSPY | POSHSPY encrypts C2 traffic with AES and RSA.19 |
S0223 | POWERSTATS | POWERSTATS has encrypted C2 traffic with RSA.27 |
S0192 | Pupy | Pupy‘s default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.11 |
S0496 | REvil | REvil has encrypted C2 communications with the ECIES algorithm.18 |
S0448 | Rising Sun | Rising Sun variants can use SSL for encrypting C2 communications.17 |
S0382 | ServHelper | ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.12 |
S0633 | Sliver | Sliver can use mutual TLS and RSA cryptography to exchange a session key.789 |
S1035 | Small Sieve | Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.69 |
S0627 | SodaMaster | SodaMaster can use a hardcoded RSA key to encrypt some of its C2 traffic.58 |
S0615 | SombRAT | SombRAT can SSL encrypt C2 traffic.232425 |
S0491 | StrongPity | StrongPity has encrypted C2 traffic using SSL/TLS.32 |
S0018 | Sykipot | Sykipot uses SSL for encrypting C2 communications.65 |
S0668 | TinyTurla | TinyTurla has the ability to encrypt C2 traffic with SSL/TLS.66 |
S0183 | Tor | Tor encapsulates traffic in multiple layers of encryption, using TLS by default.10 |
S0094 | Trojan.Karagany | Trojan.Karagany can secure C2 communications with SSL and TLS.54 |
G0081 | Tropic Trooper | Tropic Trooper has used SSL to connect to C2 servers.7172 |
S0180 | Volgmer | Some Volgmer variants use SSL to encrypt C2 communications.28 |
S0366 | WannaCry | WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.26 |
S0515 | WellMail | WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.6236 |
S0514 | WellMess | WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.33343536 |
S1065 | Woody RAT | Woody RAT can use RSA-4096 to encrypt data sent to its C2 server.42 |
S0117 | XTunnel | XTunnel uses SSL/TLS and RC4 to encrypt traffic.4540 |
S0251 | Zebrocy | Zebrocy uses SSL and AES ECB for encrypting C2 communications.555657 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
M1020 | SSL/TLS Inspection | SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0029 | Network Traffic | Network Traffic Content |
References
-
Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016. ↩
-
Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016. ↩
-
Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. ↩
-
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. ↩
-
Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018. ↩
-
Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022. ↩
-
NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. ↩
-
Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021. ↩
-
BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021. ↩
-
Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017. ↩
-
Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. ↩
-
Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021. ↩
-
Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020. ↩
-
Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. ↩
-
Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. ↩
-
I. Ilascu. (2019, March 3). Op ‘Sharpshooter’ Connected to North Korea’s Lazarus Group. Retrieved September 26, 2022. ↩
-
Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. ↩
-
Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017. ↩
-
Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. ↩
-
Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. ↩
-
Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019. ↩
-
The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. ↩
-
McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. ↩
-
CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. ↩
-
Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. ↩
-
Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. ↩
-
US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. ↩
-
Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. ↩
-
Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. ↩
-
Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016. ↩
-
Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. ↩
-
PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. ↩
-
PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020. ↩
-
CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. ↩
-
National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. ↩↩
-
Trend Micro. (2019, January 16). Exploring Emotet’s Activities . Retrieved March 25, 2019. ↩
-
Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. ↩
-
CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. ↩
-
ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. ↩↩
-
Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. ↩
-
MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. ↩
-
NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022. ↩
-
Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. ↩
-
Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016. ↩
-
Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. ↩
-
Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. ↩
-
Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. ↩
-
Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. ↩
-
Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. ↩
-
Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. ↩
-
Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. ↩
-
Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. ↩
-
Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. ↩
-
ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. ↩
-
ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. ↩
-
CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. ↩
-
GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. ↩
-
Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. ↩
-
ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. ↩
-
Kaspersky Lab’s Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. ↩
-
CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. ↩
-
The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. ↩
-
Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. ↩
-
Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014. ↩
-
Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. ↩
-
M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021. ↩
-
M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021. ↩
-
FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. ↩
-
Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. ↩
-
Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018. ↩
-
Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. ↩
-
Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. ↩
-
Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. ↩
-
FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. ↩
-
Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. ↩
-
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. ↩