T1573 Encrypted Channel
Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
| Item | Value |
|---|---|
| ID | T1573 |
| Sub-techniques | T1573.001, T1573.002 |
| Tactics | TA0011 |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 16 March 2020 |
| Last Modified | 20 April 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0016 | APT29 | APT29 has used multiple layers of encryption within malware to protect C2 communication.12 |
| S0631 | Chaes | Chaes has used encryption for its C2 channel.9 |
| S0498 | Cryptoistic | Cryptoistic can engage in encrypted communications with C2.10 |
| S0032 | gh0st RAT | gh0st RAT has encrypted TCP communications to evade detection.7 |
| S0681 | Lizar | Lizar can support encrypted communications between the client and server.56 |
| S0198 | NETWIRE | NETWIRE can encrypt C2 communications.4 |
| S0662 | RCSession | RCSession can use an encrypted beacon to check in with C2.8 |
| G0081 | Tropic Trooper | Tropic Trooper has encrypted traffic with the C2 to prevent network detection.11 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
| M1020 | SSL/TLS Inspection | SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content |
References
-
Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016. ↩
-
Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016. ↩
-
Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. ↩
-
Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. ↩
-
Seals, T.. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022. ↩
-
BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. ↩
-
Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. ↩
-
Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. ↩
-
Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. ↩
-
Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. ↩
-
Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. ↩
-
Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022. ↩