Skip to content

T1573 Encrypted Channel

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

Item Value
ID T1573
Sub-techniques T1573.001, T1573.002
Tactics TA0011
Platforms Linux, Windows, macOS
Version 1.0
Created 16 March 2020
Last Modified 20 April 2021

Procedure Examples

ID Name Description
G0016 APT29 APT29 has used multiple layers of encryption within malware to protect C2 communication.16
G1002 BITTER BITTER has encrypted their C2 communications.14
S0631 Chaes Chaes has used encryption for its C2 channel.4
S0498 Cryptoistic Cryptoistic can engage in encrypted communications with C2.8
S0032 gh0st RAT gh0st RAT has encrypted TCP communications to evade detection.9
S0681 Lizar Lizar can support encrypted communications between the client and server.1112
S1016 MacMa MacMa has used TLS encryption to initialize a custom protocol for C2 communications.10
G0059 Magic Hound Magic Hound has used an encrypted http proxy in C2 communications.17
S0198 NETWIRE NETWIRE can encrypt C2 communications.6
S1012 PowerLess PowerLess can use an encrypted channel for C2 communications.13
S1046 PowGoop PowGoop can receive encrypted commands from C2.7
S0662 RCSession RCSession can use an encrypted beacon to check in with C2.5
G0081 Tropic Trooper Tropic Trooper has encrypted traffic with the C2 to prevent network detection.15

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
M1020 SSL/TLS Inspection SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Traffic Content

References

  1. Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016. 

  2. Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016. 

  3. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  4. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  5. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  6. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  7. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  8. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. 

  9. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  10. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  11. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022. 

  12. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. 

  13. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. 

  14. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022. 

  15. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  16. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022. 

  17. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.