Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

ID: T1102
Sub-techniques:  T1102.001, T1102.002, T1102.003
Platforms: Linux, Windows, macOS
Permissions Required: User
Contributors: Anastasios Pingios
Version: 1.1
Created: 31 May 2017
Last Modified: 26 March 2020

Procedure Examples

ID Name Description
G0050 APT32

APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.[1]

S0534 Bazar

Bazar downloads have been hosted on Google Docs.[2][3]

S0635 BoomBox

BoomBox can download files from Dropbox using a hardcoded access token.[4]

S0335 Carbon

Carbon can use Pastebin to receive C2 commands.[5]

S0674 CharmPower

CharmPower can download additional modules from actor-controlled Amazon S3 buckets.[6]

S0600 Doki

Doki has used the dogechain.info API to generate a C2 address.[7]

S0547 DropBook

DropBook can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions.[8][9]

G0037 FIN6

FIN6 has used Pastebin and Google Storage to host content for their operations.[10]

G0061 FIN8

FIN8 has used sslip.io, a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.[11]

G0117 Fox Kitten

Fox Kitten has used Amazon Web Services to host C2.[12]

G0047 Gamaredon Group

Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.[13]

S0561 GuLoader

GuLoader has the ability to download malware from Google Drive.[14]

S0601 Hildegard

Hildegard has downloaded scripts from GitHub.[15]

G0100 Inception

Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.[16][17]

G0140 LazyScripter

LazyScripter has used GitHub to host its payloads to operate spam campaigns.[18]

G0129 Mustang Panda

Mustang Panda has used DropBox URLs to deliver variants of PlugX.[19]

S0198 NETWIRE

NETWIRE has used web services including Paste.ee to host payloads.[20]

S0508 Ngrok

Ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.[21]

G0106 Rocke

Rocke has used Pastebin, Gitee, and GitLab for Command and Control.[22][23]

S0546 SharpStage

SharpStage has used a legitimate web service for evading detection.[8]

S0589 Sibot

Sibot has used a legitimate compromised website to download DLLs to the victim's machine.[24]

S0649 SMOKEDHAM

SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links.[25]

G0139 TeamTNT

TeamTNT has leveraged iplogger.org to send collected data back to C2.[26]

G0010 Turla

Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.[5][27]

S0689 WhisperGate

WhisperGate can download additional payloads hosted on a Discord channel.[28][29][30][31][32]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

M1021 Restrict Web-Based Content

Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Connection Creation
Network Traffic Content
Network Traffic Flow

Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.[33]

References

  1. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  2. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  3. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  4. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  5. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  6. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  7. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  8. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  9. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  10. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  11. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  12. ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
  13. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  14. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
  15. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  16. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  17. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  1. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  2. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  3. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  4. Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.
  5. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  6. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  7. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  8. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
  9. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
  10. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  11. Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022.
  12. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  13. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
  14. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  15. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  16. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.