1. Home
  2. Techniques
  3. Mobile
  4. Web Service

Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.

These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

ID: T1481
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Command and Control
Platforms: Android, iOS
Version: 1.0
Created: 01 February 2019
Last Modified: 01 February 2019
Provided by LAYER 8

Procedure Examples

ID Name Description
S0310 ANDROIDOS_ANSERVER.A

ANDROIDOS_ANSERVER.A uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.[1]
S0422 Anubis

Anubis can retrieve the C2 address from Twitter and Telegram.[2][3]
S0655 BusyGasper

BusyGasper can be controlled via IRC using freenode.net servers.[4]
S0485 Mandrake

Mandrake has used Firebase for C2.[5]
S0539 Red Alert 2.0

Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.[6]
S0545 TERRACOTTA

TERRACOTTA has used Firebase for C2 communication.[7]
S0302 Twitoor

Twitoor can be controlled via Twitter.[8]
S0318 XLoader for Android

XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.[9]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

References

  1. Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.
  2. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  3. K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.
  4. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
  5. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  1. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
  2. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.
  3. ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.
  4. Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.