Standard Cryptographic Protocol

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.

ID: T1521
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.0
Created: 01 October 2019
Last Modified: 01 October 2019
Provided by LAYER 8

Procedure Examples

ID | Name | Description
S0529 | CarbonSteal | CarbonSteal has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing an SSL connection.[1]
S0555 | CHEMISTGAMES | CHEMISTGAMES has used HTTPS for C2 communication.[2]
S0507 | eSurv | eSurv’s Android version has used public key encryption and certificate pinning for C2 communication.[3]
S0478 | EventBot | EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[4]
S0411 | Rotexy | Rotexy encrypts JSON HTTP payloads with AES.[5]
S0549 | SilkBean | SilkBean has used HTTPS for C2 communication.[1]
S0302 | Twitoor | Twitoor encrypts its C2 communication.[6]
G0112 | Windshift | Windshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.[7]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is undetectable to the user.
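
The description above notes that these implementations can be reverse engineered when keys are embedded in the sample. The following analyst-side triage sketch is an added example, not part of the original page: it scans decompiled Java for key and IV material passed as literals to the standard javax.crypto constructors. The sample source, its class and method names, and the choice of these three patterns are assumptions made for illustration.

```python
import base64
import re

# Constructed sample of decompiled Java; all names and values are illustrative.
SAMPLE = '''\
public class NetClient {
    byte[] seal(byte[] body) throws Exception {
        SecretKeySpec k = new SecretKeySpec("0123456789abcdef".getBytes("UTF-8"), "AES");
        IvParameterSpec iv = new IvParameterSpec("fedcba9876543210".getBytes());
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(1, k, iv);
        return c.doFinal(body);
    }
    byte[] unwrap(byte[] blob) throws Exception {
        SecretKeySpec k2 = new SecretKeySpec(Base64.decode("AAECAwQFBgcICQoLDA0ODw==", 0), "RC4");
        SecretKeySpec k3 = new SecretKeySpec(deriveKey(blob), "AES");
        return blob;
    }
}
'''

# Key passed as a string literal: new SecretKeySpec("...".getBytes(...), "ALG")
LITERAL_KEY = re.compile(r'new\s+SecretKeySpec\(\s*"([^"]*)"\.getBytes\([^)]*\)\s*,\s*"([^"]+)"')
# Key stored base64-encoded: new SecretKeySpec(Base64.decode("...", flags), "ALG")
B64_KEY = re.compile(r'new\s+SecretKeySpec\(\s*Base64\.decode\(\s*"([^"]+)"\s*,[^)]*\)\s*,\s*"([^"]+)"')
# Fixed IV taken from a string literal
STATIC_IV = re.compile(r'new\s+IvParameterSpec\(\s*"([^"]*)"\.getBytes\(')


def find_embedded_keys(source):
    """Return (line, kind, algorithm, length_in_bytes) for each embedded secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in LITERAL_KEY.finditer(line):
            findings.append((lineno, "literal-key", m.group(2), len(m.group(1).encode())))
        for m in B64_KEY.finditer(line):
            try:
                raw = base64.b64decode(m.group(1), validate=True)
            except ValueError:  # not valid base64, so not a decodable key
                continue
            findings.append((lineno, "base64-key", m.group(2), len(raw)))
        for m in STATIC_IV.finditer(line):
            findings.append((lineno, "static-iv", None, len(m.group(1).encode())))
    return findings


if __name__ == "__main__":
    for finding in find_embedded_keys(SAMPLE):
        print(finding)
```

Keys produced at runtime (the deriveKey call in the sample) are deliberately not reported, so an empty result does not mean the sample lacks recoverable key material.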

References