ID | Name |
---|---|
T1573.001 | Symmetric Cryptography |
T1573.002 | Asymmetric Cryptography |
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.
ID | Name | Description |
---|---|---|
S0066 | 3PARA RAT |
3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. 3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS if the DES decoding fails[1] |
S0065 | 4H RAT |
4H RAT obfuscates C2 communication using a 1-byte XOR with the key 0xBE.[1] |
S0045 | ADVSTORESHELL |
A variant of ADVSTORESHELL encrypts some C2 with 3DES.[2] |
G0007 | APT28 |
APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.[3] |
G0064 | APT33 |
APT33 has used AES for encryption of command and control traffic.[4] |
S0438 | Attor |
Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.[5] |
S0344 | Azorult | |
S0245 | BADCALL | |
S0128 | BADNEWS |
BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.[9][10] |
S0234 | Bandook | |
S0534 | Bazar | |
S0127 | BBSRAT |
BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.[13] |
S0574 | BendyBear |
BendyBear communicates to a C2 server over port 443 using modified RC4 and XOR-encrypted chunks.[14] |
S0268 | Bisonal |
Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.[15][16] |
S0520 | BLINDINGCAN |
BLINDINGCAN has encrypted its C2 traffic with RC4.[17] |
S0486 | Bonadan | |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.[19] |
S0077 | CallMe | |
S0030 | Carbanak |
Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.[21][22] |
S0348 | Cardinal RAT |
Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.[23] |
S0220 | Chaos |
Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.[24] |
S0144 | ChChes | |
S0023 | CHOPSTICK | |
S0154 | Cobalt Strike |
Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data.[28] |
S0244 | Comnie |
Comnie encrypts command and control communications with RC4.[29] |
S0137 | CORESHELL |
CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.[30] |
S0050 | CosmicDuke |
CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.[31] |
G0012 | Darkhotel |
Darkhotel has used AES-256 and 3DES for C2 communications.[32] |
S0187 | Daserf | |
S0021 | Derusbi |
Derusbi obfuscates C2 traffic with variable 4-byte XOR keys.[33] |
S0200 | Dipsind | |
S0472 | down_new |
down_new has the ability to AES encrypt C2 communications.[35] |
S0134 | Downdelph | |
S0384 | Dridex | |
S0038 | Duqu |
The Duqu command and control protocol's data stream can be encrypted with AES-CBC.[38] |
S0377 | Ebury |
Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[39] |
S0081 | Elise | |
S0082 | Emissary |
The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.[41] |
S0091 | Epic |
Epic encrypts commands from the C2 server using a hardcoded key.[42] |
S0569 | Explosive |
Explosive has encrypted communications with the RC4 method.[43] |
S0076 | FakeM |
The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of "YHCRA" and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic.[20] |
S0181 | FALLCHILL | |
S0512 | FatDuke | |
S0171 | Felismus |
Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.[47] |
S0381 | FlawedAmmyy |
FlawedAmmyy has used SEAL encryption during the initial C2 handshake.[48] |
G0101 | Frankenstein |
Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.[49] |
S0168 | Gazer | |
S0032 | gh0st RAT | |
S0342 | GreyEnergy |
GreyEnergy encrypts communications using AES256.[53] |
S0632 | GrimAgent |
GrimAgent can use an AES key to encrypt C2 communications.[54] |
S0132 | H1N1 | |
S0037 | HAMMERTOSS |
Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command.[56] |
S0170 | Helminth |
Helminth encrypts data sent to its C2 server over HTTP with RC4.[57] |
S0087 | Hi-Zor |
Hi-Zor encrypts C2 traffic with a double XOR using two distinct single-byte keys.[58] |
S0394 | HiddenWasp |
HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication.[59] |
G0126 | Higaisa | |
S0009 | Hikit | |
S0431 | HotCroissant |
HotCroissant has compressed network communications and encrypted them with a custom stream cipher.[62][63] |
S0068 | httpclient |
httpclient encrypts C2 content with XOR using a single byte, 0x12.[1] |
S0203 | Hydraq |
Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.[64] |
S0537 | HyperStack |
HyperStack has used RSA encryption for C2 communications.[65] |
G0100 | Inception |
Inception has encrypted network communications with AES.[66] |
S0260 | InvisiMole |
InvisiMole uses variations of a simple XOR encryption routine for C&C communications.[67] |
S0271 | KEYMARBLE |
KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications.[68] |
S0641 | Kobalos |
Kobalos's post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.[69][70] |
S0162 | Komplex |
The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.[71] |
G0032 | Lazarus Group |
Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads.[72][73][74][75] |
S0395 | LightNeuron |
LightNeuron uses AES to encrypt C2 traffic.[76] |
S0582 | LookBack |
LookBack uses a modified version of RC4 for data transfer.[77] |
S0532 | Lucifer |
Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire.[78] |
S0010 | Lurid | |
S0409 | Machete | |
S0455 | Metamorfo | |
S0149 | MoonWind |
MoonWind encrypts C2 traffic using RC4 with a static key.[82] |
S0284 | More_eggs |
More_eggs has used an RC4-based encryption method for its C2 communications.[83] |
S0256 | Mosquito |
Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.[84] |
G0129 | Mustang Panda |
Mustang Panda has encrypted C2 communications with RC4.[85] |
S0336 | NanoCore | |
S0272 | NDiskMonitor |
NDiskMonitor uses AES to encrypt certain information sent over its C2 channel.[10] |
S0630 | Nebulae |
Nebulae can use RC4 and XOR to encrypt C2 communications.[87] |
S0034 | NETEAGLE |
NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key "ScoutEagle."[88] |
S0198 | NETWIRE | |
S0439 | Okrum |
Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase. [90] |
S0501 | PipeMon | |
S0254 | PLAINTEE | |
S0435 | PLEAD | |
S0012 | PoisonIvy |
PoisonIvy uses the Camellia cipher to encrypt communications.[94] |
S0371 | POWERTON | |
S0113 | Prikormka |
Prikormka encrypts some C2 traffic with the Blowfish cipher.[95] |
S0650 | QakBot | |
S0262 | QuasarRAT |
QuasarRAT uses AES to encrypt network communication.[97][98] |
S0629 | RainyDay | |
S0495 | RDAT |
RDAT has used AES ciphertext to encode C2 communications.[99] |
S0153 | RedLeaves |
RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.[100] |
S0433 | Rifdoor |
Rifdoor has encrypted command and control (C2) communications with a stream cipher.[62] |
S0003 | RIPTIDE |
APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4.[101] |
S0148 | RTM | |
S0074 | Sakula | |
S0053 | SeaDuke |
SeaDuke C2 traffic has been encrypted with RC4 and AES.[104][105] |
S0610 | SideTwist |
SideTwist can encrypt C2 communications with a randomly generated key.[106] |
S0633 | Sliver |
Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.[107] |
S0649 | SMOKEDHAM | |
S0159 | SNUGRIDE |
SNUGRIDE encrypts C2 traffic using AES with a static key.[109] |
S0627 | SodaMaster |
SodaMaster can use RC4 to encrypt C2 communications.[110] |
G0038 | Stealth Falcon |
Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.[111] |
S0603 | Stuxnet |
Stuxnet encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant.[112] |
S0559 | SUNBURST |
SUNBURST encrypted C2 traffic using a single-byte-XOR cipher.[113] |
S0060 | Sys10 | |
S0011 | Taidoor |
Taidoor uses RC4 to encrypt the message body of HTTP content.[115][116] |
S0586 | TAINTEDSCRIBE |
TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption.[117] |
S0266 | TrickBot |
TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.[118]Newer versions of TrickBot have been known to use |
S0436 | TSCookie |
TSCookie has encrypted network communications with RC4.[120] |
S0275 | UPPERCUT |
Some versions of UPPERCUT have used the hard-coded string "this is the encrypt key" for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.[121] |
S0180 | Volgmer |
Volgmer uses a simple XOR cipher to encrypt traffic and files.[122] |
S0514 | WellMess |
WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard coded RSA public key.[123][124][125] |
S0430 | Winnti for Linux |
Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).[126] |
S0653 | xCaon |
xCaon has encrypted data sent to the C2 server using a XOR key.[127] |
S0658 | XCSSET |
XCSSET uses RC4 encryption over TCP to communicate with its C2 server.[128] |
S0230 | ZeroT | |
G0128 | ZIRCONIUM |
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
ID | Data Source | Data Component |
---|---|---|
DS0029 | Network Traffic | Network Traffic Content |
With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.
In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[132]