command-and-control server (C&C server)

Introduction

A command-and-control server, or C&C server (also written C2), is a computer that sends instructions to devices infected with rootkits or other malware, such as ransomware. C&C servers are used to build large networks of infected devices that can extort money by encrypting or deleting data, or by launching distributed denial-of-service (DDoS) attacks. In the past a C&C server might run for several years on hardware the attacker physically controlled. Today C&C servers are usually short-lived; they are often hosted on legitimate cloud services and use domain generation algorithms (DGAs) to produce a steady stream of new domain names, so that law enforcement and malware researchers cannot simply block one address.

How does a C&C server work?

A C&C attack begins with an initial compromise: malware has to get onto the target first, and it then calls out to the attacker's remote server (the C&C server) for instructions. Almost any connected device can be affected, including PCs, tablets, smartphones, and Internet of Things devices. Command-and-control infections usually arrive through the following channels:
Once a device has been compromised, the threat actor uses the C&C server to instruct the infected host and to enrol it in a malicious network. A network of compromised machines controlled through a C&C server is a botnet; its member nodes are also called zombies. Communication is normally initiated from the inside out: the implant periodically checks in with the C&C server, a behaviour known as beaconing, and each check-in can carry new instructions or additional payloads back to the infected device. Once the compromised host starts executing the commands it receives, further malware is typically installed, giving the threat actor full control over the machine.

Popular botnet topologies

A botnet is a collection of internet-connected, malware-infected bots under a threat actor's control. Most botnets use a centralized command-and-control architecture, although peer-to-peer (P2P) botnets are becoming more popular because their decentralized design has no single server that defenders can take down. Among the most common botnet topologies are the following:
A classic botnet typically comprises bots infected with a Trojan horse that communicate with a central C&C server over Internet Relay Chat (IRC). Such botnets are often used to distribute malware or spam and to harvest sensitive data such as credit card numbers. Because IRC traffic is now strongly associated with botnet control and is frequently blocked outright, cybercriminals have moved to more covert C&C channels. These include dummy accounts on social media platforms such as LinkedIn or Twitter, commands embedded in JPEG images, and instructions hidden inside Microsoft Word files.

Common uses of Command and Control

The term is also used for legitimate central management: an organization may run a command-and-control server to deploy applications and policies to its network devices and to monitor their performance and activity from one place. In the security context, however, the C&C server serves the attacker, and its main functions are elaborated below.

1. Malware Management

Malware management lets attackers keep control over their malware and carry out malicious actions whenever they choose. It allows the attacker to monitor the progress of an infection and adjust the attack plan as needed. From the attacker's point of view, there are various benefits:
To cut the communication between the attacker and the infected devices, the security team should:
2. Botnet control

In the era of ubiquitous computing and the Internet of Things, botnets are collections of hosts that have been infected with malware and are under the control of malicious actors. As noted above, botnets can spread malware, carry out distributed denial-of-service attacks, steal data, and send spam. Infected hosts are simply called bots; the operator who controls them through the C&C server is the bot master (or bot herder). Because the C&C server can address every bot at once, the operator can launch distributed attacks over the LAN or the internet against other connected hosts. In general, botnets have one of two basic architectures:
What distinguishes these structures is how commands travel across the C&C channel. In a centralized botnet, a central C&C server sends commands directly to the bots. In a P2P botnet, commands propagate from bot to bot through the P2P overlay network. Botnets can be used for a wide range of distributed attacks, including extortion, piracy, and distributed denial-of-service (DDoS) attacks. Botnets were originally controlled over Internet Relay Chat (IRC), but they spread through many other channels: compromised websites, file-sharing networks, malicious email attachments, and exploitation of vulnerabilities. The proliferation of internet-connected pervasive devices gives botnets a larger attack surface and more susceptible hosts to infect.

3. Remote administration

Remote administration is the process of managing a computer system or network from a distance. Remote administration tools let system administrators access and control systems from any location with an internet connection. On a compromised system, however, the attacker can use the same kind of tool to carry out C&C. For example, an attacker who has gained access to a compromised system might install a remote administration tool such as VNC (Virtual Network Computing). The malware can then receive commands to download additional malware, encrypt files, or send stolen data back to the attacker's C&C server. Sometimes malicious actors simply abuse legitimate remote administration tools that are already present, occasionally modified for their purposes. For instance, they can use Remote Desktop Protocol (RDP), a common remote administration tool, to log into a machine and control it, which blends in with ordinary administrative traffic.

5 Common Command-and-Control Techniques Hackers Use
Detecting and protecting against Command and Control

To deal with C&C attacks, it is common practice to continuously monitor host activity and block known malicious domains.

1. Network-Based detection

Network-based detection means monitoring network traffic for signs of C&C activity. Network-based detection tools can recognize the communication patterns that are characteristic of C&C traffic between endpoints and remote servers. For instance, if many internal hosts connect to the same external server on a regular schedule, or a single host pushes large volumes of data to an unusual destination over a specific port, that may indicate a C&C connection. The following are a few methods employed in network-based detection:
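As an added example that is not part of the original article, the following Python script implements the regular-schedule check described above, which is also the simplest way to spot the beaconing behaviour introduced earlier. It runs over a constructed, Zeek conn.log-style sample: one host checks in with the same server roughly once a minute with slight jitter and near-constant request sizes, while another host talks to a server at irregular intervals with widely varying sizes. The log lines, field layout and thresholds are assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample in a Zeek conn.log-like layout:
# ts  id.orig_h  id.resp_h  id.resp_p  orig_bytes
# These lines are made up for the example, not taken from a real capture.
SAMPLE_CONN_LOG = """\
1700000000.000 10.0.0.5 203.0.113.10 443 312
1700000061.200 10.0.0.5 203.0.113.10 443 318
1700000118.900 10.0.0.5 203.0.113.10 443 312
1700000181.500 10.0.0.5 203.0.113.10 443 320
1700000240.100 10.0.0.5 203.0.113.10 443 312
1700000299.700 10.0.0.5 203.0.113.10 443 315
1700000362.300 10.0.0.5 203.0.113.10 443 312
1700000419.800 10.0.0.5 203.0.113.10 443 311
1700000003.000 10.0.0.7 198.51.100.20 443 1500
1700000009.000 10.0.0.7 198.51.100.20 443 2200
1700000140.000 10.0.0.7 198.51.100.20 443 900
1700000141.000 10.0.0.7 198.51.100.20 443 5400
1700000400.000 10.0.0.7 198.51.100.20 443 120
1700000402.000 10.0.0.7 198.51.100.20 443 8700
1700000900.000 10.0.0.7 198.51.100.20 443 400
1700001200.000 10.0.0.7 198.51.100.20 443 300
"""


def parse_conn_log(text):
    """Parse the whitespace-separated sample into (ts, src, dst, port, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        rows.append((float(ts), src, dst, int(port), int(nbytes)))
    return rows


def find_beacons(rows, min_connections=6, max_interval_cv=0.2, max_size_cv=0.1):
    """Return {(src, dst, port): stats} for flows whose timing and size are suspiciously regular.

    The coefficient of variation (stdev / mean) of the inter-connection intervals is low for
    a sleep-based beacon even when the implant adds modest jitter; ordinary browsing is bursty.
    Thresholds are assumptions and must be tuned per environment (assumption for the example).
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, nbytes in rows:
        by_flow[(src, dst, port)].append((ts, nbytes))

    findings = {}
    for key, events in by_flow.items():
        if len(events) < min_connections:
            continue  # too few samples to judge regularity
        events.sort()
        times = [t for t, _ in events]
        sizes = [b for _, b in events]
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_interval = statistics.mean(intervals)
        mean_size = statistics.mean(sizes)
        if mean_interval == 0 or mean_size == 0:
            continue
        interval_cv = statistics.pstdev(intervals) / mean_interval
        size_cv = statistics.pstdev(sizes) / mean_size
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings[key] = {
                "connections": len(events),
                "mean_interval_s": round(mean_interval, 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            }
    return findings


def analyze(text):
    """Convenience wrapper: parse the log text and return the beacon findings."""
    return find_beacons(parse_conn_log(text))


if __name__ == "__main__":
    for (src, dst, port), stats in analyze(SAMPLE_CONN_LOG).items():
        print(f"possible beacon: {src} -> {dst}:{port} {stats}")
```

In the sample only 10.0.0.5 -> 203.0.113.10:443 is reported, with a mean interval of about 60 seconds. Real implants often use long sleeps and large jitter precisely to defeat this check, so in practice the window must be long enough to collect enough check-ins, and the regularity score is best combined with other signals (destination reputation, rarity of the destination across the fleet, and the host-based indicators discussed below).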
Detection can also be built on machine learning. Machine learning-based detection uses algorithms that monitor network activity and learn the behavioural patterns that indicate C&C activity, so they can flag C&C traffic whose specific indicators were not previously known and keep up as attackers change their tactics.

2. Host-Based detection

Host-based detection tracks what happens on the host itself. It can employ tools that keep an eye on:
For example, system logs can reveal unusual processes or sudden increases in outgoing network traffic, which could indicate a C&C infection. Host-based detection tools include the following:
This technique relies on the observation that C&C attacks usually involve installing malware or other malicious software on specific endpoints, which can be recognized by watching what those endpoints do.

3. Blacklisting

Blacklisting works literally: known-malicious IP addresses, domain names, or URLs are collected into a list, and blacklisting tools then block traffic to and from those entries to lower the risk of compromise. The list can be updated in real time. A blacklist may consist of:
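The following Python script is an added example, not code from the original article, that ties together the host-based detection and blacklisting sections above. It correlates constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events, then scores each outbound connection on three things: whether the originating process runs from a user-writable location or was spawned by an Office application, whether the destination is on a hypothetical blocklist of domains and CIDR ranges, and whether the destination name looks machine-generated (a simple DGA heuristic using label length, Shannon entropy and digit ratio, aimed at the generated domains mentioned in the introduction). The events, blocklist entries, path markers and thresholds are all assumptions made for the example.

```python
import ipaddress
import json
import math
from collections import Counter

# Constructed Sysmon-style events, one JSON object per line. Made-up sample telemetry.
SAMPLE_EVENTS = r"""
{"event_id": 1, "pid": 4120, "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe"}
{"event_id": 1, "pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"event_id": 1, "pid": 9012, "image": "C:\\Program Files\\Browser\\browser.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"event_id": 1, "pid": 5555, "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"event_id": 3, "pid": 4120, "dest_host": "updates.acme-corp.com", "dest_ip": "198.51.100.7", "dest_port": 443}
{"event_id": 3, "pid": 7788, "dest_host": "xk3jq9vwp2lmz7rt.net", "dest_ip": "203.0.113.44", "dest_port": 443}
{"event_id": 3, "pid": 9012, "dest_host": "cdn.acme-corp.com", "dest_ip": "198.51.100.20", "dest_port": 443}
{"event_id": 3, "pid": 9012, "dest_host": "api.evil-updates.net", "dest_ip": "198.51.100.99", "dest_port": 443}
{"event_id": 3, "pid": 5555, "dest_host": null, "dest_ip": "203.0.113.9", "dest_port": 8080}
"""

# Hypothetical blocklist (assumption): a domain entry matches itself and all subdomains,
# an IP entry is a CIDR range. A real feed would be loaded from a file or threat-intel API.
BLOCKLIST_DOMAINS = {"evil-updates.net"}
BLOCKLIST_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Path fragments and parent processes treated as suspicious (assumptions for the example).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\", "/tmp/", "/dev/shm/")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(host, min_len=12, min_entropy=3.5, max_digit_ratio=0.3):
    """Crude DGA heuristic on the label left of the TLD (no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    high_entropy = len(label) >= min_len and shannon_entropy(label) >= min_entropy
    return high_entropy or digit_ratio > max_digit_ratio


def blocklisted(host, ip):
    """Return the blocklist reasons that apply to a destination host name and/or IP."""
    reasons = []
    if host:
        h = host.lower().rstrip(".")
        if any(h == d or h.endswith("." + d) for d in BLOCKLIST_DOMAINS):
            reasons.append("blocklisted domain")
    if ip and any(ipaddress.ip_address(ip) in net for net in BLOCKLIST_NETWORKS):
        reasons.append("blocklisted ip")
    return reasons


def analyze_events(text):
    """Join process-creation and network events by pid; return one finding per suspicious connection."""
    processes = {}
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event_id"] == 1:
            processes[ev["pid"]] = ev  # remember who the process is for later network events
        elif ev["event_id"] == 3:
            proc = processes.get(ev["pid"], {})
            image = proc.get("image", "").lower()
            parent = proc.get("parent_image", "").lower()
            reasons = []
            if any(marker in image for marker in USER_WRITABLE):
                reasons.append("user-writable path")
            if parent.endswith(OFFICE_PARENTS):
                reasons.append("office parent")
            if ev.get("dest_host") and looks_dga(ev["dest_host"]):
                reasons.append("dga-like domain")
            reasons += blocklisted(ev.get("dest_host"), ev.get("dest_ip"))
            if reasons:
                findings.append({
                    "pid": ev["pid"],
                    "image": proc.get("image"),
                    "dest": ev.get("dest_host") or ev["dest_ip"],
                    "port": ev["dest_port"],
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']} -> {f['dest']}:{f['port']}  {', '.join(f['reasons'])}")
```

On the sample, the Temp-resident executable spawned by Word is flagged four times over (location, parent, generated-looking name, blocklisted range), the browser is flagged only for the one connection to a blocklisted domain, and rundll32 is flagged purely by destination because it connected by IP to a blocklisted range. That last case shows why blocklists and host behaviour are complementary: a signed system binary passes every path check, and a fresh DGA domain passes every blocklist, but rarely both at once.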
When traffic to a blocked IP address or domain is detected, the request is dropped or redirected to a safe warning page.

Real-world examples of Command and Control

1. Banking Trojan: "TrickBot"

TrickBot is frequently distributed through phishing emails and is used to steal personal information, including banking credentials. In 2019 TrickBot was used in several attacks against financial institutions in the US, UK, and Canada. Although security professionals and law enforcement worked together to take down TrickBot infrastructure, its authors continue to adapt and change their tactics. Two essential defenses against this type of attack are multi-factor authentication and anti-malware software.

2. Botnet: "Mirai"

The Mirai botnet was responsible for the massive DDoS attack that disrupted internet access across the United States in 2016. Mirai was built by infecting vulnerable Internet of Things devices with malware.

3. Malvertising: "Kyle & Stan"

The "Kyle and Stan" malvertising campaign discovered in 2014 illustrates how malicious advertisements placed on trusted websites can be used to spread malware and steal personal data. The campaign's advertisements appeared to offer streaming of popular TV shows, but clicking them led to a website that attempted to infect the visitor's computer with malware. The malware, designed to steal private data, was delivered through drive-by downloads.

How Does a C&C Server Exploit a Compromised System?

A C&C server can exploit a compromised system in the following ways:

1. Theft of personal information
Sensitive company information, such as financial documents, can be copied and sent to a site the attacker controls.

2. Shutdown
An attacker can disable one or more devices or an entire company network.

3. Reboot
Repeated shutdowns and reboots of infected systems disrupt normal business activity.

4. Distributed Denial of Service
DDoS attacks overwhelm servers or networks by flooding them with traffic. The attacker can instruct every bot in the botnet to send requests to a particular IP address, clogging the targeted server so that legitimate traffic to that address is denied, much like traffic clogging a freeway. An attack of this kind can take a website down.

5. Using Fake Domains That Appear to Be Authentic
One of the most common strategies when setting up C&C servers is to use domain names that mimic the naming of online advertising services, of websites relevant to a current campaign, or the naming pattern of genuine software update or email services.

How Do C&C Servers Conceal Their Location

APT groups frequently place intermediary servers, also known as proxies or redirectors, in front of their command-and-control servers to improve both stealth and availability. These servers relay traffic and hide the real location of the C&C server. Another well-known method for hiding C&C locations is the use of dynamic DNS services such as DynDNS and similar providers. Attackers can register domain names through such providers without supplying real contact information, which keeps them anonymous. Furthermore, the IP address behind a domain can be changed quickly if the target's defenders block the original IP; short DNS caching (TTL) settings on these domains make the switch take effect almost immediately.

Conclusion

Although the term command and control also describes the legitimate central management that gives administrators visibility over their IT systems from a single place, in the security context C&C servers are at the heart of most modern malware operations. They turn individual infections into a botnet that can be steered to steal data, extort victims, or launch DDoS attacks, and they are increasingly hosted on legitimate cloud services and hidden behind proxies, dynamic DNS and generated domain names. Defenders counter them by combining network-based detection of suspicious communication patterns, host-based monitoring of endpoint activity, and blocking of known-malicious domains and addresses, so that an infection is spotted and its C&C channel cut before the attacker can act on it.