Let yourself think from the perspective of a hacker...
 
You would not be content with infecting just one machine of the targeted network, would you? Of course not. Once you have gained an initial foothold, you would want to pivot, infect and control other machines in the network too. This is when you need robust C&C communication with all those infected machines (called zombies or bots). Your C&C helps you maintain a persistent presence and exfiltrate valuable data later. You control all the zombie machines via the remote C&C.
 
 
 
-
 
👉 What is C&C?
 
Command and Control (C2 or C&C) is the method attackers use to maintain communication with systems they have already compromised inside the targeted entity's network.
 
You already know that all such systems, when taken together, are called a botnet.
 
The idea behind the modern botnet is that it is a collection of compromised workstations and servers, distributed over the public Internet, that jointly serve the agenda of a malicious threat actor.
 
In recent times, botnet creators and botnet administrators (read: attackers) have become more and more sophisticated, and they can use various methods to issue commands to malware-compromised workstations in the targeted network. However, the most basic system in the past worked something like this:
 
  1. One command and control (C&C) server is established by the threat actors.
  2. This C&C server then communicates with a theoretically unlimited botnet via IRC (Internet Relay Chat) commands.
  3. The whole network of bots then carries out the activities it has been commanded to perform.
 
Since IRC is no longer much used in organisations, attackers now communicate primarily via HTTP/HTTPS. Using HTTP/HTTPS allows the adversary to bypass your firewalls and network-based detection systems and to blend in with legitimate web traffic. Malware may sometimes use a P2P protocol for C2 communication, and some malware has also used DNS tunneling for C&C communications.
 
-
 
👉 What Can Hackers Accomplish Through Command and Control?
 
  • Your sensitive company data, such as financial documents, intellectual property and other confidential information, can be copied or transferred to an attacker's server.
  • An attacker can shut down one or several machines, or even bring down your entire network.
  • Infected computers may suddenly and repeatedly shut down and reboot, which can disrupt the normal business operations of your company.
  • DDoS attacks overwhelm servers or networks by flooding them with internet traffic. Once a botnet is established, an attacker can instruct each bot to send requests to the targeted IP address, creating a jam of requests for the targeted server. The result is like traffic clogging a highway: legitimate traffic to the attacked IP address is denied access. This type of attack can be used to take your website down. I have already explained this whole DDoS thing in a recent post too...
 
-
 
👉 How Do These C&C Operate?
 
What specific mechanism will the attackers use? It may vary a great deal. But C&C generally consists of one or more covert communication channels between devices in a victim organisation and a platform that the attacker controls.
 
These communication channels would then be used to issue instructions to the compromised devices, download additional malicious payloads, and pipe stolen data back to the adversary.
 
This is why C&C comes in many different forms. The MITRE ATT&CK framework lists 16 different C&C techniques, each with a number of sub-techniques that have been observed in past cyberattacks.
 
However, the most common strategy is to blend in with other types of legitimate traffic that may be in use at the target organisation, such as HTTP/HTTPS or DNS. Attackers may take other actions to disguise their C&C callbacks, such as using encryption or unusual types of data encoding. Do not be surprised if an advanced adversary is found using a custom-made protocol for its C&C communications.
 
Popular platforms used by criminals and penetration testers alike include Cobalt Strike, Covenant, PowerShell Empire, and Armitage. Currently there are more than 10,000 C&C servers operating on the Internet...
 
Most modern malware is designed for C&C communication with its operators: it beacons to its respective C&C server at regular or pre-scheduled intervals.

Beaconing is the process of an infected machine or device phoning home to an attacker's C2 infrastructure to check for new instructions or additional payloads, often at regular intervals. To avoid detection, some types of malware beacon at random intervals, or lie dormant for a period of time before phoning home. This makes detecting them even harder...
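As an added example (not code from the original post), the following Python script looks for the beaconing pattern just described in a handful of constructed proxy log lines: repeated outbound connections from one host to one destination at nearly regular intervals. The log format, hostnames and thresholds are assumptions; the coefficient-of-variation threshold is what lets a small amount of timing jitter through while still ignoring genuinely irregular browsing.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real data): "timestamp src dst_host bytes".
# One host contacts updates.example-cdn.test roughly every 60 seconds.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 updates.example-cdn.test 512
2024-05-01T09:00:07 10.0.0.5 news.example.test 20480
2024-05-01T09:00:37 10.0.0.5 news.example.test 18320
2024-05-01T09:01:00 10.0.0.5 updates.example-cdn.test 512
2024-05-01T09:01:31 10.0.0.5 mail.example.test 4096
2024-05-01T09:02:01 10.0.0.5 updates.example-cdn.test 512
2024-05-01T09:03:00 10.0.0.5 updates.example-cdn.test 512
2024-05-01T09:03:59 10.0.0.5 updates.example-cdn.test 512
2024-05-01T09:05:00 10.0.0.5 updates.example-cdn.test 512
2024-05-01T09:09:42 10.0.0.5 news.example.test 30112
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, dst, _size = m.groups()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def interval_stats(timestamps):
    """Return (mean gap, coefficient of variation) of the gaps in seconds."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv

def find_beacons(text, min_connections=5, max_cv=0.2):
    """Flag (src, dst) pairs whose connection gaps are suspiciously regular.
    max_cv tolerates a few seconds of jitter; raising it catches sloppier
    beacons at the cost of more hits from legitimately periodic software."""
    hits = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue  # too few connections to judge regularity
        mean, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits[pair] = round(mean, 1)  # approximate beacon period in seconds
    return hits
```

Note that a purely interval-based check does not catch malware that sleeps for days before its first callback; for that, destination reputation and long-baseline analysis are needed.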
 
You already know that most modern NGFWs are capable of filtering out malicious traffic coming from outside. But they are often configured far more leniently for traffic emanating from inside the network itself.
This outbound communication is also not as heavily monitored or restricted. This means that when malware is introduced through a different channel, e.g., a phishing email or a compromised website, it can often establish an outbound channel of communication that would otherwise be impossible. With this channel open, a hacker can carry out additional actions.
 
They can move laterally throughout the victim organisation's network. They can carry out multi-staged cyber-attacks. This model also enables an entire decentralised cybercrime industry: an initial access group may sell access to a prime target, such as a bank or a hospital, to a ransomware gang, for example.
 
------------------------------------
DO YOU WANT AN EXAMPLE?
------------------------------------
I found an old example at least...
 
The Gameover ZeuS botnet malware package, which ran on Microsoft Windows, was originally discovered in 2007. It operated for over three years in just this fashion, eventually leading to an estimated $70 million in stolen funds and the arrest of over a hundred individuals by the FBI in 2010. It wasn't until March 2012 that Microsoft announced it had succeeded in shutting down the "majority" of the C&C servers. The lesson is simple: botnets can survive and persist longer than you expect them to.
 
Other types of instructions can also be issued to zombie machines over C2. For example, large crypto-mining botnets have been identified. Even more exotic uses have been theorised in recent times, ranging from using C2 commands to disrupt elections to manipulating energy markets.
 
-
 
👉 What Are Main Methods for Command and Control?
 
In the past, hackers mostly used a centralised version of the C&C model. In this model, a single C&C server is used to send instructions (commands). But these C2 servers were relatively easy to detect, and hence were shut down fairly quickly.
 
To combat this, modern malware is often coded with a list of many different C2 servers to try to reach. It can have a list of 100+ servers pre-coded in the malware itself. The malware sends a beacon to each server one after another until it gets a response.
 
Malware has been observed fetching a list of C2 servers from GPS coordinates embedded in photos and from comments on Instagram.
 
It is quite common for attackers to use a peer-to-peer method of communication. In this method, one bot receives the instructions from the C2 server and then relays this set of instructions to the other bots in the botnet. There may or may not be a central node... Sometimes attackers use this P2P method as a fallback option if the original centralised method is disrupted.
 
A number of unusual techniques have also been observed for issuing instructions to infected hosts. Hackers have made extensive use of social media platforms, e.g., Facebook, as unconventional C2 platforms because they are rarely blocked.
 
A project called Twittor aims to provide a fully functional command and control platform using only direct messages on Twitter.
 
Hackers have also been observed using Gmail, IRC chat rooms, and even Pinterest to issue C&C messages to compromised hosts.
 
-
 
Kindly write 💚 your comment 💚 on the posts or topics, because when you do that you help me greatly in ✍️ designing new quality article/post on cybersecurity.
 
 

This Article Was Written & published by Meena R,  Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India. 
