Tags: CnC, Command-and-Control
Based on the enterprise networks Damballa assessed over the past three months, the answer is ‘very.’ Data collected during Network Security Checkups shows that more than 60% of the time, infected devices successfully connected with criminal command & control (C&C) servers. Read the complete report here.
Most enterprises guard the front door to prevent attackers from getting in while leaving the back door open. Devices must communicate with C&C to execute an attack, and that communication happens at the egress points. To stop this activity, you must understand the criminal communications process and automate the detection of behavior indicative of an infected device.
The Criminal Communications Process: From Crimeware to C&C
The process begins with the installation of a dropper on a device. Once that succeeds, the shellcode executes or the user clicks something and the dropper unpacks itself. While unpacking, the dropper disables local security and quickly catalogues the device, looking for things like CPU speed, extent of Internet access, network activity, IP/MAC address, and more.
Next, the device reaches out to an updater site to confirm installation and identification. The cyber broker may already have a threat actor lined up for the infected device or they can shop it around to threat actors who want to get inside the impacted enterprise. The updater gives the device the location of the downloader site where the real malware agent is deployed. At this point in the process, if the network is only instrumented to detect malware files coming through the front door, compromise is inevitable.
The dropper reaches out to the downloader site and grabs the first-tier malware agent(s). Typically a new, unique malware sample will be issued based on the identity of the enterprise and the threat actor’s motivation. If the infected asset is within an IP block of interest to the criminals, the situation can get ugly fast.
The malware agent is usually encrypted and won’t be detected by any sandbox solution or other prevention tool. The dropper has the key to decrypt the payload and allow the new malware to install. The newly installed malware may or may not delete the dropper – it can remove all evidence or leave something behind to throw off investigators. For example, it may leave disposable components so responders think they’ve cleaned up the infection when they haven’t. The first-tier malware agent now performs a bigger and better cataloguing of the victim device, this time looking for data.
Once the data is collected, there is a quick blast to a repository, which lets the operator know the infection was successful. The transmission includes the stolen data: any passwords, login credentials, interesting files or other items of value on the device.
The malware agent then starts communicating with a front-line array of C&C servers. Often, malware and domains are updated within a 22-hour timeframe because it usually takes antivirus companies 24 hours to update their signatures.
This highly sophisticated and resilient process can take place over a couple of hours, days, weeks or months and can include endless evasion cycles of malware updates and re-purposing. The timing is entirely at the discretion of the attacker. As soon as they have established communications with infected devices, your business risk escalates.
Enterprises must identify this activity and stay ahead of the attacker by pre-emptively redirecting the response of the infected device and quickly blocking access to any discovered C&C, so that other devices attempting connections are denied and an outbreak is prevented. Blocking C&C communication attempts can prevent data theft.
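One way to automate the egress-side detection described above, written as an added example rather than Damballa's own tooling: the staged updater / downloader / repository / C&C sequence and the fast domain rotation mean an infected host touches several very young domains in a short burst, so the script flags hosts that contact at least three domains first seen less than 24 hours ago within a ten-minute window, turns those domains into a block list, and reports every other host that has already reached one of them. The proxy records, the passive-DNS style first-seen table and the thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real traffic): egress proxy records as
# (timestamp, source host, destination domain) and a first-seen table
# of the kind a passive-DNS feed would provide.
EGRESS_LOG = [
    ("2013-05-01T09:00:12", "10.1.1.20", "updates.vendor.example"),
    ("2013-05-01T09:00:40", "10.1.1.20", "chk.young-one.example"),    # updater
    ("2013-05-01T09:01:05", "10.1.1.20", "dl.young-two.example"),     # downloader
    ("2013-05-01T09:02:00", "10.1.1.20", "up.young-three.example"),   # repository
    ("2013-05-01T09:02:30", "10.1.1.20", "c2.young-four.example"),    # C&C
    ("2013-05-01T09:05:00", "10.1.1.31", "c2.young-four.example"),    # second victim
    ("2013-05-01T09:10:00", "10.1.1.42", "www.vendor.example"),
]
FIRST_SEEN = {
    "updates.vendor.example": "2011-02-10T00:00:00",
    "www.vendor.example": "2011-02-10T00:00:00",
    "chk.young-one.example": "2013-04-30T20:00:00",
    "dl.young-two.example": "2013-04-30T22:30:00",
    "up.young-three.example": "2013-05-01T01:00:00",
    "c2.young-four.example": "2013-05-01T03:00:00",
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_suspect_hosts(log, first_seen, max_age_h=24, window_min=10, min_domains=3):
    """Return {host: sorted young domains} for each host that contacted at least
    min_domains distinct domains younger than max_age_h inside a window_min burst."""
    young_hits = defaultdict(list)  # host -> [(time, domain)]
    for ts, host, domain in log:
        t = _ts(ts)
        seen = first_seen.get(domain)
        # A domain never seen before on the network is treated as young too.
        if seen is None or t - _ts(seen) <= timedelta(hours=max_age_h):
            young_hits[host].append((t, domain))
    suspects = {}
    for host, hits in young_hits.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide a window over the host's hits
            in_window = {d for t, d in hits[i:] if t - t0 <= timedelta(minutes=window_min)}
            if len(in_window) >= min_domains:
                suspects[host] = sorted(in_window)
                break
    return suspects

def build_blocklist(log, first_seen, **kw):
    """Domains touched by suspect hosts become the block list; every other host
    that already contacted one of them is returned for follow-up."""
    suspects = find_suspect_hosts(log, first_seen, **kw)
    blocked = {d for doms in suspects.values() for d in doms}
    others = sorted({h for _, h, d in log if d in blocked and h not in suspects})
    return sorted(blocked), others
```

On the sample data the burst from 10.1.1.20 is flagged, its four young domains form the block list, and 10.1.1.31 is reported because it has already reached the same C&C domain.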
Additional information about malware’s installation lifecycle can be found here.