The Evolution of C2 Communication: Custom TCP Protocols

Introduction

Command-and-control (C2, C&C or CNC) servers are used to remotely manage, control, and communicate with compromised systems within a network. They enable attackers to execute commands, exfiltrate and/or encrypt data for ransom, and coordinate other malicious activities. The effectiveness and reach of malware are significantly hindered, if not altogether eliminated, without C2 communication. According to some industry estimates, 60% to 70% of malware variants rely on C2 servers for communication. This statistic alone should give us an idea of how critical it is for security teams, and their tools, to be able to block and hunt for C2 traffic.

HTTP/HTTPS have traditionally been the go-to protocols for C2 communications over TCP because nearly all organizations rely on web traffic for legitimate purposes. The fact that HTTP/S traffic typically uses common ports (80 for HTTP and 443 for HTTPS), which are often permitted through firewalls, increases the chances of bypassing perimeter security.

Increasingly sophisticated detection methods are helping us to more easily identify well-known C2 communication methods. Unsurprisingly, attackers have adapted in response to our advances. Some of the tools in their updated arsenal include impersonating legitimate protocols, as well as using custom protocols, non-standard protocol/port pairings, and non-application layer protocols. One such technique our Malware Patrol team has noticed is the move toward the use of non-HTTP/S communication over TCP.

In this blog post, we’ll focus specifically on this trend seen in our data by exploring the implications for threat detection & response and providing mitigation strategies. For more general information about C2s, check out our previous blog post and MITRE ATT&CK’s Command and Control tactic topic.
 

Command-and-Control Channels: Many, Many TCP Options

Attackers’ ingenuity has brought about an impressive variety of C2 communication tactics. Their use varies depending on the capabilities of the malware being deployed, as well as the sophistication of the threat actor, their specific goals, the environment they’re targeting, and the need to avoid detection.

Below is an overview of the most common methods to establish C2 channels. Whenever applicable, we have included details about how TCP might be used to facilitate communication.

Most Used Protocols

1. HTTP/HTTPS:
   • HTTP/HTTPS are among the most common protocols used by C2 servers.
   • HTTPS adds encryption, making it more challenging to detect malicious activity without decryption and deep packet inspection.
   • TCP-related: HTTP/HTTPS traffic is transmitted over the Transmission Control Protocol (TCP), which ensures reliable delivery of data packets between the client (infected host) and the server (C2 server). TCP’s connection-oriented nature allows for proper sequencing of the communication stream, making it suitable for C2 communications that require reliable data transmission.
2. DNS:
   • DNS (Domain Name System) is often used for C2 communication because DNS queries and responses are typically allowed by firewalls and proxies. Threat actors can encode commands and data in DNS queries or responses, using techniques such as DNS tunneling.
   • TCP-related: While DNS queries typically use UDP (User Datagram Protocol) port 53 for quick and stateless connections, DNS can also operate over TCP, especially for larger queries and zone transfers. When DNS over TCP is used for C2 communication, it benefits from TCP’s reliability but might be easier to detect due to the less common use of DNS over TCP.
3. IRC (Internet Relay Chat):
   • Although less common now, IRC was historically popular for C2 communication, especially with early botnets. IRC’s simplicity and ease of use made it a favored choice, but its predictable traffic patterns have led to a decline in its use as defenders became more adept at detecting it.
   • TCP-related: IRC operates over TCP port 6667, providing a reliable connection for the C2 server to send and receive commands and data. The TCP connection ensures that messages are delivered in order, which is critical for maintaining the session’s integrity during the C2 communication.
4. FTP (File Transfer Protocol):
   • FTP is occasionally used to establish a C2 channel, especially in older or less sophisticated malware. It’s often employed for uploading stolen data from the infected host to the C2 server.
   • TCP-related: FTP uses TCP for establishing connections and transferring files. It typically operates over TCP ports 20 and 21. The reliable data transfer that TCP provides is essential for the successful upload and download of files between the infected host and the C2 server.
5. Email Protocols (SMTP/IMAP/POP3):
   • Email is used by some C2 frameworks, where commands are delivered via email messages, and the infected host sends its responses back via SMTP, IMAP, or POP3.
   • TCP-related: Email protocols such as SMTP, IMAP, and POP3 rely on TCP for reliable message delivery. TCP’s connection-oriented nature ensures that email messages, including those carrying C2 commands, are transmitted reliably and in order.

Additional Communication Methods

1. Social Media Platforms:
   • C2 traffic has been observed over social media platforms like Twitter, Facebook, and LinkedIn. Malware can embed commands in social media posts, hashtags, or comments, and the infected host can check these posts for instructions.
2. Steganography:
   • Steganography involves hiding commands or data within images, videos, or other files, which are then transferred via standard protocols (like HTTP or HTTPS). This method makes detection significantly harder since the payload is hidden within legitimate-looking content.
3. Peer-to-Peer (P2P) Networks:
   • P2P networks allow infected hosts to communicate with each other or with the C2 server without relying on a centralized server. This decentralization makes takedown efforts more complex and resilient to single points of failure.
   • TCP-related: P2P networks often rely on TCP to establish communication channels between nodes. TCP’s ability to provide error-checking and flow control is beneficial for maintaining stable connections in a decentralized P2P C2 infrastructure.
4. Tor and Other Anonymity Networks:
   • Tor and similar anonymity networks provide a layer of obfuscation for C2 traffic, making it more difficult to trace the source or destination of the communication.
   • TCP-related: Tor operates over TCP, providing a reliable and encrypted communication channel that obfuscates the source and destination of the C2 traffic. TCP’s role is crucial in ensuring the integrity of the hidden service connections within the Tor network.
5. Cloud Services:
   • Cloud services like Google Drive, Dropbox, and other legitimate file-sharing services have been exploited for C2 purposes. Commands and exfiltrated data can be stored or transferred through these services, blending in with normal, legitimate use.
6. Custom Protocols:
   • Advanced threat actors sometimes develop custom protocols specifically designed for their malware. These protocols can be tailored to evade detection by traditional security tools and often use encryption or obfuscation techniques to further complicate analysis.
   • TCP-related: Some custom protocols developed by advanced threat actors may be built on top of TCP to leverage its reliability and connection-oriented features. This allows for stable and dependable C2 communication while evading detection by traditional security tools.
7. Beaconing:
   • Beaconing is a method where an infected system periodically sends out signals (often very short and difficult to detect) to a C2 server to check in and await further instructions. These beacons can be transmitted via common protocols like HTTP/HTTPS, DNS, or even custom protocols.
   • TCP-related: Beaconing often uses TCP-based protocols like HTTP/HTTPS or DNS over TCP to ensure that the short, periodic signals sent by the infected system reach the C2 server reliably, despite their low visibility.

Emerging Trends in C2 Infrastructure

Emerging trends include the use of cloud-based serverless architectures by attackers for C2 infrastructure. This method enhances scalability and complicates the attribution of attacks to specific threat actors. Additionally, some advanced threat groups are experimenting with blockchain technology for C2 communication. Thanks to its decentralized nature, it helps attackers achieve greater resilience and anonymity.
 

The Shift to TCP

The use of TCP for C2 communications is driven by several factors. It is often chosen due to its lower visibility and detection risks. Attackers exploit TCP’s flexibility to create custom protocols or mimic benign services like SSH or FTP, making it harder for traditional security mechanisms to detect malicious activity. Additionally, using raw TCP helps attackers bypass web proxies that typically monitor HTTP/S traffic for suspicious domains or payloads. TCP also supports the implementation of custom, often encrypted, communication protocols, which further obfuscate the attackers’ activities and complicate defenders’ efforts to analyze and decode the traffic. And last but not least, TCP’s inherent reliability, with error-checking and recovery features, ensures persistent and stable connections, even over unreliable networks.

Real World Examples

It’s easy to speak in generalities about how to improve security, but seeing real world examples brings a much better understanding. They offer specifics that can be applied to security efforts and tools. To this end, we found resources related to how some malware families are making use of TCP, among other behaviors.

APT Groups

Several APT groups have been observed using TCP-based C2 communications. For instance:

1. APT29 (Cozy Bear)
   • Related Malware Families: WellMess, WellMail
   • C2 Communication: Both WellMess and WellMail are known to use custom TCP protocols to communicate with C2 servers. WellMess can use HTTP, HTTPS, and DNS for its C2 communication, and it supports mutual TLS (mTLS) for secure communications, which is atypical for many malware strains. The mTLS implementation requires both the server and the client to have certificates signed by the same Certificate Authority, making the traffic difficult to detect. Additionally, WellMail has been observed using TCP port 25 (typically associated with SMTP) for C2 communication, though it does not use the SMTP protocol, making it a non-standard use of this port, which can help evade detection.
2. APT41 (Winnti Group)
   • Malware Family: ShadowPad
   • C2 Communication: ShadowPad is a modular backdoor employed by APT41 that utilizes custom TCP protocols for C2 communication. This malware can operate across multiple protocols, including TCP, HTTP, HTTPS, UDP, and DNS, allowing it to blend in with normal network traffic and evade detection. The flexibility and modularity of ShadowPad make it a potent tool in APT41’s arsenal, enabling the group to perform various operations such as data exfiltration and lateral movement within compromised networks.
3. APT34 (OilRig)
   • Malware Family: Karkoff
   • C2 Communication: Karkoff, a backdoor used by APT34, employs custom TCP protocols to communicate with its C2 servers. The malware’s use of these protocols, often paired with encryption, allows it to operate under the radar of many network-based detection systems, complicating efforts to intercept or analyze the C2 traffic.

Malware Analyses: A Deep Dive

The following linked articles offer an analysis of the malware family, including its C2 communication methods.

– DBatLoader
– Gafgyt
– NanoCore RAT
– njRAT
– QuasarRAT
– Risepro
– Socks5systemz
– SystemBC
– Tsunami (Muhstik)
 

What the Data Says

Malware Patrol has been offering a C2 servers addresses data feed for well over a decade. This lengthy history gives us a unique and authoritative perspective on the landscape of C2 communications. For this post, we used our data from August 2024, as well as some historical data, to make observations about the current landscape.

TCP is by far the most prevalent protocol being used.

The most common ports are the following:

To learn more about these ports, including the services and malware that use them, the resources provided by SANS ISC and SpeedGuide.net are very informative.

We regularly resolve DNS for command-and-control servers and the resulting IPs are added to our Malicious IPs feed. In August 2024, the following IPs were found to be hosting multiple (75+) C2s:

For a big picture view of C2 protocol trends, we looked at Malware Patrol’s data from the last decade (charted below). This visual representation clearly demonstrates the steadily increasing use of the TCP protocol, along with a decrease in the use of HTTP/S. UDP use remains minimal, and FTP so negligible that it didn’t show up in the numbers once they were rounded up.

 

Further breaking down the data, we see that many of the most active and well-known malware families are predominantly using TCP, with just a few exceptions.

 

For the following families, we have only TCP-based C2 server addresses as of August 2024:

 

Monitoring and Detecting TCP-Based C2 Communications

Detecting TCP-based C2 traffic requires some shifts in monitoring strategies, but first of all, and as always, the foundational basics of security should be well implemented. Then, security teams must enhance their visibility into network traffic and apply more sophisticated analysis techniques to identify potential threats. Here are some strategies to consider:

1. Broaden Network Traffic Monitoring: Ensure that all network traffic, not just HTTP/HTTPS, is subject to scrutiny. This includes monitoring for unusual activity on non-standard ports and paying attention to any TCP connections that do not align with normal network behavior.
2. Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. By segmenting critical assets and enforcing strict access controls, you can reduce the impact of a compromised system establishing a TCP-based C2 channel.
3. Strict Egress Filtering: Apply egress filtering on firewalls to restrict outbound traffic. Only allow necessary TCP connections and restrict connections to known IP addresses and ports. This can prevent compromised systems from establishing C2 connections to external servers.
4. Behavioral Analysis: Implement network behavioral analysis (NBA) tools to detect anomalies in TCP traffic. These tools can identify unusual patterns, such as long-duration TCP connections, unexpected data transfer volumes, or irregular communication intervals, which may indicate C2 activity.
5. Deep Packet Inspection (DPI): Utilize DPI to inspect the contents of TCP packets. Although attackers may use encryption or obfuscation, DPI can help identify suspicious payloads or metadata within TCP streams that deviate from known legitimate traffic.
6. Endpoint Detection and Response (EDR): EDR solutions can provide visibility into the processes and connections initiated on endpoints. Correlating endpoint activity with network traffic can help identify suspicious TCP connections originating from compromised devices.
7. Anomaly Detection with Machine Learning: Machine learning-based anomaly detection systems can be trained to recognize deviations in TCP traffic. These systems can learn what normal traffic looks like and flag communications that fall outside the expected parameters, such as unexpected ports or communication patterns.
8. Threat Intelligence Integration: Incorporate threat intelligence feeds that provide indicators of compromise (IOCs) related to TCP-based C2 activity. These IOCs can include IP addresses, domains, and port numbers associated with known threat actors, helping to identify malicious connections.
9. Deception Techniques: Deploy deception technologies such as honeypots and honeytokens to lure attackers into revealing their TCP-based C2 channels. These tools can provide valuable insights into attacker behavior and help identify the methods used to establish C2 connections.
10. Advanced Threat Hunting: Engage in proactive threat hunting to identify and mitigate TCP-based C2 channels. Threat hunters can search for indicators of TCP-based C2 communications by analyzing network logs, correlating endpoint activity, and utilizing threat intelligence.
11. Regular Security Audits: Conduct regular security audits to assess the effectiveness of your defenses against TCP-based threats. Audits should include testing your ability to detect and respond to TCP-based C2 communications, as well as reviewing network configurations and access controls.
12. Employee Training and Awareness: Educate employees about the dangers of phishing and other social engineering tactics used to compromise systems. Many TCP-based C2 channels are established after an initial infection, often delivered via email or malicious websites. By raising awareness, you can reduce the likelihood of a successful compromise.

 

Conclusion

Ultimately, the key to mitigating the risk posed by TCP-based C2 communications – or any threat – lies in continuous vigilance, adaptability, and a commitment to staying informed about the latest developments in the threat landscape. As C2 communication tactics continue to evolve, organizations that are proactive in their approach to cybersecurity will be best positioned to detect, respond to, and prevent these emerging threats.

For an additional layer of protection, Malware Patrol offers a C2s data feed that covers the latest malware campaigns and families. It is offered in formats compatible with most industry tools and platforms for simple integration with your existing security stack. We offer a free evaluation. Find out more here.

Indicators of Compromise

Frequently Seen C2 Server IPs – August 2024

3.64.4.198
3.67.161.133
3.125.188.168
3.126.224.214
18.158.58.205
18.197.239.109
18.229.146.63
35.158.159.254
154.248.27.182
209.25.141.212

Most Popular C2 Communication Ports – August 2024

23
2404
4444
7443
8443
8848
8888
31337
50050
60000