The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
The Open System Interconnection (OSI) model is the conceptual framework used to understand and standardize the functions of networking. The OSI model is divided into seven layers, each responsible for specific tasks related to data communication between devices on a network. The topmost layer in the OSI model is the Application Layer, and the protocols that live in this layer are called Application Layer Protocols. These protocols define the rules that ensure the interoperability and compatibility of diverse software applications across different platforms and networks. Adversaries exploit the Application Layer Protocols to stealthily infiltrate systems, exfiltrate data, and maintain persistent access by blending with legitimate traffic.
In this blog, we explain the T1071 Application Layer Protocol technique of the MITRE ATT&CK® framework and how adversaries employ its sub-techniques in attack campaigns in detail.
Download the Red Report - Top Ten MITRE ATT&CK Techniques
Adversary Use of Application Layer Protocol
Application Layer Protocols, when used by cyber adversaries, serve as a crafty means to conduct their operations discreetly, often blending with regular network traffic to evade detection. The core of this strategy lies in embedding malicious commands and data within the traffic of commonly used protocols. This approach is not limited to any protocol type; adversaries can leverage a range of protocols, each chosen for its prevalence and perceived innocuity within a specific network environment.
For instance, protocols associated with web browsing, file transfers, email communications, or DNS queries are prime candidates for this technique. The traffic generated by these protocols is so commonplace in network environments that the malicious activities can effectively hide in plain sight. In more confined network segments, like within corporate enclaves, protocols such as SMB (Server Message Block), SSH (Secure Shell), and RDP (Remote Desktop Protocol) are more likely to be used. These protocols are typical in internal network communications, especially where remote access or file sharing is a regular activity. By manipulating these protocols, attackers can not only issue commands to compromised systems but also exfiltrate data or even move laterally across the network, all while maintaining a low profile and avoiding the scrutiny of network security systems.
Sub-techniques of T1071 Application Layer Protocol
T1071.001 Web Protocols
Web protocols are rules and standards that govern how data is transmitted over the internet, with HTTP and HTTPS for web access and WebSocket for real-time communication. They ensure efficient, secure, and structured data transfer. Adversaries target these protocols due to their ubiquity and integral role in Internet communications, making malicious activities harder to detect.
Adversaries increasingly exploit web protocols like HTTP/S and WebSocket for covert command-and-control operations. The ubiquity of these protocols in network environments allows malicious traffic to blend seamlessly with legitimate communication, reducing suspicion. HTTP/S, with its complex structure of fields and headers, provides a conducive environment for embedding commands and data exfiltration, facilitating discreet remote system control. Incorporating HTTPS encryption further obscures these activities, challenging network monitoring tools' ability to detect anomalies. Additionally, WebSockets are utilized for their persistent, low-latency connections, ideal for continuous, stealthy communication with compromised systems. This approach effectively circumvents traditional network defenses, which are generally less effective against sophisticated web-based communication methods.
For instance, the Truebot malware, as disclosed by CISA in July 2023 as part of its cyber threat operations [1], utilizes HTTP POST requests to establish C2 communications with compromised systems. This technique involves sending collected data, such as system and domain names, from the infected host to a hard-coded URL embedded within the malware. The POST request, a standard web protocol method, is effectively exploited by Truebot to set up bi-directional communication channels discreetly. This enables the malware to receive additional malicious payloads, replicate across the network, and execute further operations while maintaining stealth.
In another example, as revealed in CISA's cybersecurity advisory (AA23-075A) in June 2023, LockBit 3.0 utilizes the ThunderShell tool, which facilitates remote access via HTTP requests [2]. This capability allows LockBit affiliate actors to access systems while encrypting network traffic remotely.
Moreover, as disclosed in June 2023, the cyber espionage group MuddyWater, recognized as part of the Iranian Ministry of Intelligence and Security, has been deploying its new custom-made C2 framework, PhonyC2, in ongoing cyber operations. This framework, continuously refined since its inception in 2021, marks an evolution from their previous MuddyC3 framework.
Notably, in their recent attacks, including the one on the Technion Institute, MuddyWater utilized PhonyC2 to leverage HTTP web protocols for downloading obfuscated payloads [3]. This method, exemplified by the use of a seemingly innocuous HTTP link, highlights their sophisticated approach to evading detection.
hxxp://<adversary’s_C2_Server>:443/9b22685e-f173-4feb-95a4-c63daaf40c58.html?X9GFTRD6OZE=X9GFTRD6OZ |
This strategy, along with their primary reliance on social engineering for initial system access, emphasizes the need for organizations to bolster system security and carefully monitor PowerShell activities to mitigate these threats.
In September 2023, CISA's cybersecurity advisory (AA23-263A) revealed another use of web protocols for C2 purposes, shedding light on the tactics employed by Snatch ransomware threat actors [4]. These attackers establish persistence within a victim's network by initially compromising an administrator account. They subsequently establish connections over port 443, following technique T1071.001, to communicate with a C2 server. Notably, this server is hosted on a Russian bulletproof hosting service. This strategy showcases the clever utilization of secure communication channels to avoid detection while maintaining control over the compromised systems.
T1071.002 File Transfer Protocols
File Transfer Protocols, such as SMB, FTP, and TFTP, facilitate file sharing across networks by embedding data within headers and content. Although these protocols are widespread, they are also vulnerable. Adversaries can exploit them to covertly control compromised systems, disguising their malicious activities as regular network traffic. This allows them to evade detection by taking advantage of the protocols' inherent complexities and widespread use.
Adversaries exploit file transfer protocols like SMB, FTP, FTPS, and TFTP for malicious activities by blending their communications with regular network traffic, making detection difficult. These protocols inherently contain numerous fields and headers, which can be manipulated to conceal malicious commands and data. This method is particularly effective for command and control operations, allowing attackers to discreetly maintain communication with compromised systems. They can also use these protocols to transfer malware or exfiltrate data, all while appearing as regular file transfer traffic.
For example, in August 2023, it was revealed that the Disco malware, linked to the MoustachedBouncer group, uses an advanced method involving the SMB protocol for file transfers and C2 operations [5]. Initially, victims are led to a deceptive Windows Update page, where they unknowingly download a dropper written in Go. This dropper then sets up a scheduled task to run a file called "OfficeBroker.exe" every minute. This file is obtained through an adversary-in-the-middle (AitM) attack on an SMB share.
\\<SMB_Server>\OfficeBroker\OfficeBroker.exe |
Although the exact nature of "OfficeBroker.exe" is not fully known, it's likely a downloader pulling additional plugins from SMB shares. These plugins, also written in Go, execute various tasks, including data exfiltration, again utilizing SMB shares. This approach effectively hides the C2 server from external observation and makes the network infrastructure of the attackers resilient, as the C2 server is not directly accessible from the internet.
As another, in June 2023, the CISA released cybersecurity advisory AA23-165A, highlighting that LockBit affiliates are utilizing FileZilla for data exfiltration. This tool allows adversaries to transfer data over FTP directly to the servers or hosts controlled by LockBit affiliates [2].
T1071.003 Mail Protocols
Mail protocols like SMTP/S, POP3/S, and IMAP facilitate electronic mail delivery and are ubiquitous in many environments. Adversaries exploit these protocols, embedding commands and data within emails or protocol fields to covertly communicate with compromised systems. This method effectively camouflages malicious activities, raising concerns about adversaries targeting these protocols for stealthy network infiltration.
Adversaries increasingly target email protocols such as SMTP, IMAP, and POP3 for C2 communications. These protocols, integral to the sending and receiving of emails, are exploited to relay commands to compromised systems and exfiltrate sensitive data discreetly. The attackers often use email attachments or hijack legitimate email accounts, including self-registered or compromised ones, to conduct their operations. This tactic allows them to blend in with regular email traffic, avoiding detection.
Uncover the Top 10 MITRE ATT&CK Techniques
1. Stealthy Data Exfiltration with SMTP
In August 2023, in an SMTP-based attack carried out by the NightClub malware, adversaries used a sophisticated method for data exfiltration [5]. This technique involves encoding sensitive files in base64 format, which are then appended as attachments to SMTP emails. The malware uses hardcoded and Linear Congruential Generator-encrypted credentials to authenticate with the SMTP server, smtp.seznam.cz. The emails sent from a sender to a recipient address created by the attackers feature a unique aspect in their headers: default X-Mailer headers, precisely mimicking 'The Bat!' email client, common in Eastern Europe. This choice of X-Mailer header is strategic, designed to blend malicious emails with regular traffic, thereby reducing the likelihood of detection. By leveraging these specific headers and the SMTP protocol, NightClub effectively camouflages its exfiltration activity, turning standard email components into tools for stealthy data theft.
2. SMTP Abuse for Multiple Covert Actions
Rather than leveraging a single technique, adversaries can abuse SMTP for multiple malicious actions. For instance, in December 2023, Barracuda disclosed that UNC4841 threat actors deployed new variants of SEASPY and SALTWATER malware into a limited number of ESG devices to exploit the CVE-2023-7102 vulnerability [6]. When analyzed, these malware variants were found to utilize SMTP for malicious actions.
For instance, the SALTWATER malware embedded in the Barracuda SMTP daemon (bsmtpd) exemplifies a sophisticated abuse of the SMTP protocol. It integrates backdoor functionalities within the SMTP framework, enabling command execution, file uploads/downloads, and advanced proxying or tunneling capabilities. These activities are facilitated through the targeted manipulation of SMTP-related system calls. By embedding itself within the SMTP service, SALTWATER operates covertly, mimicking legitimate SMTP traffic to evade detection, thereby demonstrating a nuanced exploitation of SMTP for malicious objectives.
On the other hand, SEASPY malware [7], disguised as a legitimate Barracuda Networks service, specifically targets SMTP traffic on port 25, the standard port for SMTP communications. By establishing itself as a PCAP filter, SEASPY monitors and manipulates SMTP traffic, activating its backdoor functionalities upon detection of certain triggers within the SMTP traffic. This strategy illustrates a sophisticated approach to exploiting the SMTP protocol, using it not just for communication but also for initiating malicious activities covertly.
Finally, the SEASIDE malware operates as a Lua-based module for the Barracuda SMTP daemon [6]. It monitors SMTP HELO/EHLO commands, a fundamental part of the SMTP handshake process, to receive C2 instructions. These instructions are then used to establish reverse shells, effectively turning standard SMTP protocol commands into gateways for unauthorized remote access.
3. Discrete Remote Code Execution with IMAP
The following example is not related to SMTP but uses the IMAP protocol. As disclosed in December 2023, In the Ukrainian cyberattack, Russian hackers adeptly employed the IMAP protocol for command execution [8]. The critical component of this strategy was the OCEANMAP backdoor, a C# based malware. It ingeniously used IMAP to receive commands hidden within base64-encoded email drafts. This method allowed for discreet command execution, bypassing typical security detections. Additionally, OCEANMAP included the following abilities:
- A configuration update mechanism.
- Enabling the malware to patch and restart its backdoor executable files.
- Ensuring continued access and control.
For persistence, it created a "VMSearch.url" file in the Windows startup directory, thereby ensuring its activation upon every system start. This sophisticated use of IMAP for both receiving commands and updating its configuration illustrates a complex and covert approach to maintaining control over compromised systems.
T1071.004 DNS
The Domain Name System (DNS) translates domain names to IP addresses, which is crucial for Internet navigation. Adversaries exploit DNS for its ubiquity to hide malicious communications within normal traffic. By embedding commands in DNS queries, they conduct undetected activities, leveraging the protocol's common use and capacity to mask nefarious payloads in regular network exchanges.
Adversaries can exploit the DNS in various sophisticated ways beyond just tunneling. By embedding commands and data in DNS queries and responses, they can communicate covertly with compromised systems. Techniques include using DNS-over-HTTPS for encrypted communications, DNS dribbling, and encoding data into DNS requests and responses for stealthy data transmission. These methods allow attackers to blend malicious activities with regular network traffic, often bypassing conventional network security measures.
1. DNS-over-HTTPS for Encrypted Communications
Advanced attackers may prefer to leverage this technique to mask their malicious network traffic, performing stealthy command and control communication. For instance, in June 2023, the 'ChamelDoH' malware developed by the Chinese threat group 'ChamelGang' leveraged DNS-over-HTTPS for encrypted communication with command and control servers [9]. This method uses encrypted DNS queries, traditionally unencrypted, making them indistinguishable from regular HTTPS traffic and difficult to monitor for malicious activity. ChamelDoH configures DoH queries with encoded data, enabling stealthy, secure communication and command execution between the infected device and the attackers' servers.
2. DNS Query Dribbling for Defense Evasion
DNS query dribbling is a technique in which a large DNS query is fragmented into smaller, inconspicuous parts that evade detection or DNS filtering. For example, in April 2023, the Decoy Dog malware toolkit was disclosed, showcasing a sophisticated DNS attack mechanism uncovered through a detailed analysis of DNS queries [10]. This toolkit employs DNS query dribbling, a technique. These parts are later reassembled at their destination, forming the original query that typically triggers security alerts. Combined with strategic domain aging, Decoy Dog creates a facade of legitimacy, enabling it to conduct command and control operations discreetly.
3. Leveraging Both Encoding and Fragmentation
Adversaries may combine encoding and packet fragmentation techniques to provide even stealthier communication. For instance, as disclosed in CISA's cybersecurity advisory (AA23-129A) released in May 2023, Snake malware employs a sophisticated method for outbound and inbound communications using DNS queries [11]. Outbound, it encodes data into DNS requests by converting byte arrays into base32 text, using a combination of digits and lowercase letters, with certain characters representing the same value. This encoded data is inserted before the first '.' in a domain-like string, sent via the gethostbyname function, appearing as standard DNS queries. Inbound, Snake interprets the IPv4 addresses in DNS responses as covert data. It sorts these addresses by the highest order nibble and extracts the encoded data from the remaining 28 bits. This strategy enables Snake to establish a concealed, low-bandwidth communication channel using DNS while it resorts to custom HTTP and TCP protocols for higher bandwidth needs.
References
[1] “Increased Truebot Activity Infects U.S. and Canada Based Networks,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a.
[2] “Understanding Ransomware Threat Actors: LockBit,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a.
[3] “PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater,” Deep Instinct, Jun. 29, 2023. Available: https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater.
[4] “#StopRansomware: Snatch Ransomware,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a.
[5] A. Goretsky, “MoustachedBouncer: Espionage against foreign diplomats in Belarus.” Available: https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/.
[6] “Barracuda Email Security Gateway Appliance (ESG) Vulnerability,” Barracuda Networks. Available: https://www.barracuda.com/company/legal/esg-vulnerability.
[7] “[No title].” Available: https://www.cisa.gov/sites/default/files/2023-08/MAR-10454006.r4.v2.CLEAR_.pdf.
[8] B. Toulas, “Russian military hackers target Ukraine with new MASEPIE malware,” BleepingComputer, Dec. 28, 2023. Available: https://www.bleepingcomputer.com/news/security/russian-military-hackers-target-ukraine-with-new-masepie-malware/.
[9] B. Toulas, “Chinese hackers use DNS-over-HTTPS for Linux malware communication,” BleepingComputer, Jun. 14, 2023. Available: https://www.bleepingcomputer.com/news/security/chinese-hackers-use-dns-over-https-for-linux-malware-communication/.
[10] B. Toulas, “Decoy Dog malware toolkit found after analyzing 70 billion daily DNS queries,” BleepingComputer, Apr. 23, 2023. Available: https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-found-after-analyzing-70-billion-daily-dns-queries/.
[11] “Hunting Russian Intelligence ‘Snake’ Malware,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a.