Malware Command and Control – How it Works – Video Blog
Video – Command and Control – How it Works
Hey folks, I’m Chris Brenton. And in this video, I’m gonna walk you through command and control channels, what they are and how they work. So a command and control channel is how an attacker maintains access to a system that they’ve compromised. So for example, I may have an internal user who receives an email, they click something they shouldn’t have, and malware gets installed on that system. The attacker cannot interact with that system directly because it’s typically sitting behind a firewall. So in order to be able to control that system, they’ll set up a command and control channel. A command and control channel works like this. The attacker sets up what’s referred to as a command and control server, sometimes referred to as a C2 server. And it effectively acts as a proxy for the connection. The compromised system will call out to that command and control server on a regular basis and say, Hey, I’m here. I’m compromised. Do you have anything for me to do? If there’s nothing in its work queue, the command and control server tells it, Nope, go back to sleep. It’ll pause for some period of time. Sometimes that time is variable, but it’ll pause for a period of time and then come back and check in again. So imagine our attacker wants to identify what processes are running on that system. What they’ll do is they’ll connect to the command and control server. They’ll submit something to the work queue. So they’ll say, Hey, I wanna run the tasklist command. Now the next time this system checks in and says, Hey, do you have anything for me to do? It’s told, Yes, execute this tasklist command. The malware goes through and runs the tasklist command, takes the output from that command, exfiltrates that data as part of that same connection, and sends that information up to the command and control server. And now our attacker can retrieve it. This is our kind of classic command and control. This is how it’s worked for many years, but there are a number of variations off of this.

One is to use DNS. DNS is kind of crafty because you don’t get any additional traffic leaving the system that’s compromised. The way this works is our attacker goes out and registers some domain. For the purposes of this example, let’s just assume they register evil.com. And then what they do is they set up their C2 servers to be the authoritative name servers for that domain. So that means anybody trying to resolve something within that domain is gonna be talking to the C2 servers. You probably know where this is going. Our malware then does a query for some resource within that domain and sends that to the local DNS server, usually a DNS forwarder. That forwarder will do the work of figuring out where that command and control server is located, you know, where the authoritative name server for this domain is, which happens to be the command and control server. And then it’ll send that request to that server. This request is effectively a coded message that says, Hey, I’m here. I’m compromised. Do you have anything in my work queue for me to do? Again, if our attacker wants to run the tasklist command, they simply submit that to the queue. When this system checks in, the answer that comes back is a coded message that says, Run the tasklist command. That data will then be exfiltrated out, typically over additional queries that take place after that. So again, this one’s kind of crafty, because if we’re looking for additional traffic from the compromised system, we’re not gonna see it. It’s all funneling through DNS.

Another variation off of this is to use social media. So this could be a Twitter account. This could be a LinkedIn account. In this particular example, I’m using a Gmail account, but any of those possibilities work. What the attacker does is, when the malware gets installed on that system, it includes the ability to log into some specific social media account. Again, in this case here, we’re gonna say Gmail. So they’ll set up a Gmail account. This system, when it’s compromised, will check into that account and it’ll check to see, does it have any email? If it has any email, it processes that as commands that it should then go through and execute. So now when our attacker wants to go through and run the tasklist command, all they do is they send an email to that specific email address. When the compromised system checks in, sees it’s got that email, sees it needs to run the tasklist command, it’ll run that command. It’ll then reply to the message with the exfiltrated data, which is the list of commands that are running in memory on that system. That’ll get sent to the attacker as an email.

A command and control channel we’re just starting to see pop up is attackers taking their command and control servers and putting them behind CDN networks. This one’s pretty nefarious, and it can be a challenge to try and run down. So in this case here, instead of talking to the C2 server directly, the C2 server is sitting behind a content delivery network. So that’s a load balancing network run by some major provider. Could be Akamai, could be Amazon. We’ve seen it on a couple of different platforms. So what happens now is when this compromised system is calling out to say, Hey, do you have anything for me to do? It’s actually talking to multiple IPs within the CDN network. So we don’t have a connection going to a single IP anymore. It’s actually going to multiple IPs, which makes it harder to track down the persistency of the connection. Further, there’s gonna be legitimate companies using the same CDN network. So in the example of Akamai, you know, Microsoft is a major Akamai customer as well. So our Windows systems are gonna be calling out to Akamai servers on a regular basis anyway. So now not only is that C2 signal broken up over multiple IPs, but mixed in with it is legitimate traffic. So to figure out we’ve got C2 taking place here, we need a way to kind of collapse these IPs down to a single target to look for that persistency. And we also need to pull the legitimate traffic out of the way to be able to go in and identify this C2 pattern taking place. So again, this one can be a little bit more of a challenge. It is possible to solve it. I’ll cover that in another video, but again, this is just a quick rundown on what type of C2 channels you might encounter.
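The following is an added example, not part of the video or of any Active Countermeasures tool. It shows, in runnable form, two of the patterns Chris describes: a jittered beacon that a CDN spreads across several IPs (and why collapsing by hostname rather than by IP brings the timer back into view), and DNS C2 where the client hex-encodes a tasklist-style listing into query labels under a domain the attacker is authoritative for, with a simple hunt for "many long, never-repeated names under one domain". All log lines, the domain names (`update.evil.example`, `evil.example`, `www.example.test`), the RFC 5737 addresses, and the thresholds (`min_conns`, `max_cv`, `min_unique`, `min_label_len`) are constructed assumptions for the demo.

```python
"""Hunting for the C2 shapes described in the video: a timed beacon that a CDN
splits across several IPs, and DNS C2 that hides check-ins and exfil inside
queries.  Added example, not from the video or any Active Countermeasures
tool; every log line below is constructed and the thresholds are assumptions."""
from __future__ import annotations

import statistics
from collections import defaultdict

# Constructed connection log: (epoch seconds, dst IP, dst hostname from SNI/Host).
# The implant checks in about every 60 s with jitter, and the CDN answers from
# a different address each time, so no single IP shows a clean timer.
BEACON_TIMES = [0, 58, 121, 179, 242, 300, 361, 418, 480, 540]
CDN_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
CONN_LOG = [(t, CDN_IPS[i % 3], "update.evil.example") for i, t in enumerate(BEACON_TIMES)]
# Ordinary browsing to a legitimate site on the same CDN range: irregular gaps.
CONN_LOG += [(t, "203.0.113.20", "www.example.test") for t in (5, 200, 213, 900, 905, 1400)]


def intervals_by(log, by="host"):
    """Gaps between consecutive connections, grouped by dst IP or by hostname.
    Grouping by hostname is what collapses the CDN's IPs back into one target."""
    idx = 2 if by == "host" else 1
    times = defaultdict(list)
    for rec in log:
        times[rec[idx]].append(rec[0])
    return {k: [b - a for a, b in zip(sorted(v), sorted(v)[1:])] for k, v in times.items()}


def beacon_cv(gaps):
    """Coefficient of variation of the gaps: ~0 for a fixed timer, small for
    a jittered one, usually well above 1 for human-driven traffic."""
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def find_beacons(log, by="host", min_conns=5, max_cv=0.25):
    """Targets with at least min_conns connections whose gaps are regular
    enough (CV <= max_cv) to look like a check-in timer."""
    hits = {}
    for key, gaps in intervals_by(log, by).items():
        cv = beacon_cv(gaps)
        if cv is not None and len(gaps) + 1 >= min_conns and cv <= max_cv:
            hits[key] = round(cv, 3)
    return hits


# DNS C2, client side: command output is hex-encoded into query labels under a
# domain whose authoritative server the attacker runs.  A label must stay under
# 64 characters, so chunks are kept to 12 bytes (24 hex digits) here.
def dns_c2_queries(payload: bytes, domain: str, chunk: int = 12):
    return [f"{payload[i:i + chunk].hex()}.{i // chunk}.{domain}"
            for i in range(0, len(payload), chunk)]


def dns_c2_decode(qnames, domain: str) -> bytes:
    """Server side: reassemble the chunks using the sequence label."""
    chunks = {}
    for q in qnames:
        labels = q.rstrip(".").split(".")
        if ".".join(labels[2:]) == domain:
            chunks[int(labels[1])] = bytes.fromhex(labels[0])
    return b"".join(chunks[i] for i in sorted(chunks))


# Constructed exfil (a tasklist-style listing) mixed into ordinary lookups.
EXFIL = b"System Idle Process 0\nsvchost.exe 612\nlsass.exe 700\nexplorer.exe 2320\n"
DNS_LOG = ["www.example.test", "mail.example.test", "www.example.test",
           "cdn.example.test", "www.example.test"]
DNS_LOG += dns_c2_queries(EXFIL, "evil.example")


def dns_suspects(qnames, min_unique=5, min_label_len=16):
    """Per registered domain (taken as the last two labels; a real hunt would
    use the public suffix list), count distinct names and the average length
    of the leftmost label.  Many long, never-repeated names under one domain
    is the shape of DNS C2: the data has to go somewhere, and it goes there."""
    by_domain = defaultdict(set)
    for q in qnames:
        labels = q.rstrip(".").split(".")
        by_domain[".".join(labels[-2:])].add(q)
    hits = {}
    for dom, names in by_domain.items():
        avg_len = statistics.mean(len(n.split(".")[0]) for n in names)
        if len(names) >= min_unique and avg_len >= min_label_len:
            hits[dom] = len(names)
    return hits


if __name__ == "__main__":
    print("beacons by IP:  ", find_beacons(CONN_LOG, by="ip"))    # {}
    print("beacons by host:", find_beacons(CONN_LOG, by="host"))
    print("DNS suspects:   ", dns_suspects(DNS_LOG))
    print("recovered:", dns_c2_decode(DNS_LOG, "evil.example")[:21])
```

Keyed by IP, the beacon never reaches the connection-count threshold because the CDN spreads ten check-ins over three addresses; keyed by the hostname from SNI or the Host header, the same ten connections show a coefficient of variation near zero. The same collapse step is where you also drop known-good hostnames (the Windows update and telemetry names Chris mentions) before scoring, which is the "pull the legitimate traffic out of the way" part. On the DNS side the point is that the check-in and the exfil are indistinguishable from lookups at the packet level; what gives them away is volume and shape per domain, not any single query.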
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumni of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.