

C2 Architecture in APT Attacks

Posted by harmelink at 2020-02-27

0x00 Preface

Last month I was preoccupied with something else, so the post I had planned to publish at the end of the month was put on hold until now. This post discusses some interesting C2 architectures seen in APT attacks.

C2 techniques keep changing in the long-running contest between attackers and defenders. This post has been in the works for a long time and will be updated: when a new C2 architecture appears, it will be added here.

0x01 What is C2

C2 stands for command and control. In Chinese usage it is both a verb and a noun. Besides APT, C2 is also widely used in botnets; in this post C2 refers only to APT scenarios.

As a verb:

As a noun:

What is it used for?

Any network intrusion can be divided into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives (the kill chain model). After a host is compromised, a C2 channel is usually set up over the network. APT attacks usually do not aim at destruction; they are mostly about eavesdropping and monitoring, so APT malware needs a C2 channel for manual interaction rather than automated activity. This is the first use: command distribution.

However the attacker breaks through the perimeter, whether by exploiting a vulnerability, by phishing or by social engineering, the delivered payload cannot be large. Limited by space, it usually pulls a second-stage payload over the network to establish persistence. Second, APT malware has spyware properties and sends back files or data while it is active. This is the second use: resource distribution and data upload.

C2 architecture can therefore be understood as the way malware obtains resources and commands, and the way data is returned to the attacker.

0x02 C2 Technology

HTTP / HTTPS

HTTP/HTTPS is the most common C2 architecture. Its advantages are as follows:

Take Office phishing as an example: through a malicious macro or an exploit, the attacker uses cscript, wscript or PowerShell to pull the backdoor from a remote HTTP server, install it and run it. This kind of HTTP-based strategy accounts for 90% of known APT events.

Because HTTP is transmitted in clear text, malware usually transforms the content before uploading data, for example with Base64 or XOR; stronger implementations use asymmetric encryption.

But HTTP communication needs an IP address or domain name. Once that asset is blacklisted, the traffic is easily detected by an IDS. For this reason some APT malware uses a domain generation algorithm (DGA).

DGA

DGA is widely used in both botnets and APT attacks.

The attacker generates pseudo-random strings to use as domain names, varying by time or other seed values. Knowing the algorithm, the attacker can determine in advance which domain name will be requested, register it and set up resolution for it. Such dynamic domain names evade blacklist policies and make the attack harder to discover. APT28, APT32 and APT34 have all used this technique.

Take an APT34 attack as an example (sample hash: bbde33f5709cb1452ab941c08acc775e):

The sample is a PowerShell script. According to its logic, the generated domain name consists of six parts: mumbai-m.site and B007 are fixed, and the remaining parts change dynamically with host information, network information and the number of requests made.


DNS tunneling technology

We have just seen how DGA bypasses blacklists, but the traffic still goes over HTTP. Is there a way to avoid HTTP traffic auditing altogether and stay hard to find?

DNS tunneling is well suited to this.

See here for related concepts.

A DNS resolver performs a hierarchical query according to the levels of the domain name. This so-called "hierarchical query" starts from the root, queries the NS records of each level in turn, and continues until the final IP address is found.

DNS tunneling exploits this hierarchical lookup. Take exploit.pi4net.com as an example of how a tunnel works:


The resolver receives a request for exploit.pi4net.com. It first locates the .com zone, then pi4net.com, but it cannot find exploit.pi4net.com in its own database, so it forwards the request to the authoritative server for pi4net.com and asks whether it knows this record. At this point the pi4net.com server can return an IP address for exploit.pi4net.com, or it can return any string, which can be used as a C2 instruction. Although the default space is 60 characters, the protocol itself and the DNS server configuration allow the data space to exceed this limit.


This technique is relatively rare in APT attacks; the trojan.win32.ismdoor.gen Trojan is one family that has used it.

For an analysis of this malware family, see here.
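The DGA and DNS tunneling sections above both leave a visible trace in resolver logs: DGA produces many distinct names under one fixed parent domain, and a tunnel produces long, random-looking labels (often in TXT queries). The following detector is an added example, not code from the original post; the log lines, the parent domains, the thresholds and the naive "last two labels" parent-domain rule are all assumptions constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the page), one "src qtype qname" per line.
# Host 10.0.0.5 shows DGA-style churn under the fixed parent domain from the APT34
# example; host 10.0.0.8 sends long hex labels to the page's example tunnel domain;
# host 10.0.0.9 is benign.
SAMPLE_LOG = """\
10.0.0.5 A a3f1c2.b007.7e9d.0a1b.mumbai-m.site
10.0.0.5 A c91e44.b007.7e9d.0a1c.mumbai-m.site
10.0.0.5 A 5d02bb.b007.7e9d.0a1d.mumbai-m.site
10.0.0.5 A e77a10.b007.7e9d.0a1e.mumbai-m.site
10.0.0.8 TXT 4a6f686e2d53616c7479313233.exploit.pi4net.com
10.0.0.8 TXT 9f3bd2e1c7a8550f6b1e0d4c3a2f.exploit.pi4net.com
10.0.0.9 A www.example.com
10.0.0.9 A mail.example.com
"""

def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_domain(qname):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyze(log_text, churn=3, max_label=24, max_entropy=3.5):
    """Return {(src, parent): {"dga": bool, "tunnel": bool}}.

    dga:    a source queries >= `churn` distinct names under one parent domain,
            the churn a DGA produces when each beacon uses a fresh name.
    tunnel: a label below the parent is longer than `max_label`, or a TXT/NULL
            query carries a label whose entropy exceeds `max_entropy`.
    """
    names = defaultdict(set)
    tunnel = defaultdict(bool)
    for line in log_text.splitlines():
        src, qtype, qname = line.split()
        key = (src, parent_domain(qname))
        names[key].add(qname.lower())
        for label in qname.lower().split(".")[:-2]:  # labels below the parent
            if len(label) > max_label or (qtype in ("TXT", "NULL") and shannon_entropy(label) > max_entropy):
                tunnel[key] = True
    return {k: {"dga": len(v) >= churn, "tunnel": tunnel[k]} for k, v in names.items()}

if __name__ == "__main__":
    for (src, parent), verdict in analyze(SAMPLE_LOG).items():
        print(src, parent, verdict)
```

On real logs the parent-domain rule should use a public suffix list and the thresholds should be tuned against the site's baseline, since CDNs and some legitimate services also produce long or high-churn names.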

FTP

FTP is similar to HTTP and is mainly used for multi-stage payload distribution and data upload. It is about as common as HTTP; APT28, APT37, APT38 and others use it often. The technical threshold is low, so it is not discussed further here.

Social platforms

Besides protocol-layer communication, web applications can also serve as C2 architecture. At present we see many actors building C2 on Facebook, Twitter and other social platforms. Such C2 is easy to build, and all instructions are encapsulated in the platform's own encrypted communication, so it easily bypasses blacklists and traffic auditing.

Take the ROKRAT malware as an example. In one APT attack, Twitter was used to issue C2 commands:

In one sample (hash: 0332841a9c8edbbad3422a0ae82566), seven different Twitter API tokens (each with consumer key, consumer secret, token and token secret) were found. The malware checks the latest message on the Twitter timeline to receive instructions, which include executing commands, moving files, deleting files, terminating processes, and downloading and executing files.

This approach is highly covert, and it is hard to spot the threat in traffic. But its limitation is equally obvious: it can only carry simple instructions, and it is poorly suited to resource distribution and data upload. The malware uses the Twitter API to post tweets; could resources be encrypted, Base64-encoded and distributed as strings that way?

Various cloud drives

Social platforms are mainly used for instruction distribution. In a similar strategy, actors use cloud drives to distribute resources.

Cloud drives are similar to social platforms: highly covert and hard to discover. The difference is that one is typically used for instructions and the other for resources.

ROKRAT again: some variants use a cloud drive as the data upload destination.

In one sample (hash: 7a751874ea5f9c95e8f0550a0b93902d), four foreign cloud drive services are built in, namely pCloud, Box, Dropbox and Yandex; the malware decrypts the cloud drive API keys and uploads data through the APIs:

As an aside, and similar to cloud drives, the KARAE malware used by APT37 is distributed through torrents. Only a few cases of this method were seen, in 2016, and it is relatively rare.

MDM

The techniques above are common to both PCs and mobile devices, but mobile naturally has its own unique C2 modes. On iOS, July 2018 brought a unique example using MDM: the attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. See here for the concept of MDM. In short, an MDM server can deploy applications to iOS devices. The attacker used the BOptions sideloading technique to add functionality to legitimate applications, mainly the IM apps WhatsApp and Telegram, and then deployed them via MDM to the target devices to obtain call records, SMS messages, various application data and chat logs.

Non-jailbroken iOS is very secure, so using MDM to obtain installation permission is a surprise. But this attack has two difficulties:

A default enterprise developer account does not include the MDM service, so the attacker must apply to become an MDM vendor, which undoubtedly increases the cost of the attack.

The victim must trust the certificate issued by the attacker: the attack only works after they go to Settings -> General -> Device Management and trust the certificate. Social engineering may be used to lure the victim into doing this, but it undoubtedly lowers the attack's success rate.

Android is more open than iOS, so the choice of C2 is more flexible. What is unique to it is the use of GCM, PubNub and other message push services for C2 communication.

Message push services

Using a message push service as C2 is common on the Android platform.

Once the malware has been delivered, the most important thing is to achieve long-term persistence and remote control. The mobile platform offers less room to operate than a PC, and the implementation options are limited: basically hiding the launcher icon after installation plus various self-wake-up tricks; more advanced attacks exploit root vulnerabilities to gain more room to operate.

Within C2 architecture, besides ordinary HTTP, the message push service is a distinctive communication mode of the Android platform.

If an application wants to push messages to its users, it only needs to send the information to the message push server, which forwards it to the user. A mature ecosystem of this kind is Google Play's GCM.

In the mobile attack activity of the APT group Reaper disclosed by EST in April 2018, some samples used GCM as the C2 channel (sample hash: d6abaa07f7e525153116c9841215b2e):

After execution, the malware collects device information such as the phone number, call log, location and device file information, then compresses and encrypts it and uploads it to a remote server:

However, the upload channel is HTTP. The overall structure is as follows:

Because of the openness of the Android platform, there are many message push providers similar to GCM. In the following sample, the PubNub message push service is used:

In fact, message push is not limited to Android. On Windows there is also malware that uses message push services to transmit command data.

TCP packets

Encapsulating C2 instructions in TCP packets is common in malware for Linux servers. A flag is set in the header, the malware monitors local traffic in promiscuous mode, and it executes the operation when it sees a packet with a specific frame structure. Take the "ext4" backdoor as an example:

The "ext4" binary is relatively small, only 9511 bytes, and consists of simple functions. It uses the libpcap library to monitor local traffic. The malware is configured to run every hour; at runtime it listens to the traffic and calls back to my_packet_handler for processing. After XOR-decoding the payload, if the string starts with anti:, the remainder is passed to execl to run as a bash command.

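A trigger like the one described above cannot be matched by a plain string signature because the payload is XOR-encoded, but the fixed anti: marker is a known plaintext. The hunting routine below is an added example, not code from the post or from the ext4 sample: it assumes a single-byte XOR key (the post does not state the key) and scans captured payloads for every possible key; the sample payloads and their keys are constructed for the demonstration.

```python
# Known plaintext the page describes: the decoded payload starts with "anti:".
MARKER = b"anti:"

def xor_bytes(data, key):
    """XOR every byte with a single-byte key (assumption: one-byte key)."""
    return bytes(b ^ key for b in data)

def find_marker(payload):
    """Try all 256 keys; return (key, decoded_command) if the decoded payload
    begins with MARKER, else None. Matching 5 fixed bytes under a single-byte
    key makes a chance hit on random traffic vanishingly unlikely."""
    if len(payload) < len(MARKER):
        return None
    for key in range(256):
        if xor_bytes(payload[:len(MARKER)], key) == MARKER:
            return key, xor_bytes(payload[len(MARKER):], key)
    return None

def encode_sample(command, key):
    """Constructed helper used only to build the sample traffic below."""
    return xor_bytes(MARKER + command, key)

# Constructed sample payloads (not from the page): two encoded trigger packets
# with different keys, plus one unrelated binary blob.
SAMPLES = [
    encode_sample(b"id > /tmp/o", 0x5A),
    encode_sample(b"cat /etc/hostname", 0x23),
    bytes([0x13, 0x37, 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x41]),
]

def scan(payloads):
    """Return [(index, key, command)] for every payload carrying the marker."""
    hits = []
    for i, payload in enumerate(payloads):
        result = find_marker(payload)
        if result is not None:
            hits.append((i, result[0], result[1]))
    return hits

if __name__ == "__main__":
    for index, key, command in scan(SAMPLES):
        print(f"payload {index}: key=0x{key:02x} command={command!r}")
```

In practice the payloads would come from a pcap of the TCP stream the backdoor filters on, and a hit both confirms the infection and recovers the operator's command for the incident record.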

0x03 Classification

Broadly, C2 modes fall into three types:

Remote command and control is necessarily network-based; that much is beyond doubt.

Using the OSI seven-layer model, we can sort them from bottom to top.

Transport protocol layer

The transport layer, especially TCP and UDP, corresponds to the "ext4" backdoor example.

Malware using protocols at this layer mainly targets not personal terminals but the servers of key infrastructure, especially Linux. There are two reasons:

In fact, besides TCP and UDP, C2 commands can also be transmitted at the data link layer; in intranet communication during lateral movement, using ARP is not impossible. But for data transmitted over the Internet, it must go over a transport layer protocol.

Application protocol layer

Application layer protocols offer much more room to operate than transport layer protocols.

Commonly used C2 architectures here: HTTP/HTTPS, FTP, DNS, SMTP, and so on.

Over a long period of development, many techniques have been extended. The most important property of C2 over application layer protocols is concealment, followed by transmission efficiency and applicable scenarios.

Common countermeasures include but are not limited to:

At the application protocol layer, the most stable and extensible are undoubtedly HTTP/HTTPS and FTP, which suit every intrusion scenario. At the same time, they are easy to detect.

Blacklist policies can filter out most requests, so we see DGA in some samples. To get past firewalls, some samples use DNS tunneling. These techniques have their own advantages and disadvantages, so each fits only certain scenarios.

But real environments are more complex; when the internal and external networks are isolated, other protocols are needed.

Application service layer

On top of the protocols above there are many application services: social platforms, cloud drives, message push services and so on.

Most of the problems above can be solved once and for all by using such application services.

The domain names and IP addresses of these applications are whitelisted, and most of them offer APIs. MDM attacks have also been seen against specific platforms such as iOS. Encapsulating the distributed files, instructions and uploaded data in application traffic evades traffic auditing and tolerates faults well. In recent years, more and more APT attacks use this architecture.

In practice there are limitations. Social platforms and message services are often limited in data size, so they are used for instruction distribution. Services such as cloud drives, being file-oriented, are used for data upload and resource distribution.

0x04 Summary

Limited by the technical and economic capabilities of each APT group, HTTP remains the mainstream C2 architecture. To counter blacklists, firewalls and traffic auditing, C2 built on application services has grown over the last two years, and this is a visible trend.

It cannot be ruled out that some capable APT groups have C2 communication modes that are not easy to detect. When a new C2 architecture appears, this post will be updated.


Personal blog: http://pi4net.com

Some security analysis tools will be released later. Feel free to bookmark this page.