Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. [1] Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
ID | Name | Description |
---|---|---|
G0096 | APT41 |
APT41 used a tool called CLASSFON to covertly proxy network communications.[2] |
S0456 | Aria-body |
Aria-body has the ability to use a reverse SOCKS proxy module.[3] |
S0347 | AuditCred | |
S0245 | BADCALL |
BADCALL functions as a proxy server between the victim and C2 server.[5] |
S1081 | BADHATCH |
BADHATCH can use SOCKS4 and SOCKS5 proxies to connect to actor-controlled C2 servers. BADHATCH can also emulate a reverse proxy on a compromised machine to connect with actor-controlled C2 servers.[6] |
S0268 | Bisonal | |
G0108 | Blue Mockingbird |
Blue Mockingbird has used frp, ssf, and Venom to establish SOCKS proxy connections.[8] |
C0017 | C0017 |
During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.[9] |
C0027 | C0027 |
During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.[10] |
S0348 | Cardinal RAT |
Cardinal RAT can act as a reverse proxy.[11] |
G0052 | CopyKittens |
CopyKittens has used the AirVPN service for operational activity.[12] |
S0384 | Dridex |
Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.[13][14] |
G1006 | Earth Lusca |
Earth Lusca adopted Cloudflare as a proxy for compromised servers.[15] |
G0117 | Fox Kitten |
Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.[16][17][18] |
S1044 | FunnyDream |
FunnyDream can identify and use configured proxies in a compromised network for C2 communication.[19] |
S0690 | Green Lambert |
Green Lambert can use proxies for C2 traffic.[20][21] |
S0246 | HARDRAIN |
HARDRAIN uses the command |
S0376 | HOPLIGHT |
HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators.[23] |
S0040 | HTRAN |
HTRAN can proxy TCP socket connections to obfuscate command and control infrastructure.[24][25] |
S0283 | jRAT | |
S0487 | Kessel |
Kessel can use a proxy during exfiltration if set in the configuration.[27] |
S1051 | KEYPLUG |
KEYPLUG has used Cloudflare CDN associated infrastructure to redirect C2 communications to malicious domains.[9] |
S0669 | KOCTOPUS |
KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet.[28] |
G1004 | LAPSUS$ |
LAPSUS$ has leverage NordVPN for its egress points when targeting intended victims.[29] |
G0059 | Magic Hound |
Magic Hound has used Fast Reverse Proxy (FRP) for RDP traffic.[30] |
G1019 | MoustachedBouncer |
MoustachedBouncer has used a reverse proxy tool similar to the GitHub repository revsocks.[31] |
S0108 | netsh |
netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.[32] |
S0198 | NETWIRE | |
S0508 | ngrok |
ngrok can be used to proxy connections to machines located behind NAT or firewalls.[34][35] |
C0013 | Operation Sharpshooter |
For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location.[36] |
C0014 | Operation Wocao |
During Operation Wocao, threat actors used a custom proxy tool called "Agent" which has support for multiple hops.[37] |
S0435 | PLEAD | |
G1005 | POLONIUM |
POLONIUM has used the AirVPN service for operational activity.[12] |
S0378 | PoshC2 |
PoshC2 contains modules that allow for use of proxies in command and control.[39] |
S0262 | QuasarRAT |
QuasarRAT can communicate over a reverse proxy using SOCKS5.[40][41] |
S0629 | RainyDay |
RainyDay can use proxy tools including boost_proxy_client for reverse proxy functionality.[42] |
S0332 | Remcos |
Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.[43] |
G0034 | Sandworm Team |
Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.[44] |
S0461 | SDBbot |
SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2.[45] |
S0273 | Socksbot | |
S0615 | SombRAT |
SombRAT has the ability to use an embedded SOCKS proxy in C2 communications.[47] |
S0436 | TSCookie |
TSCookie has the ability to proxy communications with command and control (C2) servers.[48] |
G0010 | Turla |
Turla RPC backdoors have included local UPnP RPC proxies.[49] |
S0263 | TYPEFRAME |
A TYPEFRAME variant can force the compromised system to function as a proxy server.[50] |
S0386 | Ursnif |
Ursnif has used a peer-to-peer (P2P) network for C2.[51][52] |
S0207 | Vasport | |
G1017 | Volt Typhoon |
Volt Typhoon has used compromised devices and customized versions of open source tools such as Fast Reverse Proxy (FRP), Earthworm, and Impacket to proxy network traffic.[54][55] |
S0670 | WarzoneRAT |
WarzoneRAT has the capability to act as a reverse proxy.[56] |
G0124 | Windigo |
Windigo has delivered a generic Windows proxy Win32/Glubteta.M. Windigo has also used multiple reverse proxy chains as part of their C2 infrastructure.[57] |
S0117 | XTunnel |
XTunnel relays traffic between a C2 server and a victim.[58] |
S0412 | ZxShell |
ID | Mitigation | Description |
---|---|---|
M1037 | Filter Network Traffic |
Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting. |
M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [60] |
M1020 | SSL/TLS Inspection |
If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections that are sent or received by untrusted hosts. |
Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
||
Network Traffic Flow |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |