From C2 to C3: Hackers are getting esoteric when covering footprints, calling home.

Hackers are using the Slack API, MSFT's PowerAutomate, print jobs...

From C2 to C3: Hackers are getting esoteric when covering footprints, calling home.

For many IT professionals not tightly focussed on the information security space, a recent blog by FireEye detailing the techniques used by affiliates of the DarkSide ransomware syndicate in the Colonial Pipeline attack was the first they had heard of the C3 framework – a Custom Command and Control platform for offensive security professionals that was first released publicly by F-Secure Labs in September 2019.

A threat group dubbed “UNC2628” was employing the C3 framework to hide their traffic home, proxying Command and Control (C2) communications through the Slack API, FireEye said, adding that “based on this actor's other TTPs they were [also] likely using C3 to obfuscate Cobalt Strike BEACON traffic.” (Cobalt Strike is a commercial penetration testing product widely used by cybercriminals too, which allows an attacker to deploy an agent named 'Beacon' on the victim machine with extensive naughty functionalities.)

With C3 able to help attackers use even networked printers as a C2 channel, those responsible for securing enterprises should be watching the evolution of C2 techniques closely. (F-Secure has some tips on hunting for C3 including via anomalous DNS queries for Slack domains, anomalous processes, etc. here.)

C2 to C3: “Esoteric” channels go mainstream.

For the uninitiated, when malware infects a vulnerable host, it typically initiates a command and control (C2) channel with its creator that can be used to issue instructions to compromised devices, download additional malicious payloads, or used as a two-way channel to exfiltrate data stolen in the attack.

Indeed, as F-Secure notes, the establishment of C2 is “arguably one of the most important parts of the cyber kill chain because without it any payloads that are successfully delivered operate blindly, cannot provide network level pivoting and near real-time interaction". Well defended organisations have been imposing ever-greater controls over the types of communications allowed from their systems as a result.

(The importance of defensively identifying C2 is reflected in two of the MITRE ATT&CK framework's columns: “Command and Control” and “Exfiltration”; although neither appears to have been updated since 2019. Someone correct us if we're wrong: it's troubling if we're not.)

Being able to detect C2 channels, in short, is a big part of the cybersecurity playbook and typically a prominent component of the “Indicators of Compromise” (IOCs) reported after an attack. (The Colonial Pipeline hackers having deployed an open source tool with a self-described “easy and intuitive interface that allows users to form complex paths during adversarial simulations” to hide their activity should hardly come as a surprise as a result: from Cobalt Strike to Mimikatz or Bloodhound, commercial or open source offensive security tools are often a major part of the cybercrime playbook as well, and IT teams should be well aware of them.)

A key feature of C3 is the ability to extend the network using non-traditional vectors. This network can be made up of a variety of communication mediums (see: printers), can contain complex routing paths, and allows for redundancy to be built in on the fly, F-Secure's own C3 guide notes.

From C2 to C3: Attackers are using the Slack API, Telegram, and Microsoft's PowerAutomate to hack your shit.

The simplified diagram at left gives one simple example of C3 at use, with the “Slack” relay being used to route traffic for the “Fileshare” relay, which has a CobaltStrike beacon running in memory. As F-Secure notes: "In this instance, sending a command to the beacon through Cobalt Strike causes the gateway to send a message over Slack. The 'Slack' relay reads this message, understands that it is intended to be forwarded, and writes the message to the UncShareFile channel. Finally, the 'Fileshare' relay reads this message and writes it to the SMB beacon. (CISOs and their teams need to be aware of this stuff...)

What can defenders do?

Bharat Mistry, Technical Director at Trend Micro, affirmed to The Stack that he was seeing more sophisticated C2 setups become popular as organisations get better at monitoring network channels for obscure protocols and non-standard ports -- i.e. as potential indicators of malicious communications that signal a breach.

He said: “Cybercriminals have started to camouflage their C2 and C3 channels inside standard essential protocols needed to communicate with external services like http, https, dns, smtp and commonly used applications like Slack and Teams. One effective way to counteract this is to think about deploying deep packet inspection technology at critical parts of the network layer such as the perimeter to capture North-South traffic and also between the users and the services they consume from the application servers located in datacentre more commonly known as East-West or lateral traffic.

Mistry added: “These sensors should have the ability to do full packet capture and reassembly giving defenders the opportunity to examine the payload inside and use advanced capabilities such as machine learning, heuristics and behavioural analysis to determine if the protocol or service is being abused in some way. The data from these sensors can be further analysed in a data-lake where analytics can used to determine normal and abnormal traffic patterns giving further insight as to what is happening in the environment.

"But as services and protocols evolve and we see a switch towards encrypted traffic it makes this type of inspection and monitoring more difficult and is further complicated by use of cloud services.”

George Glass, Head of Threat Intelligence at Redscan agreed, saying: “Threat actors spend a significant portion of their time curating and hardening their C2 infrastructure to facilitate large-scale phishing, malware and ransomware operations. Typically, they will use different channels at differing stages of their attacks, such as during second stage malware deployment, remote access and data exfiltration.

He added: “A common tactic for many malware strains is to compromise websites and use them to host second stage malware payloads. This typically involves exploiting CMS systems such as WordPress en masse and hiding malicious files in the filesystem of each site, allowing the malware loaders they deploy to choose the next stage from any number of compromised hosts. This also enables attackers to bypass website fingerprinting and categorisation used by proxies.

And it’s not just F-Secure’s C3 out there, he noted: “There are countless C2 frameworks available which utilise different open source tooling, commercial grade software, and applications such as Telegram, WhatsApp and Twitter. Threat actors that can hide their C2 communications are able to loiter on target networks for longer, gaining greater freedom to achieve their goals." (With Cobalt Strike itself costing $3,500 per user for a one year license and cybercriminals -- needless to say -- keen to avoid identifying themselves through commercial payments, this can throw up opportunities for defenders, Glass noted. As he put it: "Most threat actors use leaked or cracked versions of this software which can make activity easier to identify.")

Tim Wade, technical director for the CTO team at Vectra AI added: We have seen adversaries... [also] using Microsoft PowerAutomate to create custom malicious workflows, or deploying novel in-memory droppers to evade file-based analysis. To detect C2 activity, security teams must look for the intersections between authorised but suspicious activities, and the behaviours that an adversary will exhibit as part of an unfolding attack. It could be examining factors like how persistence will be achieved, or monitoring key chokeholds that must be crossed for the attacker to pivot from initial access towards their final objective. This is key as often, establishing the C2 channel is just the opening gambit, and attackers will need to move laterally or escalate their privileges before the endgame, which is usually to steal data or disrupt operations.

CISOs: start talking to your security partners and internal security professionals about this issue. As Vectra notes in a report this week on threat detections for Microsoft Azure AD and Office 365, "the level of skill and focus required to cleanly bypass endpoint controls is a tribute to recent advances in endpoint detection and response. However, it is also a reminder that a determined and sophisticated adversary will always be able to bypass prevention and endpoint controls." Defenders need to be equally creative.

Follow The Stack on LinkedIn