The Rise of Malware Using Legitimate Services for Communications

One of the new evolutions in malware capabilities is the use of legitimate services like Google Docs or Facebook as a conduit for command and control communications.

Published on January 11, 2018
Malware often includes the ability to communicate with attacker-controlled systems on the Internet from within compromised networks. This gives the attacker several important capabilities.

Some examples of this communication include:

- Receive "heartbeats" to maintain an inventory of compromised systems
- Send remote control commands and receive the results of those commands
- Exfiltrate data from inside compromised networks
- Send updates or new capabilities to already compromised hosts

This communication between malware and attacker-controlled servers on the Internet is often referred to as "command and control." It is also a primary area of focus for security software that detects malware infections, alongside detecting the malware itself.

As defenders have gotten better at detecting Internet hosts and domains used for malware command and control, attackers have had to develop their own countermeasures to try and stay ahead of detection and blocking efforts. Techniques such as Domain Generating Algorithms (https://www.anomali.com/blog/hacker-tactics-part-1-domain-generation-algorithms) have been employed to try and evade traditional detection mechanisms put in place by defenders.

One of the new evolutions in malware capabilities is the use of legitimate services as a conduit for command and control communications. Imagine malware that uses GitHub, or Google Docs, or Facebook to communicate with attackers. Defenders are stuck trying to discern between legitimate traffic and malicious traffic that is all encrypted and going to the same popular and very legitimate services on the Internet. The dominant way to refer to this technique is "Legit Services C2."

[Image: A variety of legitimate services seen abused for C2]

There are many possible services available across the Internet that could be used for malware command and control. As new services are constantly popping up, there is essentially an unlimited supply of options for using legit services for malware command and control.

We did some detailed research into malware that uses legit services for C2. We identify a number of malware families that have been observed taking advantage of legit services. We also dig into how malware uses legit services for C2. Finally, we offer some suggestions for potentially sifting out malware usage vs. legitimate usage of these services. We packed all this research into a white paper titled "Rise of Legit Services for Backdoor Command and Control," which can be downloaded here (https://anomali.cdn.rackfoundry.net/files/anomali-labs-reports/legit-services.pdf) without registration. Please feel free to use this research and we hope that others will expand on it.
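The white paper's own sifting suggestions are not reproduced here. As an added example (not Anomali's code), the script below shows one defender-side heuristic for the problem the post describes: when both employees and malware talk to the same legitimate service over TLS, request timing regularity is still visible in proxy logs, and a host polling on a near-constant timer stands out from bursty human browsing. The log format, the sample lines and the thresholds are assumptions constructed for this example.

```python
"""Timing-regularity heuristic for beaconing to legitimate services.

Parses constructed proxy log lines, groups requests by (client, host) and
flags pairs whose inter-request gaps are suspiciously steady. Log format and
thresholds are assumptions for this example, not from the white paper.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp, client IP, destination host, user-agent
SAMPLE_LOG = """\
2018-01-11T09:00:00 10.0.0.5 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/63.0
2018-01-11T09:03:17 10.0.0.5 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/63.0
2018-01-11T09:31:42 10.0.0.5 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/63.0
2018-01-11T09:00:00 10.0.0.9 docs.google.com python-requests/2.18.4
2018-01-11T09:05:01 10.0.0.9 docs.google.com python-requests/2.18.4
2018-01-11T09:10:00 10.0.0.9 docs.google.com python-requests/2.18.4
2018-01-11T09:14:59 10.0.0.9 docs.google.com python-requests/2.18.4
2018-01-11T09:20:00 10.0.0.9 docs.google.com python-requests/2.18.4
"""

def parse_log(text):
    """Yield (timestamp, client, host, user_agent) tuples from the log text."""
    for line in text.splitlines():
        ts, client, host, ua = line.split(" ", 3)
        yield datetime.fromisoformat(ts), client, host, ua

def find_beacons(text, min_requests=4, max_jitter=0.1):
    """Return [(client, host, mean_gap_seconds)] for regular-interval polling."""
    seen = defaultdict(list)
    for ts, client, host, _ua in parse_log(text):
        seen[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in seen.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: human browsing is bursty (high), timers are steady (low)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, avg))
    return hits

if __name__ == "__main__":
    for client, host, avg in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {host} every ~{avg:.0f}s")
```

Tune min_requests and max_jitter against your own baseline, and treat a hit as a lead for triage (user-agent, byte counts, process) rather than a verdict, since legitimate sync clients also poll on timers.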
