Criminals increasingly using social media as command-and-control (C2)

A paper entitled: C&C-AS-A-SERVICE: ABUSING THIRD-PARTY WEB SERVICES AS C&C CHANNELS caught my attention yesterday which looks at the growth in criminals leveraging popular web services for Command & Control (C2).

The web services cited are: Google Docs, Twitter, Facebook, Microsoft Technet, YouTube, VKontakte, Jaiku, Tumblr, Google+, Yahoo Mail, Gmail, Google Talk, MSN Messenger, Skype, Google Calender

So, quite a few options for the criminal as you can see.

Why do criminals use Third-party web services for C2?

One benefit for the criminal in utilising this strategy is that traffic to these websites looks legitimate, is often encrypted (HTTPS) and will blend in with legitimate use of the same services. Also:

The essence of the method is usually the same: encoded messages containing the address of the actual C&C server are hosted on third-party web services where they are easy to retrieve, easy to update and difficult to block.

[…]

The primary benefit for the attacker in this case is simply an easy and reliable way of broadcasting new C&C server addresses whenever the existing C&C servers are taken down or blocked.

[….]

In addition to abusing third-party services for broadcasting the addresses of primary C&C servers, similar methods are sometimes employed by malicious downloaders for broadcasting the locations of payloads to download.

As we can see the use is primarily two-fold. To act as a proxy for the C2 server and direct to malicious download payloads.

But there is another use and that is exfiltration of data through mechanisms such as DropBox , MicrosoftOneDrive and other cloud services.

I’d encourage you to read the paper which concluded with:

The idea of abusing third-party services as command-and-control channels is not new. It’s also not as rare or as difficult as one might initially imagine. It is,  however, in the author’s opinion, an under-researched subject with wide-ranging implications for anyone working against malware authors and operators. It therefore deserves more attention.

If you’re interested in a more granular look at how criminal groups leverage social media, I highly recommend reading the HAMMERTOS paper from July which covers a Russian group using Twitter, GitHub, and cloud storage services to relay commands and extract data.

When I read this paper I could not help but marvel at the sheer ingenuity of this group. They employ tactics such as algorithms to generate Twitter handles and embedding commands in images through encrypted stenography. Quite astonishing.

HAMMERTOSS processes the decrypted commands, which conduct reconnaissance, execute commands via PowerShell, or upload data to a cloud storage.

In terms of Red Team emulation of these tactics there are tools available such as Twittor, a fully featured Python backdoor that uses Twitter as a C2 server.

This tool was released recently, but as far back as 2013 @obscuresec wrote a Powershell bot in which he used Twitter as C2.

Here’s his talk from Shmoocon FireTalks 2013 entitled: No Tools No Problem Building a PowerShell Botnet