Encrypted Channel: Symmetric Cryptography

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.[1]

Procedure Examples

Name | Description
BADNEWS | BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.[2][3]
Ebury | Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[4]
PLEAD | PLEAD has used RC4 encryption to download modules.[5]
SUNBURST | SUNBURST encrypted C2 traffic using a single-byte-XOR cipher.[6]
TrickBot | TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.[7]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.
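The approach above, as an added example (not code from this page or from any of the listed malware families): transforms and keys recovered from samples are applied to captured payloads, and the decoded bytes are matched against a beacon signature. The BADNEWS-style transform is modelled as per-byte ROR-by-3 followed by XOR 0x23 (that order is an assumption), the single-byte XOR key is recovered from an assumed known beacon prefix, and the beacon format and payloads are constructed for illustration.

```python
import re
from typing import Optional

BEACON_RE = re.compile(rb"^id=[\w-]+ user=\w+ task=\w+")  # hypothetical beacon format
BEACON_PREFIX = b"id="  # assumed known plaintext at the start of every beacon

def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    return ((b >> n) | (b << (8 - n))) & 0xFF

def decode_ror3_xor23(data: bytes) -> bytes:
    """Invert the assumed ROR-3-then-XOR-0x23 transform: undo the XOR, then rotate left 3."""
    return bytes(rol8(b ^ 0x23, 3) for b in data)

def decode_single_byte_xor(data: bytes, prefix: bytes = BEACON_PREFIX):
    """Derive the key from the first byte and the known prefix, verify it on the whole
    prefix, and return (key, plaintext); return None when the prefix does not fit."""
    if len(data) < len(prefix):
        return None
    key = data[0] ^ prefix[0]
    plain = bytes(b ^ key for b in data)
    return (key, plain) if plain.startswith(prefix) else None

DECODERS = {
    "ror3_xor23": decode_ror3_xor23,
    "single_byte_xor": lambda d: (decode_single_byte_xor(d) or (None, b""))[1],
}

def classify(payload: bytes) -> Optional[str]:
    """Name the decoder whose output matches the beacon signature, or None for no match."""
    for name, decoder in DECODERS.items():
        if BEACON_RE.match(decoder(payload)):
            return name
    return None

# Constructed samples: a BADNEWS-style payload, a single-byte XOR payload (key 0x5A), benign.
def _encode_ror3_xor23(data: bytes) -> bytes:
    return bytes(ror8(b, 3) ^ 0x23 for b in data)

SAMPLES = {
    "badnews_style": _encode_ror3_xor23(b"id=host01 user=alice task=none"),
    "sunburst_style": bytes(b ^ 0x5A for b in b"id=host02 user=bob task=sleep"),
    "benign": b"GET /index.html HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, "->", classify(payload))
```

A real deployment would run the decoders over payloads carved from packet captures and alert on any match; unmatched payloads are simply passed through.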

In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[8]

References

ID: VT0027.001
Sub-techniques:
Tactic: Command And Control
Platforms: Linux, Windows, macOS
Data Sources: Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Version: 1.0

Created: 05 January 2021

Last Modified: 05 January 2021