
C&C: models, function and measures

Posted on 08/18/2022, by Ricardo del Rio García (INCIBE)

A successful cyberattack is more than just getting a foot in the door of an organisation: cybercriminals want to make a profit from it. To achieve this, the attacker must try to maintain persistence within the target environment, communicate with infected or compromised devices within the network, and potentially obtain the data or usage of the attacked infrastructure.

The key to success in all these actions is a Command and Control infrastructure, also known as C2 or C&C.

Command & Control attack

What is a command and control attack?

The command and control infrastructure is the set of tools and techniques used by attackers to maintain communication with compromised devices after the initial exploitation. Specific mechanisms vary widely among attacks, but C2 generally consists of one or more covert channels of communication between devices in a target organisation and an attacker-controlled platform.

These channels of communication are used to send instructions to compromised devices, download additional malicious tools, channel stolen data or use infected devices as zombies.

A common strategy to channel communication is to mix it with other types of legitimate traffic that could be in use in the target organisation such as HTTP/HTTPS or DNS. Attackers can take other measures to camouflage their communications with the C&C, such as the use of encryption or unusual types of data encoding.

A big problem for current cybersecurity is that a legitimate computer on a network can become a weapon for attacks led by cybercriminals, either through a botnet or the so-called Advanced Persistent Threat (APT).

In the case of botnets, C&C servers are the main infrastructure for compromised machines in a bot network. They can be used to distribute commands to steal data, propagate malware, interrupt web services, etc.

In the case of APT attacks, they are directed at organisations or individuals and aim to establish a continuous presence that remains undetected in the target infrastructure. The end goal of these attacks is often espionage: data access, intellectual property, confidential documents, etc.

In this article we will focus specifically on the channel of communication of command and control (C2) as well as its prevention and response.

C2 infrastructure terms

Zombie

Represents each one of the compromised objectives (victims). Similar to what is known as a session in Metasploit Framework, a zombie in Pupy/BeEF or an agent in Empire.

Stagers

Modules executed in the tool for the distribution of payloads and the establishment of connections with zombies. All available stagers at the time of writing work to set up a server on the compromised machine and wait for the victim to connect, download and execute the corresponding payload.

Implants

These are the instructions executed on zombies that really allow the execution of a post-exploitation process in suitable conditions on the target. Once again, this is the equivalent of what is found in the Metasploit Framework with “post” modules, or the Meterpreter in scripts (already deprecated) or Empire in stagers.

Botnet

This is a collection of zombie machines that are enlisted for a common illicit goal. This could be anything from mining cryptocurrencies to taking a website offline through a denial of service attack, for example DrDoS or DDoS. Botnets are often united through a common C2 infrastructure. It is also common for cybercriminals to sell access to botnets to other cybercriminals in a type of Malware as a Service (MaaS) attack.

Beaconing

Beaconing is the process through which an infected device calls the attacker’s C2 infrastructure to ask for instructions or load additional modules. To avoid detection, some connect at random intervals or can remain inactive for a while before calling the attacker.
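From the defender's side, this call-home rhythm is what beacon hunting looks for in connection logs. The following added example (not part of the original article) flags source/destination pairs whose connection gaps are clock-like, using medians so that one dormant period does not hide the schedule; the log format, host names and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

def make_sample():
    """Constructed log: (epoch_seconds, source_host, destination) per outbound connection."""
    events = []
    t = 1_000
    # One host calling out about every 300 s with small jitter and one 1 h dormant period.
    for i, jitter in enumerate([0, 12, -9, 7, -14, 3, 10, -5, 8, -11, 4, -2]):
        t += 300 + jitter + (3_600 if i == 6 else 0)
        events.append((t, "10.0.0.23", "updates.example.net"))
    # A person browsing: bursts and long pauses.
    for t in (1_010, 1_025, 1_400, 1_410, 3_900, 3_905, 4_700, 9_000):
        events.append((t, "10.0.0.42", "intranet.example.org"))
    return events

def beacon_candidates(events, min_events=8, max_spread=0.1):
    """Return {(src, dst): (median_gap, spread)} for pairs with clock-like timing.

    spread = median absolute deviation of the gaps / median gap. Using medians
    keeps a single long sleep from hiding an otherwise regular schedule.
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst in events:
        stamps_by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if mid <= 0:
            continue
        spread = median(abs(g - mid) for g in gaps) / mid
        if spread <= max_spread:
            hits[pair] = (mid, round(spread, 3))
    return hits

if __name__ == "__main__":
    for pair, stats in beacon_candidates(make_sample()).items():
        print(pair, stats)
```

Connections made at heavily randomised intervals raise the spread and pass under a fixed threshold, so timing regularity is one signal to combine with destination reputation and traffic volume.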

What can cyberattackers achieve with a command and control infrastructure?

Most organisations have effective systems which make it difficult for an attacker to initiate a connection from outside the internal network of the organisation without being detected. However, outgoing communication is often not as well controlled or restricted. This means the malware introduced through a different channel, for example a phishing email or a compromised website, can often establish an outgoing channel of communication that would otherwise be impossible.

With this channel open, a cybercriminal can undertake additional actions such as:

Data theft

C2 channels are often bidirectional, meaning that an attacker can receive data from the target environment as well as sending instructions to compromised hosts. Data accessed can be of any type, from classified documents to credit card numbers or personal information, according to the organisation to which the victim belongs. Ransomware gangs are increasingly using data exfiltration as an additional tactic to extort their targets: even if the organisation can recover data from backups, criminals can still threaten to disclose stolen data or sell it on the dark web.

Interrupt tasks in progress

Attackers can periodically restart an infected system or group of systems within an organisation when it is carrying out an important task. For example, a business carrying out data migration or a backup of its entire database of information and files in multiple external storage systems for redundancy, or a manufacturing process that involves processing materials from one form to another and may take several hours or days. Attackers can repeatedly interrupt this process by restarting the system or systems at certain intervals so the task is never completed.

Shutting down systems or networks

If the malware has managed to pivot to one part or all systems within an organisation, an attacker can simply switch off all systems in order to completely terminate business operations. The cybercriminal can then threaten that business operations will not be resumed until their demands have been met. This is a form of ransomware that avoids encryption.

Multi-stage attacks

The most selective cyberattacks often carry out attacks with an initial infection consisting of a downloader that calls the attacking C2 infrastructure and downloads additional malicious modules. This modular architecture allows an attacker to carry out attacks that are widely distributed and highly focused, meaning the attacker can be selective and create personalised malware with a second phase for other goals. This model also allows for a decentralised cybercrime industry. An initial access group can sell access to a main target such as a bank or hospital to a ransomware gang for example.

Distributed denial of service attacks (DDoS)

Sometimes, infected systems are not the real objective and are just used as foot soldiers to initiate attacks on a different organisation or service. An attacker that controls a C2 server that gives orders to a set of zombie systems can tell infected systems to saturate a server (for example, that of Facebook) with numerous requests to use up the target's bandwidth.

This means that legitimate users cannot access the website or server.

Encryption or data corruption

Another malicious activity that a Command and Control server can order a host to do is to encrypt or corrupt the system's files. This can be used to request a ransom before releasing data or simply to sabotage an organisation's activity.

The above are just a few examples of the most common attacks that can be carried out using a Command and Control server. C2 channels are a backdoor to a computer and/or infected networks and their damage potential is only limited by the attacker's mind, such as using botnets to perform crypto-mining.

Command and control models

Although there is a wide range of available options to implement C2, the architecture between the malware and the C2 platform generally is similar to one of the following models:

Centralised model

This model is very similar to a client-server transaction model. An infected host polls its C2 server to ask for commands or operations to execute. It is very common for attackers to use websites and common storage services to host C2 servers.

This model is easy to detect and block because the commands come from a single source with an IP that can be quickly detected and blocked.

However, some attackers make the process of detection difficult by using proxies, redirectors and load balancers in the configuration of their C2 servers.

Peer-to-peer model

This model is decentralised: the members of a bot network send messages from one node to another. This eliminates the need for a “main” or central server, making detection difficult.

Even when it is detected, it’s possible that only one node at a time can be taken down. This model is often used with the centralised model as a hybrid configuration. In this hybrid scenario, P2P communication works as a back-up when the central server is taken down.

Random

This model was developed to guarantee that cybersecurity experts could not detect a botnet’s chain of command or trace and shut down the C2 server. This is achieved by sending commands to the infected host or the bot network from different random sources. These sources can be links in comments on social media, CDNs, Gmail, IRC chatrooms and other rented media. A common attribute that attackers look for in these sources is that they are widely used and trusted.

How do command and control (C2) servers work?

Step 1

The attacker infects the system of a user or within an organisation with malware even though they are protected. This can be done using different methods such as phishing emails, malicious advertising (adware), plugins on vulnerable browsers, direct installation of malicious software through a USB stick or disk, etc.

Command & Control - Infection

Step 2

Once the host is infected, communication with the C2 is established and the compromised system sends an acknowledgement of receipt to the C2 server to indicate that it is ready to receive commands. This communication is carried out mainly through trusted traffic such as the DNS.

Command & Control - Notice

Step 3

With the C2 channel established, the infected system can now receive more commands from the C2 server so long as the malware is not detected.

The Command and Control server can use this channel to send more malicious software to be installed, encrypt data and even recursively extract data from the infected host.

Command & Control - Communication

The C2 server can also issue orders to the infected host so it starts to look for vulnerabilities in other network systems with the aim of moving throughout the network. This can completely compromise an organisation's entire IT infrastructure and lead to the expansion of compromised computers by increasing the size of the botnet. The sole purpose of this organisation of zombie machines is to receive orders from the command and control server to carry out coordinated attacks.

Command & Control - Network

Detection and prevention of command and control traffic

C2 traffic can be difficult to detect as attackers do everything possible to avoid discovery, given that many large scale cyberattacks are initially discovered when investigators notice C2 activity.

Here are some general techniques to detect and stop command and control traffic within your own network:

Scan and filter all traffic

This is the most important measure an organisation can take to prevent and detect C&C activities. Both inbound and outbound traffic should be monitored to detect suspicious activity such as the unauthorised encryption of network traffic (commonly used in DNS tunnelling operations), traffic to unknown servers, etc.

As well as simply blocking IRC, administrators can look for dubious outbound connection attempts in a much broader sense and create/update blacklists of services to deal with suspicious cases.
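One way to look for the DNS tunnelling mentioned above is to group queries by parent domain and flag parents that receive many long, high-entropy subdomains. This is an added example, not code from the original article; the sample queries are constructed, and the thresholds and the two-label parent-domain shortcut are assumptions.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than human-chosen names."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def parent_domain(qname):
    # Assumption: the last two labels stand in for the registered domain.
    # Real deployments should consult the Public Suffix List instead.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def tunnel_suspects(qnames, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Return {parent: (unique_subdomains, avg_length, avg_entropy)} for suspects."""
    subs = defaultdict(set)
    for qname in qnames:
        name = qname.rstrip(".").lower()
        parent = parent_domain(name)
        sub = name[: -len(parent)].rstrip(".")
        if sub:
            subs[parent].add(sub)
    suspects = {}
    for parent, names in subs.items():
        avg_len = sum(len(s) for s in names) / len(names)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in names) / len(names)
        if len(names) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            suspects[parent] = (len(names), round(avg_len, 1), round(avg_ent, 2))
    return suspects

def make_sample():
    """Constructed query log: ordinary lookups plus data-bearing subdomains."""
    normal = [f"{h}.example.org" for h in ("www", "mail", "cdn", "api", "login", "static")]
    chunks = [base64.b32encode(hashlib.sha256(bytes([i])).digest()).decode()[:40].lower()
              for i in range(6)]
    return normal + [f"{c}.tunnel-demo.test" for c in chunks] + ["example.org"]

if __name__ == "__main__":
    print(tunnel_suspects(make_sample()))
```

Some content delivery and security services also generate long machine-made subdomains, so flagged parents need an allowlist review before anything is blocked.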

Impose a blacklist

The IT system should not allow just any application to be installed or executed. Blocking the installation of applications from unknown sources prevents malware used as a bot to establish communication with the C2 server from being installed on systems.

Strengthen hosts against the initial malware infection that creates a bot

As well as maintaining and updating basic antivirus solutions, administrators can check system integrity, minimize root privileges and install client-side firewalls (especially effective if they support outbound, not just inbound packet rules). The fewer compromised machines you have, the less you have to worry about detecting the command and control server itself.

Separate infected hosts from the rest of hosts on the network.

When an infected computer is detected, immediately remove it from the network to isolate it from other hosts. This prevents malware from spreading and taking control of the network.

Adjust firewalls

Also adjust intrusion prevention/detection systems (IPS/IDS) according to context. Often it is possible to mitigate the problem by limiting network access to the tasks/ports that are directly relevant to the terminal. For example, in the case of a DNS server, everything could be blocked apart from UDP and TCP 53 ports. In addition, for certain free IDS solutions, there are downloadable rules that can help to detect and automatically block dubious activity in different ports or protocols, such as IRC, no matter where on the network it originates.

Periodically analyse the system with updated antivirus software

By using tried and tested antivirus software, host systems can be constantly scanned to ensure malware activity is detected and removed. In this way, malware used for communication with C2 servers is removed and the undercover channel is closed.

Use an EDR system.

An Endpoint Detection and Response (EDR) system protects a company’s computers and infrastructures. It combines traditional antivirus software with monitoring and artificial intelligence tools to offer a rapid and efficient response to complex risks and threats.

Thanks to this combination of elements and technologies, it is possible to detect all those risks and threats that can silently and inadvertently cause a security incident, putting the viability of the company at risk.

Try to decrypt the code of the malware to see how it works

Not all IT professionals are able to do this, but even the application of basic knowledge can give good results. For example, it is sometimes possible to find information that helps detect the command and control server by disassembling the compiled code, or even simply by using a sector analysis tool that converts hexadecimal to ASCII. However, given that cyberattackers are increasingly using integrated encryption, this cannot be expected to work in every case.
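The simple approach described above, as an added example that is not part of the original article: pull printable ASCII and UTF-16LE runs out of a binary and keep the URL and IPv4 candidates, then show that the same bytes yield nothing once they are encoded. The sample blob, its addresses and the single-byte XOR used to stand in for an obfuscated configuration are all constructed.

```python
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # UTF-16LE, common in Windows binaries
URL = re.compile(r"https?://[A-Za-z0-9./:_?=&%-]+")
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def printable_strings(blob):
    """Return printable runs of six or more characters, narrow then wide."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return found

def network_indicators(blob):
    """Return candidate C2 endpoints found in the blob's printable strings."""
    urls, ips = set(), set()
    for text in printable_strings(blob):
        urls.update(URL.findall(text))
        for ip in IPV4.findall(text):
            if all(int(octet) <= 255 for octet in ip.split(".")):
                ips.add(ip)
    return {"urls": sorted(urls), "ipv4": sorted(ips)}

# Constructed sample: header-like bytes, one narrow URL, one wide host:port, padding.
SAMPLE = (b"\x4d\x5a\x90\x00\x03\x00" + b"\x00" * 8
          + b"http://c2.example.test/gate.php\x00"
          + b"\xff\xfe\x01\x02"
          + "192.0.2.10:8443".encode("utf-16-le") + b"\x00\x00"
          + b"\x7f\x10\x80")

def encoded_sample(key=0x5A):
    """The same bytes after a single-byte XOR, standing in for an encoded config."""
    return bytes(b ^ key for b in SAMPLE)

if __name__ == "__main__":
    print(network_indicators(SAMPLE))
    print(network_indicators(encoded_sample()))  # nothing recoverable from strings alone
```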

Segment the network to separate devices

With different values of trust and risk (for example, public servers versus internal hosts that store sensitive documents).

Introduce speed limitation policies

To slow down traffic directed to dubious or untrustworthy endpoints.

Block methods of communication

Block unwanted or unused methods of communication that can be used for C2 activity (e.g., anonymisation networks, P2P overlays, social networks).

Each of these focal points should be treated as a tool, and combining tools in the necessary order helps to obtain a personalised strategy that adapts to local context and security needs.

Response after Detecting Command and Control Servers: Dismantling C&C

Taking down command and control networks, wherever they exist, will almost always require collaboration with law enforcement professionals on a case-by-case basis, as it is extremely difficult to take down an entire list of command and control servers. Examples include:

  • Working with a provider to remove/clean problematic servers or even confiscate specific physical hosts.
  • Revoking the service of exceptionally problematic domain names.
  • Completely removing a storage provider from service.

The conclusion is that, even though the detection of command and control servers is becoming increasingly difficult, there are many measures that IT professionals can take to mitigate and even eliminate the problem, even involving law enforcement if there is sufficient forensic evidence.

Conclusion

Controlling the command and control infrastructure is essential for attackers. Blocking C&C traffic or dismantling the C2 infrastructure of an attacker can stop a cyberattack in its tracks. Dismantling a C2 infrastructure should not be an organisation’s only focus; it should form part of a broader programme of information security that includes best practice, security training and awareness for employees, and structured policies and procedures. These steps can help greatly to mitigate the threat presented by the command and control infrastructure.