1. Home
  2. Techniques
  3. Enterprise
  4. 网络服务

网络服务

ID Name
T1102.001 合法协议封装通信
T1102.002 动态服务拓扑切换

网络服务滥用指攻击者利用合法云服务、社交平台等Web服务作为命令控制或数据传输通道,通过协议模拟、加密通信等方式隐藏恶意活动。传统防御手段聚焦于检测异常API调用模式、识别加密流量中的元数据特征,以及监控用户行为异常。缓解措施包括实施SSL/TLS解密审查、建立网络流量基线模型,以及分析客户端与服务端的数据传输不对称性。

为规避传统检测机制,攻击者逐步发展出基于云原生架构的隐蔽通信技术,通过深度整合Web服务生态特性与攻击链需求,构建出多层匿迹防护体系。这些技术突破单点对抗模式,将恶意行为无缝嵌入云服务业务流,形成"服务即武器"的新型攻击范式。

当前网络服务匿迹技术的共性特征体现为服务生态的武器化改造与协议语义的对抗性重构。攻击者通过协议逆向工程将恶意功能映射至合法服务接口,例如将C2指令编码为API参数、利用云存储事件驱动机制实现异步通信。动态拓扑切换则依托云服务的弹性架构,构建出时变通信矩阵。这些技术均注重利用服务提供商的基础设施优势,例如全球CDN加速、自动扩容机制、跨区域冗余存储等,将攻击流量深度隐藏在服务提供商的运维体系之中,迫使防御方必须穿透多层服务抽象才能实施有效检测。

匿迹技术的演进使得传统基于流量特征或端点行为的检测方法面临严峻挑战。防御体系需向服务语义理解方向升级,构建跨云平台的元数据关联分析能力,开发基于服务上下文的行为异常检测模型,并建立与云服务提供商的安全数据共享机制,实现对滥用行为的全景式监控。

ID: T1102
Sub-techniques:  T1102.001, T1102.002
Tactic: 命令控制
Platforms: Linux, Windows, macOS
Contributors: Anastasios Pingios; Sarathkumar Rajendran, Microsoft Defender365
Version: 1.2
Created: 31 May 2017
Last Modified: 07 October 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过精确模拟目标云服务的API交互模式,将恶意通信流量伪装成合法的业务请求。例如使用标准OAuth 2.0令牌进行身份认证,严格遵循RESTful API设计规范,使得恶意流量在协议结构和交互流程上与正常业务流量完全一致,有效规避基于协议合规性检查的防御机制。

数据遮蔽

普遍采用传输层加密(TLS 1.3)与应用层加密(如云服务客户端加密)的双重加密机制,同时利用云服务商提供的密钥管理体系隐藏加密密钥。部分技术进一步实施数据分片存储与跨区域冗余,确保单一节点被查获时无法还原完整数据。

时空释痕

通过动态拓扑切换,将攻击流量分散到多个地理区域和时区。利用云服务的自动伸缩特性实现通信节奏的动态调整,使攻击行为的时间分布与目标组织的业务周期保持同步,显著降低异常时间窗口的检测可能性。

Procedure Examples

ID Name Description
G0050 APT32

APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.[1]
C0040 APT41 DUST

APT41 DUST used compromised Google Workspace accounts for command and control.[2]
S1081 BADHATCH

BADHATCH can be utilized to abuse sslip.io, a free IP to domain mapping service, as part of actor-controlled C2 channels.[3]
S0534 Bazar

Bazar downloads have been hosted on Google Docs.[4][5]
S0635 BoomBox

BoomBox can download files from Dropbox using a hardcoded access token.[6]
S1063 Brute Ratel C4

Brute Ratel C4 can use legitimate websites for external C2 channels including Slack, Discord, and MS Teams.[7]
S1039 Bumblebee

Bumblebee has been downloaded to victim's machines from OneDrive.[8]
C0017 C0017

During C0017, APT41 used the Cloudflare services for C2 communications.[9]
C0027 C0027

During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.[10]
S0335 Carbon

Carbon can use Pastebin to receive C2 commands.[11]
S0674 CharmPower

CharmPower can download additional modules from actor-controlled Amazon S3 buckets.[12]
S1149 CHIMNEYSWEEP

CHIMNEYSWEEP has the ability to use use Telegram channels to return a list of commands to be executed, to download additional payloads, or to create a reverse shell.[13]
S1066 DarkTortilla

DarkTortilla can retrieve its primary payload from public sites such as Pastebin and Textbin.[14]
S0600 Doki

Doki has used the dogechain.info API to generate a C2 address.[15]
S0547 DropBook

DropBook can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions.[16][17]
G1011 EXOTIC LILY

EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.[18]
G0037 FIN6

FIN6 has used Pastebin and Google Storage to host content for their operations.[19]

G0061 FIN8

FIN8 has used sslip.io, a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.[20]
G0117 Fox Kitten

Fox Kitten has used Amazon Web Services to host C2.[21]
G0047 Gamaredon Group

Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.[22]

S0561 GuLoader

GuLoader has the ability to download malware from Google Drive.[23]
S0601 Hildegard

Hildegard has downloaded scripts from GitHub.[24]
G0100 Inception

Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.[25][26]
S1160 Latrodectus

Latrodectus has used Google Firebase to download malicious installation scripts.[27]
G0140 LazyScripter

LazyScripter has used GitHub to host its payloads to operate spam campaigns.[28]

G0129 Mustang Panda

Mustang Panda has used DropBox URLs to deliver variants of PlugX.[29]
S0198 NETWIRE

NETWIRE has used web services including Paste.ee to host payloads.[30]
S0508 ngrok

ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.[31]
S1147 Nightdoor

Nightdoor can utilize Microsoft OneDrive or Google Drive for command and control purposes.[32][33]
C0005 Operation Spalax

During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads.[34]
S1130 Raspberry Robin

Raspberry Robin second stage payloads can be hosted as RAR files, containing a malicious EXE and DLL, on Discord servers.[35]
G1039 RedCurl

RedCurl has used web services to download malicious files.[36][37]
G0106 Rocke

Rocke has used Pastebin, Gitee, and GitLab for Command and Control.[38][39]
S0546 SharpStage

SharpStage has used a legitimate web service for evading detection.[16]

S0589 Sibot

Sibot has used a legitimate compromised website to download DLLs to the victim's machine.[40]
S0649 SMOKEDHAM

SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links.[41]
S1086 Snip3

Snip3 can download additional payloads from web services including Pastebin and top4top.[42]
S1124 SocGholish

SocGholish has used Amazon Web Services to host second-stage servers.[43]
G0139 TeamTNT

TeamTNT has leveraged iplogger.org to send collected data back to C2.[44][45]
G0010 Turla

Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.[11][46]
S0689 WhisperGate

WhisperGate can download additional payloads hosted on a Discord channel.[47][48][49][50][51]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
M1021 Restrict Web-Based Content

Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

References

  1. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  2. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  3. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  4. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  5. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  6. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  7. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  8. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  9. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  10. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  11. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  12. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  13. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  14. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  15. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  16. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  17. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  18. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  19. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  20. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  21. ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
  22. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  23. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
  24. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  25. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  26. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  1. Unit 42. (2024, June 25). 2024-06-25-IOCs-from-Latrodectus-activity. Retrieved September 13, 2024.
  2. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  3. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  4. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  5. Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.
  6. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
  7. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
  8. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  9. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  10. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  11. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  12. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  13. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  14. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  15. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
  16. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  17. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
  18. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
  19. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  20. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  21. Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022.
  22. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  23. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
  24. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  25. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.