1. Home
  2. Techniques
  3. Enterprise
  4. 多阶段信道

多阶段信道

ID Name
T1104.001 动态协议切换信道
T1104.002 僵尸网络节点中继信道
T1104.003 载荷分离式多级触发信道

多阶段信道指攻击者通过构建分层次的指挥控制链路来提升通信隐蔽性的技术,其核心特征是将完整的C2流程拆解为多个功能隔离的阶段。传统防御主要依赖网络流量分析(如异常连接模式识别)和终端行为监控(如可疑进程外联检测),通过关联跨协议通信事件或识别加密流量中的元数据异常来发现威胁。典型缓解措施包括部署网络层协议深度分析、实施出口流量白名单管控等。

为突破传统检测机制对持续性通信链路的追踪能力,攻击者发展出多阶段信道技术,通过协议动态化、拓扑去中心化、功能碎片化等策略,将单条高风险的C2通道解构为多个低特征子通道,利用阶段间的逻辑隔离与协议异构性规避关联分析。

现有匿迹技术的核心在于构建时空分离的通信矩阵与动态自适应的协议生态。动态协议切换信道通过建立协议类型与网络环境的映射规则,使各阶段流量呈现独立协议特征,阻断基于协议一致性的行为建模;僵尸网络节点中继信道利用已控设备群构建动态中继网络,利用节点分布式特性稀释通信路径特征,并通过分层加密制造溯源断点;载荷分离式信道则突破传统C2的完整性要求,将攻击能力拆解为无害化组件,依赖合法云服务实现模块化重组。三类技术的共性在于将传统端到端通信转化为多维度、多形态的交互过程,通过阶段功能解耦与传输介质多样化,使得任何单点检测都难以还原完整攻击链条。

多阶段信道技术的发展导致传统基于会话日志分析的检测体系面临根本性挑战,防御方需构建跨阶段威胁狩猎能力,开发协议行为图谱分析技术,并强化云端存储服务的异常访问监测,通过全链路行为建模识别离散阶段间的隐蔽关联。

ID: T1104
Sub-techniques:  T1104.001, T1104.002, T1104.003
Tactic: 命令控制
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 31 May 2017
Last Modified: 14 July 2020

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过模拟合法协议栈和滥用可信服务实现通信特征隐匿。动态协议切换技术使各阶段流量呈现不同协议的标准特征,中间节点转发利用CDN等基础设施赋予流量合法业务属性。这种多协议融合策略有效破坏攻击流量的统一特征标识。

数据遮蔽

分层加密体系贯穿整个通信链路,首阶段采用TLS标准加密,后续阶段叠加自定义加密算法,关键指令通过内存解密执行不留磁盘痕迹。多级加密机制确保即使部分信道被破解,核心通信内容仍受保护。

时空释痕

攻击者将通信过程分散在数天甚至数周内完成,各阶段间隔实施随机化延迟。组件分发利用全球CDN节点实现地理维度分散,结合时间触发机制使完整攻击链特征稀释在长周期网络活动中,传统基于实时关联分析的检测手段难以有效捕捉。

Procedure Examples

ID Name Description
G0022 APT3

An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.[1]
G0096 APT41

APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.[2]
S0031 BACKSPACE

BACKSPACE attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs "louder" interactions with the malware.[3]
S0534 Bazar

The Bazar loader is used to download and execute the Bazar backdoor.[4][5]
S0069 BLACKCOFFEE

BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines.[6]
S0220 Chaos

After initial compromise, Chaos will download a second stage to establish a more permanent presence on the affected system.[7]
S1160 Latrodectus

Latrodectus has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier two nodes connecting to backend infrastructure.[8]
G0032 Lazarus Group

Lazarus Group has used multi-stage malware components that inject later stages into separate processes.[9]
S1141 LunarWeb

LunarWeb can use one C2 URL for first contact and to upload information about the host computer and two additional C2 URLs for getting commands.[10]
G0069 MuddyWater

MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.[11]

S1086 Snip3

Snip3 can download and execute additional payloads and modules over separate communication channels.[12][13]
S0022 Uroburos

Individual Uroburos implants can use multiple communication channels based on one of four available modes of operation.[14]
S0476 Valak

Valak can download additional modules and malware capable of using separate C2 channels.[15]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

References

  1. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  2. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  3. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  4. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  5. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  6. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  7. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  8. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  1. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  2. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  3. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  4. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  5. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
  6. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  7. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.