Part II: SaaS-ational Command and Control — Using Social Media and SaaS Platforms for Malicious Gain

Tom Philippe
Responsible Cyber
Mar 20, 2023


In a previous article, we explained how cybercriminals make use of social media, SaaS platforms, or pretty much any service with an API to hide the malicious traffic between their malware implants on infected machines and themselves (or their C2 server). We call such channels esoteric channels. The myriad of successful attacks that relied on them suggests that it is a very effective technique. But it is not infallible. In this article, we will explore a few approaches that blue teams can use to detect it.

An Operations Security Nightmare

Hiding behind a legitimate service can be risky for any criminal operation. We all remember how WannaCry's operations took a serious hit after Marcus Hutchins registered a single domain name. Imagine now if the esoteric channel relies on Twitter private messages:

  • The account(s) used to send messages could be hacked (how ironic!).
  • More realistically the account(s) could get suspended, blocked, or deleted.
  • The account(s) could get flooded: is the attacker’s infrastructure capable of handling tons of malformed inputs?

Additionally, using such channels risks exposing the entire operation, as most SaaS and social media platforms keep logs of the activity on their platforms (posts, messages, etc.), even after that content has been deleted.

Detection strategies

Traffic origin

Esoteric channels cover the traffic destination: instead of the regular C2 server, the outbound traffic is sent to a legitimate service. However, the source of the traffic is still illegitimate, and not necessarily hidden.

A typical way to identify this is to take a look at the DNS requests made on endpoints. We can ask ourselves: in a normal scenario, which executables would make DNS requests to twitter.com? We can imagine the desktop Twitter application would make such requests, or maybe a browser, but any other executable (especially an unsigned one) would be suspicious.

Additionally, implants using esoteric channels usually have a very specific behaviour when it comes to DNS requests: they only query their channel’s domain names. This clearly differs from the DNS traffic of a legitimate desktop application, which would need to load additional content, such as fonts, emojis and icons, and would therefore make additional requests to domains such as flaticons.com or fonts.gstatic.com.
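To make the two DNS heuristics above concrete, here is an added example (not code from the original article) that runs them over a few constructed, Sysmon-style DNS query events: it flags a process that is not expected to talk to the channel, and a process whose DNS profile consists only of channel domains. The channel domains and the list of expected processes are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed, Sysmon-style DNS query events (Event ID 22): process image and queried name.
SAMPLE_DNS_LOG = """\
Image=C:\\Program Files\\Twitter\\Twitter.exe QueryName=api.twitter.com
Image=C:\\Program Files\\Twitter\\Twitter.exe QueryName=abs.twimg.com
Image=C:\\Program Files\\Twitter\\Twitter.exe QueryName=fonts.gstatic.com
Image=C:\\Program Files\\Google\\Chrome\\chrome.exe QueryName=twitter.com
Image=C:\\Program Files\\Google\\Chrome\\chrome.exe QueryName=cdn.flaticon.com
Image=C:\\Users\\Public\\update.exe QueryName=api.twitter.com
Image=C:\\Users\\Public\\update.exe QueryName=api.twitter.com
Image=C:\\Users\\Public\\update.exe QueryName=twitter.com
"""

# Assumed for illustration: domains the channel (Twitter) is served from,
# and the process names expected to query them on a normal workstation.
CHANNEL_DOMAINS = ("twitter.com", "twimg.com")
EXPECTED_IMAGES = ("twitter.exe", "chrome.exe", "firefox.exe", "msedge.exe")

LINE_RE = re.compile(r"Image=(?P<image>.+?) QueryName=(?P<query>\S+)")

def parse_dns_log(text):
    """Return (image, query) pairs from the log; lines that do not match are skipped."""
    return [(m.group("image"), m.group("query").lower())
            for m in (LINE_RE.match(line) for line in text.splitlines()) if m]

def is_channel_domain(query):
    """True when the queried name is one of the channel domains or a subdomain of one."""
    return any(query == d or query.endswith("." + d) for d in CHANNEL_DOMAINS)

def find_suspicious_dns(records):
    """Map each process that queried the channel to the reasons it looks suspicious."""
    queries_by_image = defaultdict(set)
    for image, query in records:
        queries_by_image[image].add(query)
    findings = {}
    for image, queries in queries_by_image.items():
        if not any(is_channel_domain(q) for q in queries):
            continue  # never touched the channel: out of scope for these heuristics
        reasons = []
        if image.rsplit("\\", 1)[-1].lower() not in EXPECTED_IMAGES:
            reasons.append("unexpected process querying channel domain")
        if all(is_channel_domain(q) for q in queries):
            reasons.append("channel-only DNS profile (no supporting content domains)")
        if reasons:
            findings[image] = reasons
    return findings

if __name__ == "__main__":
    for image, reasons in find_suspicious_dns(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(image, "->", "; ".join(reasons))
```

On the sample events only update.exe is reported, for both reasons; Twitter.exe and chrome.exe also reach the channel but fetch supporting content from other domains.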

Packet anomalies

Added traffic: A malware implant is, by definition, an unwanted piece of software residing on an infected machine. As such, it performs unwanted actions; in our case, it communicates with a social media or SaaS platform. In doing so, it inevitably generates traffic from the endpoint to the platform’s servers. Imagine the owner of a device is not a Twitter user: the moment their machine is infected, we will see a surge in traffic from that endpoint to Twitter servers.

Packet sizes: As we saw during our demonstration of the RedditC2 tool in Part I, packet sizes vary widely when exfiltrating data from an endpoint. Although this is not an absolute metric (legitimate traffic can also have rather large packets, for instance when uploading or downloading images), it is an appreciable anomaly.

[Figure: packet containing exfiltrated data is significantly larger]

Unusual Behaviour

Esoteric channels help hide the traffic, but they cannot hide the actions taken on the endpoint itself. Most of the usual TTPs would still be detectable. To name a few:

  • The added traffic we already mentioned.
  • Process injection. To work around the traffic origin issue, one could be tempted to inject directly into a legitimate process that is expected to produce traffic to the chosen channel. With proper logging, such events can be detected.
  • Any persistence operations, such as registry edits.
  • And much more…

Let’s go further

We have now covered both the advantages offered by C3s and methods of detection.

Before concluding this article, I would like to take a second to reflect on the misuse of popular services. One could argue that these platforms are facilitating cybercrime and should have safeguards in place to prevent such misuse of their services. After all, most platforms already monitor all the uploaded content.

What should the platforms do? What solutions should they implement? What does it mean for our privacy? Let’s discuss!

Security researcher, passionate about hacking, Manager at Responsible Cyber