SaaS-ational Command and Control — Using Social Media and SaaS Platforms for Malicious Gain

Tom Philippe
Published in Responsible Cyber
Mar 16, 2023

SaaS (Software as a Service) and cloud services have become increasingly popular in recent years for their convenience and ease of use. They offer access to a wide range of applications and services, from productivity tools to data storage and collaboration platforms. However, these same characteristics also make SaaS and cloud services attractive to hackers looking for new and creative ways to communicate with their command and control servers (C2).

In this article, we will explore the use of SaaS and cloud services as a way to evade detection and maintain control over compromised systems. Such “hidden” channels are called esoteric channels, and when associated with C2 they are commonly referred to as Custom Command and Control (C3), or, as I like to call it, SaaS-ational Command and Control :D

A bit of background

What is a Command and Control server?

A command and control server is a type of server that provides a central point of communication for malware-infected devices to receive commands from cybercriminals. The malware on infected devices typically connects to the C2 server at predetermined intervals, often using encrypted channels to evade detection. These servers are used to remotely control a network of infected devices, and can be used for various malicious activities such as stealing data, launching attacks, or installing additional malware.

In short, C2 servers are the brains of the operation, allowing cybercriminals to send instructions to the malware on compromised devices, and to receive information back from them.

Simplistic communication flow between the cybercriminal, a C2 server and victim machines

The common issue to all C2 communications

As we described above, the C2 is the one server that infected machines communicate with. And that poses a big issue for cybercriminals: how do you hide the communications? Attackers got creative, and use a myriad of tricks to hide their traffic and avoid detection (by antivirus, EDRs, blue teams etc.), such as using the well-known HTTPS protocol, VPNs, or more advanced techniques like DNS tunneling. But this is always problematic: no matter how well you hide your traffic, the destination does not change (or it could if you have multiple C2 servers, but the same underlying issue applies to each server), and the more attackers try to stay anonymous by routing the traffic to servers hidden behind Tor, or on some shady cloud provider with little to no identity verification, the bigger the red flags for defenders.

At the end of the day, one problem persists: one way or another, the cybercriminal needs the infected devices to reach the C2 server. Or do they?

Esoteric Channels: a silver bullet?

As we just saw, no matter how much attackers try to blend in and hide their malicious communications, the destination is always an issue, because it is never legitimate. Esoteric channels change the game. What if, instead of calling out to the C2 server, the infected devices were reaching out to a legitimate, commonly used SaaS platform, or a social media platform? What if, instead of exfiltrating sensitive files through DNS tunneling, the attacker were to send himself a private message on Twitter?

Communication flow between a botmaster and the infected machines via a Social Media platform

Not only is the traffic itself (if not its content) legitimate, since you are sending an HTTPS request to the Twitter API to perform the legitimate action of sending a message, but the destination is also legitimate: Twitter is a well-known and established entity.

Let’s put the theory to the test

What better way to check whether this actually works than to compare “regular” C2 traffic with esoteric channel traffic?

Regular traffic analysis

Let’s see what “regular” C2 traffic is like by taking a look at some packet captures. We will start with a classic exfiltration technique via HTTP requests. The malware on the infected machine sends requests to the C2 server and hides the exfiltrated data inside the request. The example below, taken from an analysis of the Emotet malware by Palo Alto, shows that the content is encoded into the requested resource of the POST request. Once you know what to look for, it is fairly easy for security analysts, or even automated solutions, to detect such traffic.

Wireshark analysis of Emotet malware communications with its C2 servers

Similarly, this analysis of DNS tunneling shows that the communications with the C2 server are easily detectable with proper DNS traffic monitoring.

Wireshark analysis of DNS tunneling traffic

Esoteric channel traffic analysis

Let’s now take a look at traffic between an infected machine and a C3. For the purpose of this demonstration, I used RedditC2, by kleiton0x00 and T4TCH3R. It leverages PRAW, a Python wrapper for Reddit’s API, to use Reddit channels as a communication link between the attacker and the victim machine. Other open source tools that cover additional channels exist. I will link some of them in the reference section at the end of this article.

The picture below is obtained by capturing the traffic generated on an endpoint by legitimately browsing Reddit forums. It is plain HTTPS traffic between the endpoint and the Reddit servers, with IP 151.101.61.140.

Wireshark analysis of legitimate web traffic between the victim machine and the Reddit servers.

Now it is interesting to see what malicious traffic generated by the malware implant looks like… And there’s barely any difference, as seen below. The highlighted packet contains exfiltrated data, in this case the content of a random file, which makes it significantly bigger than the other ones. However, we could imagine an improvement where heavy content gets fragmented into smaller parts.

Wireshark capture of the outgoing exfiltrated data from an infected machine

If you were a security analyst reviewing network traffic, would you have spotted it? Let me know how!
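One way an analyst could answer that question is to stop looking at the payload (which is legitimate HTTPS to a legitimate host) and look at the traffic profile instead: the size of what the endpoint sends, and how regularly it sends it. The script below is an added example, not part of the article or of RedditC2; the flow records are constructed and only reuse the Reddit edge IP quoted above. It flags byte-count outliers per destination with a median/MAD test, and scores beacon-like timing with the coefficient of variation of the gaps between flows.

```python
# Added example (not the article's code): profile-based triage of flows to a SaaS host.
from collections import defaultdict
from statistics import median

# Constructed records: (seconds since capture start, dst_ip, bytes sent by the endpoint).
REDDIT = "151.101.61.140"  # Reddit edge IP quoted in the article
BROWSING_FLOWS = [(t, REDDIT, b) for t, b in zip(
    [0, 2, 3, 11, 12, 40, 41, 43, 95, 96, 130, 131],          # bursty, human timing
    [1420, 1380, 1510, 1460, 1390, 1440, 1470, 1400, 1530, 1450, 1410, 1480])]
IMPLANT_FLOWS = [(t, REDDIT, b) for t, b in zip(
    range(0, 360, 30),                                        # one poll every 30 s
    [1420, 1380, 1510, 1460, 1390, 1440, 98500, 1470, 1400, 1530, 1450, 1410])]


def size_outliers(flows, k=5.0):
    """Return flows whose byte count exceeds the per-destination median by more than k MADs."""
    by_dst = defaultdict(list)
    for _, dst, nbytes in flows:
        by_dst[dst].append(nbytes)
    flagged = []
    for t, dst, nbytes in flows:
        med = median(by_dst[dst])
        mad = median(abs(s - med) for s in by_dst[dst]) or 1.0  # guard against zero spread
        if (nbytes - med) / mad > k:
            flagged.append((t, dst, nbytes))
    return flagged


def beacon_score(flows, dst):
    """Coefficient of variation of inter-flow gaps to dst; near 0 means clock-like timing."""
    times = sorted(t for t, d, _ in flows if d == dst)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return None
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return var ** 0.5 / mean


if __name__ == "__main__":
    for name, flows in (("browsing", BROWSING_FLOWS), ("implant", IMPLANT_FLOWS)):
        print(name, "outliers:", size_outliers(flows),
              "beacon score:", round(beacon_score(flows, REDDIT), 2))
```

The size test alone is defeated by the fragmentation improvement mentioned above, which is why it is paired with the timing score: chunking an upload into poll-sized pieces does not change the fact that a scheduled implant checks in far more regularly than a person browsing.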

Conclusion

This technique is not exactly new (the concept is already a few years old), but unfortunately, it continues to have a devastating impact on organizations all around the world. There is no shortage of cases; here are a few notable ones:

  • Microsoft’s OneDrive used for the compromise of a politician’s office against an espionage backdrop. I have to appreciate how they named the malware “Graphite” since it uses the Microsoft Graph API…
  • The SLUB backdoor exploited Slack and GitHub.
  • Slack again, during the hack of an airline company.

So are we doomed to be the eternal victims of cybercriminals through esoteric channels? Not quite! Stay tuned for part 2 on what techniques defenders / blue teamers can use to detect and respond to the misuse of such common services.

Thanks for reading! Please let me know your feedback in the comments and feel free to subscribe if you like the content!

A few references to some nice tools
