Secret communications have been around for a very long time, likely for as long as people have been communicating with each other at all. People have communicated secretly for military, political, commercial, and even personal reasons for thousands of years, whether their motivations were legitimate or malicious.
Within the last 100 years, as modern technology became one of the primary mechanisms for communication, technologies naturally evolved to allow people and machines to communicate secretly. And within the last 40 years or so (and yes, I know this timeline is subject to debate), as both software and malware have evolved, secret communications between hardware and software systems have been used for both legitimate and malicious purposes.
No matter what time in history this communication occurred, no matter what the motivation, and no matter what technologies are being used, there have always been two complementary aspects of secret communication - the confidentiality of the information being communicated, and the covertness of the communication mechanism itself.
This post primarily deals with techniques around the covert aspects of malware communication mechanisms. However, it is worth noting that the confidentiality of information flows related to malware are equally compelling, and whole disciplines of study have evolved around those aspects. Cryptography, cryptanalysis, compression, and hashing are all examples of techniques that relate, at least peripherally, to securing information, and may be used by malware authors to attempt to maintain the confidentiality of the information they are transmitting.
Covert communication is a slightly different, and likely separate, aspect of an attack. It revolves around the idea that many attackers will try to hide the very fact that they are communicating, along with the channel involved. They may use covert communication techniques that are completely separate from the confidentiality mechanisms they use to secure the information, and the use of one aspect does not necessarily imply the other.
So why would a threat actor or malware author attempt to conceal the communications mechanism itself? The primary reason is to avoid detection, which increases the dwell time of the malware. In essence, the longer a communication mechanism goes unnoticed, the longer the attacker’s technique or malware can persist in an environment.
In a concrete physical example, even hundreds of years ago, spies may have used code words to maintain the confidentiality of their message. Even if those code words were intercepted, the information would be useless to a person without the key to the code. Separately, if they wove those code words into an actual story written in a book, and used the Cardan grille pictured here to call out those words by masking the page with a piece of cardboard or metal, they would have created a covert communications channel (the book) that would be less likely to be discovered, regardless of the code or message hidden on the page.
MITRE proposes Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) as a model and framework for describing the actions an adversary may take while operating within an enterprise. Let’s discuss how covert communication ties specifically to at least two of the malware attack tactics in that framework - Exfiltration and Command & Control.
Exfiltration is a tactic that the attacker uses to actually extract their desired information from the target enterprise. Many threat actors and many types of malware are focused on exfiltrating valuable information, and some may use covert communication to obfuscate their extraction mechanism.
An example of malware that uses a covert communication channel to protect its exfiltration is Multigrain, a variant of the NewPosThings point-of-sale (POS) malware family. This malware looks for credit card data on POS systems and then extracts the data via DNS queries. Since DNS queries are very common, and likely to originate from almost any commercial operating system, the presence of the query itself is not necessarily unusual. Transporting the stolen data covertly inside the query (where it may or may not also be protected by a confidentiality mechanism) hides the actual communication mechanism itself.
As a consequence, enterprises that are losing their credit card data to threat actors using Multigrain may not even know they’ve been compromised and the dwell time of the malware increases.
Command and Control (C2) is a tactic that describes how adversaries manage their malware once it is deployed - literally, it is how they control the malware in place, and command it to take various actions. This is another essential type of communications channel that, from an attacker’s perspective, would benefit from going unnoticed.
Malware C2 protection via covert communication is a relatively common occurrence. There are many examples of malware families that obfuscate their C2 traffic in a legitimate channel or protocol such as DNS (e.g. PlugX, a variant of which was responsible for the US OPM hack) or HTTP (e.g. AridViper, an operation targeting organizations in the Middle East). A very recent example of this type of covert C2 is DNSMessenger, a fileless PowerShell-based malware that uses DNS TXT queries and responses to perform command and control operations.
Again, the main consequence of this type of covert communication for C2 is that the victim enterprise may not realize that they have been compromised for an extended period of time, as was the case with OPM. As such, this type of covert communication increases the dwell time of the malware, and allows threat actors to operate longer, expanding their reach, and accomplishing more of their objectives.
Fortunately, there are defenses against malware that attempts to establish covert communications for exfiltration and C2.
Devices such as Next Generation Firewalls (NGFWs) and other specialized systems that perform deep packet inspection (DPI) can examine network traffic at various levels within a protocol to determine whether messages carry unusual data, unusual entropy, or unusual size, or whether an unusual volume of messages occurs within a time period. The presence of these types of indicators may signal that further forensic examination or incident response is needed. They may also just indicate that there is a bug in the software, or the traffic may even be legitimate, so it is best to correlate this type of forensic artifact with other information.
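As an added example (not code from the original post), the following Python runs the DPI-style checks just described over a constructed DNS query log: oversized leftmost labels, high-entropy or hex-encoded label data, and a burst of such queries from one host inside a time window. A host is flagged only when several indicator-bearing queries line up, reflecting the advice to correlate before acting. Host names, domains, and thresholds are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: (seconds, source host, queried name).
# Names under data.evil-example.test are hypothetical exfiltration-style queries
# carrying a hex-encoded payload in the leftmost label; the rest are ordinary lookups.
SAMPLE_DNS_LOG = [
    (0, "pos-01", "www.example.com"),
    (1, "pos-01", "mail.example.com"),
    (2, "pos-02", "4f6a9c2e1b7d8e3f5a6c7b8d9e0f1a2b3c4d5e6f.data.evil-example.test"),
    (3, "pos-02", "a1b2c3d4e5f60718293a4b5c6d7e8f9011223344.data.evil-example.test"),
    (4, "pos-02", "5566778899aabbccddeeff00112233445566778899.data.evil-example.test"),
    (5, "pos-01", "cdn.example.com"),
]

def shannon_entropy(text):
    """Bits per character of text; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def query_indicators(name, max_label_len=30, min_entropy=3.5):
    """Indicators a DPI rule might raise for one name: size, entropy, encoded data."""
    label = name.split(".")[0]  # the leftmost label is where a payload would sit
    hits = []
    if len(label) > max_label_len:
        hits.append("long_label")
    if shannon_entropy(label) > min_entropy:
        hits.append("high_entropy")
    if len(label) >= 16 and set(label) <= set("0123456789abcdef"):
        hits.append("hex_encoded_label")
    return hits

def suspicious_hosts(log, window=60, threshold=2):
    """Map host -> peak count of indicator-bearing queries within any window-second span,
    for hosts reaching threshold. One odd query alone (a bug, a legitimate oddity) never flags."""
    stamps = defaultdict(list)
    for ts, host, name in log:
        if query_indicators(name):
            stamps[host].append(ts)
    flagged = {}
    for host, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = max(end - start + 1, flagged.get(host, 0))
    return flagged
```

Running `suspicious_hosts(SAMPLE_DNS_LOG)` flags only `pos-02`, whose three consecutive queries each trip all three indicators; the ordinary lookups from `pos-01` raise none.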
Next Generation Antivirus (NGAV), Endpoint Detection and Response (EDR), and other types of behavioral detection mechanisms are also useful in identifying a covert communication channel. For example - if a process typically never makes DNS or HTTP requests to the internet, but all of a sudden one day it starts generating these types of messages, it may deserve further scrutiny. Again, multisource confirmation of malicious activity is always good practice in this case as well.
And finally, it is important to remember that threat actors are always evolving, just as they have in the hundreds of years before information security around modern technology was even a concern. Continuous validation and identification of gaps in your security infrastructure can help you keep pace with the latest covert communication techniques, whether they be DNS exfiltration, or the latest modern version of the Cardan grille.
Visit our website for more information on how AttackIQ can help validate that your security controls are effective against covert communication techniques used for exfiltration and command and control.