This article from FireEye describes four different types of C2 traffic you might see in assembly, such as:

Sockets: socket(), connect(), bind(), listen(), send(), recv(), sendto(), recvfrom()

WinInet: InternetOpen(), InternetConnect(), InternetOpenURL(), HttpOpenRequest(), InternetReadFile(), InternetWriteFile()

URLMon: URLDownloadToFile(), URLDownloadToCacheFile(), URLOpenStream(), URLOpenPullStream()

Controlling Internet Explorer with COM: CoInitialize(), CoCreateInstance(), Navigate(), Navigate2(), get_Document()
So an attacker can choose any one of these groups to do their bidding.
The functions that "send" data could be used to exfiltrate data or to ask the Command and Control server for the next instruction.
The functions that "receive" data could be used to download a new payload or more malware, or to get the next instruction from the Command and Control server.
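To turn these four lists into a quick triage check, here is an added Python example (my own, not code from the FireEye article or this post): it takes the import names pulled from a sample, strips the A/W suffix that Windows API imports actually carry (InternetOpenA, URLDownloadToFileW), and reports which families are present and whether the matched functions send or receive. The import list and the send/receive labels on individual functions are my assumptions for illustration.

```python
import re

# The four API families from the post. The value marks the direction the
# post talks about: "send" (exfiltrate / ask C2 for a task), "recv" (pull a
# payload or instruction), or None for setup calls. Labels are an assumption.
C2_API_FAMILIES = {
    "Sockets": {
        "socket": None, "connect": None, "bind": None, "listen": None,
        "send": "send", "sendto": "send", "recv": "recv", "recvfrom": "recv",
    },
    "WinInet": {
        "InternetOpen": None, "InternetConnect": None, "InternetOpenURL": "recv",
        "HttpOpenRequest": None, "InternetReadFile": "recv", "InternetWriteFile": "send",
    },
    "URLMon": {
        "URLDownloadToFile": "recv", "URLDownloadToCacheFile": "recv",
        "URLOpenStream": "recv", "URLOpenPullStream": "recv",
    },
    "IE via COM": {
        "CoInitialize": None, "CoCreateInstance": None,
        "Navigate": None, "Navigate2": None, "get_Document": None,
    },
}

# Constructed import table of a typical WinInet downloader (not from a real sample).
SAMPLE_IMPORTS = ["GetProcAddress", "LoadLibraryA", "InternetOpenA", "InternetConnectA",
                  "HttpOpenRequestA", "InternetReadFile", "CreateFileW", "WriteFile"]


def triage_imports(imports):
    """Map raw import names onto the C2 families; return only families that were hit."""
    lookup = {}  # normalized name -> (family, direction)
    for family, funcs in C2_API_FAMILIES.items():
        for name, direction in funcs.items():
            lookup[name.lower()] = (family, direction)
    hits = {}
    for raw in imports:
        key = re.sub(r"[AW]$", "", raw).lower()  # InternetOpenA -> internetopen
        if key not in lookup:
            continue
        family, direction = lookup[key]
        entry = hits.setdefault(family, {"matched": [], "send": False, "recv": False})
        entry["matched"].append(raw)
        if direction:
            entry[direction] = True
    return hits


if __name__ == "__main__":
    for family, info in triage_imports(SAMPLE_IMPORTS).items():
        print(f"{family}: {info['matched']} send={info['send']} recv={info['recv']}")
```

A family that shows "recv" without "send" fits the downloader pattern the post describes; seeing both suggests a two-way channel worth a closer look.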