A command-and-control server (C&C) is a computer that threat actors use to send instructions to compromised systems. Their goal is to direct infected devices into performing further malicious activities on the host or network.
Hackers can use C&C or C2 servers to create botnets and launch DDoS attacks, steal, delete, and/or encrypt data. Basically, a command-and-control server facilitates the communication between a threat actor and its target. The attacks are frequently executed over DNS.
In order to avoid detection, Command-and-Control servers use domain generation algorithms, so that law enforcement has a harder time trying to locate them.
According to researchers, the number of C&C servers increased by 30% in 2022. In December last year, there were over 17,000 such units, as compared to 13,629 in 2021. China owns most of them, at the moment (over 4,000), while the U.S. seconds it, with a number of 3,928 C2s.
So, since this is clearly serious business, let`s deep in and see what these command-and-control servers are all about.
How Does a Command-and-Control Server Work?
All C2s stories begin with, well, an infection. In order for the threat actor to perform a command-and-control attack, the first step is to compromise a device. It can be any kind of device that goes online: a laptop, desktop, router, smartphone, smartwatch, or any other IoT device.
Some of the most successful techniques hackers use to infect a machine are:
- Phishing – hackers send emails that determine users to click on malicious links or download infected files. They use spoofing and/ or social engineering techniques to achieve their goals.
- Malvertising – hackers inject malicious code inside digital advertisements. This makes it possible for a user to get infected even while browsing a legitimate website. Malicious ads are intensively used to spread financial malware, info-stealers, ransomware, and other threats.
- Directly installing malware on a machine through a USB stick. Connecting the device to an infected hard drive or a network drive also does the trick.
- Exploiting an unpatched vulnerability on the OS or an app can also compromise a system.
- Exploiting browser plugin security flaws.
The compromised machine used for command-and-control attacks is called a zombie.
The next step after the computer or device is infected is to establish communication with the C&C server. The malware beacons (signals) to the controlling server that it is ready to receive commands. Once the communication channel is on, the malicious actor can install additional malware on the host, exfiltrate data, and perform a lateral move to infect other network resources.
As a consequence of this kind of attack, a C2 server may be able to gain a botnet of infected machines.
Of course, hackers will do their best to evade firewall detection. So they`ll try to leverage DNS, HTTP, or HTTPS traffic in order to pass the C&C communication unnoticed.
The Three Types of Command-and-Control Botnets Architecture
As hackers are interested in creating long-term command and control infrastructures, they already tried several methods. The trick is to succeed imitating normal traffic patterns for disguising communication. Pages and photos on Social Networks can be used as a cover for C&C traffic, as well as DNS traffic, and communication networks like Tor.
Let`s now look through the three main types of C&C models:
The centralized command-and-control model the most frequently used, at the moment. Bots like AgoBot, SDBot, and RBot rely on it. In this instance, the malware on the infected machine acts as a client, asking the server for instruction from time to time. Since there is a single-source IP address, the centralized model is easy to detect and block. But threat actors do their best to evade detection. So, they`ll use redirectors, public cloud services, legitimate websites, and other tricks to cover their server.
- Peer-to-Peer (P2P)
A decentralized server uses a botnet without a master or centralized module. Although it is harder to detect, it also makes it more complicated for the threat actor to send instructions to the whole botnet. Put the Centralized and the P2P models can also be used together. Sometimes threat actors set up a centralized C&C server, but back it up with a P2P one. If the centralized C2 is found and removed, the P2P one will take its place.
This model is the hardest to detect and block. Hackers use random sources to send instructions to the infected machine or botnet. The instructions come from various, usually trusted sources: emails, social media, IRC chat rooms, CDNs, etc.
5 Common Command-and-Control Techniques Hackers Use
1. Application Layer Protocol – Threat actors use application layer protocols to avoid detection and network filtering. They circulate all communication through the protocol stream between the client and server. Here are the protocols they use:
- Mail Protocols
2. Data Encoding – Threat actors encrypt data so it will be more difficult to identify the nature of the transmission.
3. Data Obfuscation – To make it harder for security teams to intervene, hackers will use data obfuscation techniques. Their goal is to make the information as hard as possible to notice and understand. So, they may add garbage data to protocol traffic, employ steganography, or impersonate valid protocols.
4. Dynamic Resolution – In order to evade classic detection measures, hackers dynamically create links to command-and-control infrastructure. The techniques they use are:
- Fast Flux DNS
- Domain Generation Algorithms (DGAs)
- DNS Calculation
5. Encrypted Channel: In some instances, hackers use a known encryption technique to hide command and control communications. If secret keys are encoded or created inside malware configuration files, these implementations may result in reverse engineering. The two techniques hackers may use for this are
- symmetric cryptography
- asymmetric cryptography
What Are Command-and-Control Servers Used for?
There is more to what C&C servers can do besides installing malware. Basically, command-and-control servers can have two main uses. As command centers that send instructions to or receive stolen data from malware on an infected device. Or as a headquarters for infected devices that form a botnet.
However, in terms of goals, here are some of the things threat actors can achieve when they use a C2 server:
- Data exfiltration – Once the adversaries got a foothold in an infected device, it will be easy for them to exfiltrate all sorts of data from a computer or network onto the control server. Financial records, login credentials, employees’ databases, and health records are only some of the sensitive data hackers can obtain by launching a command-and-control attack. Next stop: ransomware or data leakage.
- DDoS attacks – This is one of the most frequent DNS attack types – Through DDoS attacks, adversaries succeed in disrupting online services or even putting down websites. They send a huge number of requests to an IP address and thus cause overcrowding of the server. The result is legitimate traffic will not be able to access the network.
- Restart endpoints or shut down the network – This is another way threat actors can affect a company`s daily tasks. Rebooting all devices or shutting down a hospital`s network, for example, can bring serious consequences.
- Preparing for future attacks – Sometimes, hackers manage to infect a company`s software system with malicious code. This generates a backdoor to that company`s customers’ machines. The unsuspecting users will then fall victim to spyware and other threats.
Antivirus is no longer enough to keep an organization’s systems secure.
Heimdal® Threat Prevention- Endpoint
Is our next gen proactive shield that stops unknownthreats before they reach your system.
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today30-day Free Trial. Offer valid only for companies.
How Can Heimdal® Prevent Command-and-Control Attacks?
Traffic monitoring and DNS filtering are must-have security practices against C&C attacks. These are the most important measure a company can take to prevent and spot command-and-control activities. Incoming traffic is not the only one the security team should monitor, the outgoing one is equally important.
Malicious encryption of network communication, which usually happens through DNS tunneling, and traffic to unusual destinations are two examples of suspicious activities that a professional security solution can spot and block. Automated beaconing on nonstandard ports and protocols should also be blocked.
Heimdal`s Threat Prevention – Endpoint solution is based on the DarkLayer Guardv engine, which is currently the world’s most advanced endpoint DNS threat hunting tool. This cutting-edge technology enables any company`s security team to spot processes, users, URLs, and attacker origins that might infiltrate your network.
The product also integrates the VectorN Detection AI-based traffic pattern recognition engine. Its users can easily discover hidden malware, complete autonomous of code and signatures.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube for more cybersecurity news and topics.
If you liked this post, you will enjoy our newsletter.Get cybersecurity updates you\’ll actually want to read directly in your inbox.