Encrypted Channel: Asymmetric Cryptography, Sub-technique T1573.002 - Enterprise
adbupd contains a copy of the OpenSSL library to encrypt C2 traffic.[1]
A variant of ADVSTORESHELL encrypts some C2 with RSA.[2]
APT41 DUST used HTTPS for command and control.[3]
APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS.[4]
Attor's Blowfish key is encrypted with a public RSA key.[5]
BADHATCH can beacon to a hardcoded C2 IP address using TLS encryption every 5 minutes.[6]
Bazar can use TLS in C2 communications.[7]
BISCUIT uses SSL for encrypting C2 communications.[8]
BOLDMOVE uses the WolfSSL library to implement SSL encryption for command and control communication.[9]
BRICKSTORM has communicated with C2 infrastructure via TLS.[10][11][12][13]
During C0021, the threat actors used SSL via TCP port 443 for C2 communications.[14]
Carbon has used RSA encryption for C2 communications.[15]
CASTLETAP can initiate a C2 connection over an SSL socket.[16]
CHOPSTICK encrypts C2 communications with TLS.[17]
COATHANGER connects to command and control infrastructure using SSL.[18]
Cobalt Group has used the Plink utility to create SSH tunnels.[19]
Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server.[20]
ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.[21][22]
Covenant can utilize SSL to encrypt command and control traffic.[23]
Cyclops Blink can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.[24]
DarkWatchman can use TLS to encrypt its C2 channel.[25]
DCRAT can use certificate-based authentication for C2 servers.[26]
Doki has used the embedTLS library for network communications.[27]
Dridex has encrypted traffic with RSA.[28]
Empire can use TLS to encrypt its C2 channel.[29]
FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[30]
FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.[31]
FRP can be configured to only accept TLS connections.[32]
Gazer uses custom encryption for C2 that uses RSA.[33][34]
GoldMax has RSA-encrypted its communication with the C2 server.[35]
Gomir uses reverse proxy functionality that employs SSL to encrypt communications.[36]
Grandoreiro can use SSL in C2 communication.[37]
GreyEnergy encrypts communications using RSA-2048.[38]
GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.[39]
Hi-Zor encrypts C2 traffic with TLS.[40]
HiddenFace can use RSA-2048 in addition to symmetric algorithms in C2.[41]
IcedID has used SSL and TLS in communications with C2.[42][43]
During Indian Critical Infrastructure Intrusions, RedEcho used SSL for network communication.[44]
J-magic can connect back over SSL to send a challenge to C2 infrastructure.[45]
KEYPLUG can use TLS-encrypted WebSocket Protocol (WSS) for C2.[46]
Koadic can use SSL and TLS for communications.[47]
Kobalos's authentication and key exchange are performed using RSA-512.[48][49]
LAMEHUG can use SSH to transfer information to C2.[50]
LITTLELAMB.WOOLTEA can communicate over SSL using the private key from the Ivanti Connect Secure web server.[51]
Lumma Stealer has used HTTPS for command and control purposes.[52]
LunarWeb can send short C2 commands, up to 512 bytes, encrypted with RSA-4096.[53]
Machete has used TLS-encrypted FTP to exfiltrate data.[54]
Mango can use TLS to encrypt C2 communications.[55]
Medusa Group has used HTTPS for command and control.[56]
Metamorfo's C2 communication has been encrypted using OpenSSL.[57]
Mispadu contains a copy of the OpenSSL library to encrypt C2 traffic.[58]
Mythic supports SSL encrypted C2.[59]
NICECURL has used HTTPS for C2 communications.[4]
OilBooster can use the OpenSSL library to encrypt C2 communications.[60]
OilRig used the PowerExchange utility and other tools to create tunnels to C2 servers.[61]
During Operation Wocao, threat actors' proxy implementation "Agent" upgraded the socket in use to a TLS socket.[62]
Pay2Key has used RSA encrypted communications with C2.[63]
Penquin can encrypt communications using the Blowfish algorithm with a symmetric key exchanged via Diffie-Hellman.[64]
PITSTOP has the ability to communicate over TLS.[51]
PoetRAT used TLS to encrypt command and control (C2) communications.[65]
POSHSPY encrypts C2 traffic with AES and RSA.[66]
POWERSTATS has encrypted C2 traffic with RSA.[67]
Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.[68]
PureCrypter can send a TLS 1.2 encrypted infection message via Discord webhook.[69]
RedCurl has used HTTPS for C2 communication.[70][71]
RedEcho uses SSL for network communication.[44]
Remcos can use TLS to encrypt C2 communication.[72]
REPTILE can use TLS over raw TCP for secure C2.[73][16]
REvil has encrypted C2 communications with the ECIES algorithm.[74]
Rising Sun variants can use SSL for encrypting C2 communications.[75]
Sagerunex uses HTTPS for command and control communication.[76]
Sardonic can generate a random 64-byte RC4 key for communication with actor-controlled C2 servers and send it encrypted with an RSA public key.[77]
ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.[78]
Sliver can use mutual TLS and RSA cryptography to exchange a session key.[79][80][81][82][83]
Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.[84]
SnappyTCP can use OpenSSL and TLS certificates to encrypt traffic.[85]
SodaMaster can use a hardcoded RSA key to encrypt some of its C2 traffic.[86]
SombRAT can encrypt C2 traffic with SSL.[87][88][89]
StrongPity has encrypted C2 traffic using SSL/TLS.[90]
Sykipot uses SSL for encrypting C2 communications.[91]
TA2541 has used TLS encrypted C2 communications including for campaigns using AsyncRAT.[92]
TinyTurla has the ability to encrypt C2 traffic with SSL/TLS.[93]
Tor encapsulates traffic in multiple layers of encryption, using TLS by default.[94]
Trojan.Karagany can secure C2 communications with SSL and TLS.[95]
Tropic Trooper has used SSL to connect to C2 servers.[96][97]
Uroburos has used a combination of a Diffie-Hellman key exchange mixed with a pre-shared key (PSK) to encrypt its top layer of C2 communications.[98]
Velvet Ant has used a reverse SSH shell to securely communicate with victim devices.[99]
Versa Director Zero Day Exploitation used HTTPS for command and control of compromised Versa Director servers.[100]
Some Volgmer variants use SSL to encrypt C2 communications.[101]
WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.[102]
WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.[103][104]
WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.[105][106][107][104]
Woody RAT can use RSA-4096 to encrypt data sent to its C2 server.[108]
XTunnel uses SSL/TLS and RC4 to encrypt traffic.[109][17]
Zebrocy uses SSL and AES ECB for encrypting C2 communications.[110][111][112]