Command-and-control Malware Traffic Playbook

Malicious actors operate command-and-control (C&C/C2) servers to interact with their victims’ computers. These C2 servers are intended to instruct the compromised PCs to do undesired things, such as stealing the user’s passwords, encrypting the files for ransom or attacking other computers on the network.

One of the major threats today, ransomware (Cryptolocker, Locky, Petya), also relies on C2 services for generating and storing the file encryption/decryption keys. Similarly, banking Trojans (Zeus, Dridex, Shifu) also use remote servers to collect personal and financial data from their victims.

For keeping the communication between the compromised assets and the C2 server under the radar, a covert channel needs to be established. Although different protocols can be used (e.g. IRC, DNS, ICMP), the most common one is HTTP(S). Web-based C2 channels, disguised as a browsing activity, can nicely blend into the general HTTP traffic on any infrastructure.

Because the mere presence of a covert channel is a tell-tale sign of a compromise, it makes C2 traffic an ideal candidate for identifying any affected PC. This article gives an overview of the C2 traffic identification techniques first, then discusses the common remediation strategies powered by playbooks.