As encryption is growing, hackers are using it to hide from being detected by the current detection platforms. We see an increase in the number of sophisticated attacks that can not be detected by organisations. In the start of 2020, Chinese hackers used a very smart command and control hidden on internet storage software, the campaign used Dropbox to hide the communication. Cozy bear, the Russian hackers, also used the same techniques to hide and distribute their malware end of 2019.
From the malware author’s point of view, using a legitimate service to store and host malicious content has several benefits. One is that the legit services, in nearly all cases, use TLS by default, and as a side benefit, the malicious content can stay hidden and the malware distributor doesn’t need to obtain their own TLS certificate for their website.
The malicious use of legitimate services like Pastebin, Dropbox, or other cloud storage services has also tended to grow. In the last six months, 0.8% of the samples we surveyed communicated directly with Pastebin, including Trojans, RATs, and infostealers.
The increasing number of very sophisticated attacks using advanced techniques to hide that are impossible to detect in real time is very worrying for organisations.
A new Approach for Detection
At Barac, we are using a new approach for detecting malware and attacks on encrypted traffic without decryption and we have found a way to detect Command and Control using Man in the middle infrastructure to hide. We use a combination of Metadata combined with machine learning and abnormality detection to be able to detect hidden C&C talking to a man in the middle infrastructure, to do that we use around 200 indicators that we correlate together for high accuracy and low false-positive detection.
Understanding the Context
An important step to identify malware is to understand the context and the type of traffic that an organisation has. For example, at Barac, we have a machine learning model that is able to detect PowerShell with high accuracy. We will write a blog post on how we are able to do that using Magic !
As we work on encrypted traffic without decryption, the main detection is done using metadata information that we correlate using machine learning for accurate detection. Some of those indicators that have high importance are:
|Is_Powershell||Describe if the traffic is PowerShel or not ?||A PowerShell communicating with some of the social media or hosting service is suspicious|
|Bytes_distribution||The bytes distribution of the packets from both the server and the client for the flow||The C&C have a different structure of bytes distribution compared with normal traffic|
|Window_Lenght_Distbution||The Window Length distribution of the packets from both the server and the client for the flow||Window length differ on the flow from a normal connection to a C&C using TLS to hide|
|Packets_Distbution||The packet distribution from both the server and the client for the flow||How the packets are distributed helps in understanding the type of traffic|
|Flow_Size||The Total size of the flow||The size of the flow from both the client and server is important|
|TLS_record / Elliptic Curve||The TLS record version used and the elliptic curve used||The TLS record and the Elliptic curve can give an indicator about a C&C connecting|
For more information, please don’t hesitate to send to: firstname.lastname@example.org