# T1102.002 Bidirectional Communication

-----------------------------------------------------------------------

## Technique Description

Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document hosted on a Web service, or sending a Tweet.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. 

## Technique Detection

Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Network Traffic:** Network Connection Creation

  * **Network Traffic:** Network Traffic Content

  * **Network Traffic:** Network Traffic Flow

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used Dropbox for C2 allowing upload and download of files as well as execution of arbitrary commands.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used Blogspot pages for C2.(Citation: Talos Kimsuky Nov 2021)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has communicated with C2 through files uploaded to and downloaded from DropBox.(Citation: BitDefender Chafer May 2020)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used web services including OneHub to distribute remote access tools.(Citation: Anomali Static Kitten February 2021)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware can use a SOAP Web service to communicate with its C2 server.(Citation: Unit 42 Magic Hound Feb 2017)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.(Citation: FireEye FIN7 Aug 2018)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. [Sandworm Team](https://attack.mitre.org/groups/G0034) also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.(Citation: Lazarus APT January 2022)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used social media platforms to hide communications to C2 servers.(Citation: ESET Dukes October 2019)| 
| Turla | A [Turla](https://attack.mitre.org/groups/G0010) JavaScript backdoor has used Google Apps Script as its C2 server.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)| 
| Carbanak | [Carbanak](https://attack.mitre.org/groups/G0008) has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.(Citation: Forcepoint Carbanak Google C2)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used Google Drive for C2.(Citation: TrendMicro Pawn Storm Dec 2020)| 
| APT12 | [APT12](https://attack.mitre.org/groups/G0005) has used blogs and WordPress for C2 infrastructure.(Citation: Meyers Numbered Panda)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1102/002)

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 8 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, SSgt Sengsouriya Kapkeo, CTR Emily Porras

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use web services for command and control to obfuscate their network activity in normal traffic.
- Turla will utilize Google Apps Script as the C2 server for its JavaScript backdoor.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla | X | 1, 2 |
| APT29 | X | 4 |


## Detection Blindspots

- Sensor placement may not allow for detection of this TTP if sensor is not seeing the required traffic.
- Encrypted traffic may not allow for analysis of the traffic payload. Close attention should be paid to the connection metadata instead.
- The host network may be using Google Apps Script or Google Docs legitimately, and that traffic is typically encrypted as well.

## Analytical References

  * [Turla Dropbox](https://olhardigital.com.br/en/2020/12/04/seguranca/grupo-hacker-russo-turla-armazenava-dados-roubados-no-dropbox/?gfetch=2020%2F12%2F04%2Fseguranca%2Fgrupo-hacker-russo-turla-armazenava-dados-roubados-no-dropbox%2F)
  * [Turla Instagram](https://www.securityweek.com/turla-malware-obtains-cc-address-instagram-comments)
  * [Turla Javascript](https://securelist.com/kopiluwak-a-new-javascript-payload-from-turla/77429/)
  * [Operation Ghost Dukes](https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf)
  * [ESET Turla Mosquito 2018 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf)
  * [Turla Mosquito - Shift Towards Generic Tools 2018 (welivesecurity)](https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Three files with the same name but different extensions (.tlb, .pdb and .tnl) in a folder under %APPDATA% can be a Turla indicator.
- %APPDATA%\kb6867.bin (simplified log file) is also another indicator of Turla's presence. This is an example and should be modified. IOCs are not playbooks.

| Information | Tool | Pseudo code |
|----|----|----|
| Detect client backdoor/Install | Live Boot | `[System.IO.Directory]::GetFiles("\\.\pipe\") \| findstr flashplayer28_xa_install.exe` |
| Detect client backdoor/Install | Autopsy | SHA1: 114c1585f1ca2878a187f1ce7079154cc60db7f5 |
| Detect client backdoor/Install | Volatility | `strings <file> \| grep \\pipe\\flashplayer` |
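The two file-system indicators in the hunter notes above (the same-name .tlb/.pdb/.tnl triplet and the simplified log file) as a check over a file listing. This is an added example, not playbook or Turla-report code; the function names, the constructed sample paths and the use of `%APPDATA%` as the walk root are assumptions.

```python
import os
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions from the hunter note: one stem with all three in the same folder is the indicator.
TRIPLET_EXTS = {".tlb", ".pdb", ".tnl"}
# Simplified log file name from the hunter note (an example indicator, to be adjusted per hunt).
LOG_FILE_NAME = "kb6867.bin"


def find_triplets(paths):
    """Group paths by (folder, stem) and return the pairs whose extensions cover all of TRIPLET_EXTS."""
    seen = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        seen[(str(wp.parent).lower(), wp.stem.lower())].add(wp.suffix.lower())
    return sorted(key for key, exts in seen.items() if TRIPLET_EXTS <= exts)


def find_log_file(paths):
    """Return paths whose file name matches the simplified log file indicator (case-insensitive)."""
    return sorted(p for p in paths if PureWindowsPath(p).name.lower() == LOG_FILE_NAME)


def scan_appdata(root=None):
    """Walk %APPDATA% (or another root) and return (triplets, log files) found there."""
    root = root or os.environ.get("APPDATA", "")
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return find_triplets(paths), find_log_file(paths)


# Constructed listing (not a real system): only the "xyz" stem under Abc is a full triplet.
SAMPLE_PATHS = [
    r"C:\Users\u\AppData\Roaming\Abc\xyz.tlb",
    r"C:\Users\u\AppData\Roaming\Abc\xyz.pdb",
    r"C:\Users\u\AppData\Roaming\Abc\xyz.TNL",
    r"C:\Users\u\AppData\Roaming\Abc\other.tlb",
    r"C:\Users\u\AppData\Roaming\Abc\other.pdb",
    r"C:\Users\u\AppData\Roaming\Def\xyz.tnl",
    r"C:\Users\u\AppData\Roaming\kb6867.bin",
]

if __name__ == "__main__":
    print(find_triplets(SAMPLE_PATHS), find_log_file(SAMPLE_PATHS))
```

On a live host, `scan_appdata()` with no argument walks the current user's `%APPDATA%`; a `.pdb` on its own is common (debug symbols), which is why the check requires all three extensions for one stem.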

#### Analytic 1

  * **Information:** Information here.

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** Notes here

  * **Kibana Query:** `Query here`


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- **_<span style="color:red">(Cthulhu) Priority of this technique should be broad C2. Focus the hunt specifically on non-HTTP(S) communications. Turla is known to utilize non-HTTP protocols.</span>_**
- Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption.
- Packet capture analysis will require SSL/TLS inspection if data is encrypted.
- Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
- User behavior monitoring may help to detect abnormal patterns of activity.
- In 2018 Turla was using a hard coded user agent, "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36". This may have been modified to assist in blending in with network traffic.

#### Analytic 1 (Turla)

  * **Information:** Identify possible use of external web services.

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Modify query for possible use of external services being seen on the network. Turla is known to utilize common services such as Google, Dropbox, OneDrive, etc.

  * **Arkime Query:** `http.uri == [*drive.google*, *script.google*]`
  * **Kibana Query:** `http.host: *drive.google* or http.host: *script.google*`

#### Analytic 2 (Turla)

  * **Information:** Attempt to identify possible known URL structure used by Turla in the past.

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Modify the query as needed for traffic identified across the network. Look for URIs that contain `.php` extensions and the Google Apps Script `/macros/s` path.

  * **Arkime Query:** `http.uri == [*/scripts/m/query.php?id*, *script.google.com/macros/s*]`
  
  * **Kibana Query:** `http.uri: */scripts/m/query.php?id* or http.uri: *script.google.com/macros/s*`

#### Analytic 3

  * **Information:** Identify any successful HTTP GET or POST requests going to an external destination.

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Filtering out known good (e.g. Microsoft and McAfee) will help scope down the normal traffic.

  * **Arkime Query:** `http.method == [GET, POST] && http.statuscode == 200 && ip.dst != [10/8, 192.168/16, 172.16/12]`

  * **Kibana Query <span style="color:red">(Filter out internal IPs)</span>:** `(http.method: "GET" or http.method: "POST") and http.statuscode: "200"`

#### Analytic 4

  * **Information:** Identify use of social media platforms to hide communications to C2 servers

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:** Modify URIs as needed; common social media platforms may vary by location.

  * **Arkime Query:** `http.uri == [*twitter*, *facebook*, *reddit*]`

  * **Kibana Query:** `http.host : *twitter* or http.host : *facebook* or http.host : *reddit*`
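The network hunter notes (uncommon upload-heavy flows, the hard-coded Turla user agent) and the host and URI patterns of Analytics 1, 2 and 4, applied together to HTTP session records so that a session matching several of them sorts to the top. This is an added example, not playbook or Arkime code; the JSON field names, the 5:1 upload ratio threshold and the sample sessions are constructed assumptions.

```python
import fnmatch
import json

# Hard-coded user agent quoted in the hunter notes above.
TURLA_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36")
# Host patterns from Analytics 1 and 4, URI patterns from Analytic 2 (shell-style wildcards).
HOST_PATTERNS = ["*drive.google*", "*script.google*", "*twitter*", "*facebook*", "*reddit*"]
URI_PATTERNS = ["*/scripts/m/query.php?id*", "*script.google.com/macros/s*"]
UPLOAD_RATIO = 5.0  # "client sends significantly more than it receives"; threshold is an assumption

# Constructed JSON-lines session records; field names are assumptions, not Arkime's schema.
SAMPLE_SESSIONS = """
{"src": "10.0.0.5", "host": "script.google.com", "uri": "/macros/s/PLACEHOLDER_ID/exec", "user_agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36", "bytes_out": 52000, "bytes_in": 900}
{"src": "10.0.0.7", "host": "www.microsoft.com", "uri": "/en-us/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/102.0", "bytes_out": 800, "bytes_in": 45000}
{"src": "10.0.0.9", "host": "drive.google.com", "uri": "/file/d/PLACEHOLDER/view", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/102.0", "bytes_out": 1200, "bytes_in": 300000}
{"src": "10.0.0.9", "host": "twitter.com", "uri": "/i/api/2/timeline", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/102.0", "bytes_out": 400, "bytes_in": 20000}
"""


def hunt(rec):
    """Return the hunt reasons one HTTP session matches; an empty list means nothing to see."""
    host = rec["host"].lower()
    reasons = []
    if any(fnmatch.fnmatchcase(host, p) for p in HOST_PATTERNS):
        reasons.append("external web service host (Analytics 1/4)")
    if any(fnmatch.fnmatchcase(host + rec["uri"], p) for p in URI_PATTERNS):
        reasons.append("known Turla URI structure (Analytic 2)")
    if rec.get("user_agent") == TURLA_UA:
        reasons.append("hard-coded Turla user agent")
    if rec["bytes_in"] > 0 and rec["bytes_out"] / rec["bytes_in"] >= UPLOAD_RATIO:
        reasons.append("client uploads %.0fx what it downloads" % (rec["bytes_out"] / rec["bytes_in"]))
    return reasons


def hunt_sessions(text):
    """Run hunt() over JSON-lines sessions; return (src, url, reasons) tuples, strongest hits first."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            reasons = hunt(rec)
            if reasons:
                hits.append((rec["src"], rec["host"] + rec["uri"], reasons))
    return sorted(hits, key=lambda h: len(h[2]), reverse=True)


if __name__ == "__main__":
    for src, url, reasons in hunt_sessions(SAMPLE_SESSIONS):
        print(src, url, "->", "; ".join(reasons))
```

A single host-pattern hit (the `drive.google.com` download here) is the legitimate-use blindspot noted above; the upload ratio and the user agent are what separate the first session from it.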