

SombRAT has the ability to use an embedded SOCKS proxy in C2 communications.
SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2.
Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.
Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.
RainyDay can use proxy tools including boost_proxy_client for reverse proxy functionality.
QuasarRAT can communicate over a reverse proxy using SOCKS5.
PoshC2 contains modules that allow for use of proxies in command and control.
POLONIUM has used the AirVPN service for operational activity.
PLEAD has the ability to proxy network communications.
During Operation Wocao, threat actors used a custom proxy tool called "Agent" which has support for multiple hops.

For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location.
Ngrok can be used to proxy connections to machines located behind NAT or firewalls.
NETWIRE can implement use of proxies to pivot traffic.
Netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.
LAPSUS$ has leveraged NordVPN for its egress points when targeting intended victims.
KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet.
Kessel can use a proxy during exfiltration if set in the configuration.
HTRAN can proxy TCP socket connections to obfuscate command and control infrastructure.
HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators.
HARDRAIN uses the command cmd.exe /c netsh firewall add portopening TCP 443 "adp" and makes the victim machine function as a proxy server.
Green Lambert can use proxies for C2 traffic.
FunnyDream can identify and use configured proxies in a compromised network for C2 communication.
Fox Kitten has used open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.
Earth Lusca adopted Cloudflare as a proxy for compromised servers.
Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.
Dridex contains a backconnect module for tunneling network traffic through a victim's computer.
CopyKittens has used the AirVPN service for operational activity.
Blue Mockingbird has used frp, ssf, and Venom to establish SOCKS proxy connections.
Bisonal has supported use of a proxy server.
BADCALL functions as a proxy server between the victim and C2 server.
AuditCred can utilize proxy for communications.
Aria-body has the ability to use a reverse SOCKS proxy module.
APT41 used a tool called CLASSFON to covertly proxy network communications.
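Several of the entries above leave host-side artefacts that a detection engineer can key on: HARDRAIN's netsh firewall add portopening command, Netsh port-proxy tunnels, Ngrok and Invoke-Ngrok exposing local ports, and the frp/ssf/Venom/HTRAN family of reverse-proxy binaries used by Blue Mockingbird, Fox Kitten and others. The example below is added here and is not code from the page or from any of the listed tools or groups; it runs a small rule set over process-creation records to flag internal-proxy setup. The log lines are constructed samples in a simplified "timestamp|host|user|image|command line" layout (an assumption, not a real telemetry format), the hostnames and users are invented, and the final ssh -R rule goes beyond the page to cover the same behaviour done with an SSH reverse forward.

```python
"""Flag process-creation records that look like internal-proxy setup.

Added example, not part of the original page. The record layout
'timestamp|host|user|image|command line' and the SAMPLE_LOG contents are
constructed for this demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    severity: str
    cmdline: str


# (rule name, pattern applied to the command line, severity).
# Matching on the command line rather than the image catches
# "cmd.exe /c netsh ..." as well as a direct netsh.exe launch.
RULES = [
    # netsh interface portproxy add v4tov4 ... : a local TCP relay
    ("netsh_portproxy",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I), "high"),
    # the legacy firewall syntax HARDRAIN uses to open the proxy port
    ("netsh_firewall_portopening",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\s+add\s+portopening\b", re.I), "medium"),
    # ngrok tcp/http tunnels and the Invoke-Ngrok wrapper used by KOCTOPUS
    ("ngrok_tunnel",
     re.compile(r"(?:\bngrok(?:\.exe)?\s+(?:tcp|http|tunnel|start)\b|Invoke-Ngrok)", re.I), "high"),
    # reverse-proxy tools named on the page: frp, ssf, Venom, HTRAN
    ("reverse_proxy_tool",
     re.compile(r"\b(?:frpc|frps|ssf|ssfd|venom(?:_agent|_admin)?|htran)(?:\.exe)?\b", re.I), "high"),
    # same behaviour via an SSH reverse forward (assumption: not on the page)
    ("ssh_reverse_forward",
     re.compile(r"\bssh(?:\.exe)?\b.*\s-R\s*\d+:", re.I), "medium"),
]

# Constructed sample records; hosts, users and paths are invented.
SAMPLE_LOG = r"""
2024-03-04T10:01:02Z|WS-042|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c netsh firewall add portopening TCP 443 "adp"
2024-03-04T10:01:09Z|WS-042|CORP\jdoe|C:\Windows\System32\netsh.exe|netsh interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 connectport=443 connectaddress=10.10.5.20
2024-03-04T10:03:44Z|WS-017|CORP\svc_build|C:\Users\Public\ngrok.exe|ngrok.exe tcp 3389
2024-03-04T10:05:00Z|SRV-DB1|NT AUTHORITY\SYSTEM|C:\ProgramData\frpc.exe|frpc.exe -c frpc.ini
2024-03-04T10:06:10Z|WS-042|CORP\jdoe|C:\Windows\System32\netsh.exe|netsh wlan show profiles
2024-03-04T10:07:30Z|WS-099|CORP\asmith|C:\Program Files\Git\usr\bin\ssh.exe|ssh -R 2222:localhost:22 user@198.51.100.7
"""


def parse_line(line: str):
    """Split one 'ts|host|user|image|cmdline' record; None for malformed or blank lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return tuple(p.strip() for p in parts)


def scan(log_text: str) -> list:
    """Return one Finding per (record, matching rule)."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec[4]:
            continue
        ts, host, user, _image, cmdline = rec
        for name, pattern, severity in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(ts, host, user, name, severity, cmdline))
    return findings


def hosts_by_severity(findings, level: str = "high") -> set:
    """Hosts that produced at least one finding at the given severity."""
    return {f.host for f in findings if f.severity == level}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:26} {f.host:8} {f.user:20} {f.cmdline}")
```

The benign "netsh wlan show profiles" record produces no finding, which is the point of matching on the portproxy and firewall subcommands rather than on netsh.exe itself. In production the rules would be fed from the process-creation source actually in use (Sysmon event 1 or Windows 4688 with command-line auditing) and the ssh -R rule tuned against legitimate administrative use.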
