| ID | Name |
|---|---|
| T1481.001 | Dead Drop Resolver |
| T1481.002 | Bidirectional Communication |
| T1481.003 | One-Way Communication |
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).
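As an added illustration (not code from ATT&CK or from any malware family listed on this page), the following Python models both halves of a dead drop resolver: the operator obfuscates a C2 URL with a repeating-key XOR, base64-encodes it and wraps it in marker strings inside otherwise innocuous post text; the implant fetches the post, locates the markers and decodes the pointer, skipping tokens that do not decode. The marker strings, the key, the encoding scheme and the sample post are all constructed assumptions for this example.

```python
import base64
import re

# Hypothetical scheme: markers, XOR key and encoding are assumptions for this example,
# not the format used by any malware named on this page.
START_MARKER = "[[a]]"
END_MARKER = "[[/a]]"
XOR_KEY = b"k3y"
TOKEN_RE = re.compile(re.escape(START_MARKER) + r"([A-Za-z0-9+/=]+)" + re.escape(END_MARKER))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_resolver_token(c2: str, key: bytes = XOR_KEY) -> str:
    """Operator side: obfuscate a C2 URL and wrap it for posting on a public page."""
    blob = base64.b64encode(xor_bytes(c2.encode(), key)).decode()
    return f"{START_MARKER}{blob}{END_MARKER}"


def extract_c2(page_text: str, key: bytes = XOR_KEY) -> list:
    """Implant side: pull every marker-delimited token out of fetched page text and
    decode it in order; malformed tokens are skipped rather than crashing the implant."""
    found = []
    for match in TOKEN_RE.finditer(page_text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.append(xor_bytes(raw, key).decode("utf-8", errors="replace"))
    return found


# Constructed stand-in for a fetched blog post (the implant would GET this over TLS).
# The primary and backup pointers sit in the body; the last token is deliberately broken.
SAMPLE_POST = (
    "<p>Weekend hiking photos, more soon. "
    + encode_resolver_token("https://203.0.113.7:8443/gate")
    + " "
    + encode_resolver_token("https://backup.invalid/gate")
    + "</p><p>[[a]]abc[[/a]]</p>"
)
```

The decoded list preserves the order of appearance, so an implant can treat the first entry as primary and the rest as fallbacks, which is the resiliency property the description refers to: rotating infrastructure only requires editing the post. Binary analysis of the implant yields the marker format and key but not the current C2, which is why the resolver content itself is what a defender needs to capture.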
| ID | Name | Description |
|---|---|---|
| S1214 | Android/SpyAgent | Android/SpyAgent has used the Tencent Push Notification Service to receive commands from the C2 server.[1] |
| S0310 | ANDROIDOS_ANSERVER.A | ANDROIDOS_ANSERVER.A uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.[2] |
| S0422 | Anubis | Anubis can retrieve the C2 address from Twitter and Telegram.[3][4] |
| S0539 | Red Alert 2.0 | Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.[5] |
| S0318 | XLoader for Android | XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.[6] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0617 | Detection of Dead Drop Resolver | AN1675 | The defender correlates an app-attributed request to a legitimate public web platform with a subsequent outbound connection to a newly derived or previously unseen destination within a short time window. The behavior is strengthened when the initial request retrieves structured or encoded content followed by a pivot to a different domain or IP that was not previously contacted by the app, especially when occurring without user interaction, in background state, or immediately after app initialization or scheduled execution. This sequence reflects resolver retrieval followed by dynamic C2 resolution. |
| DET0617 | Detection of Dead Drop Resolver | AN1676 | The defender correlates a supervised-device or managed-app request to a legitimate web platform with a subsequent connection to a newly derived destination that is not part of the expected service interaction. Because iOS has weaker app-level telemetry, the strongest signal is a network-level sequence where a request to a known public platform is immediately followed by a connection to a different domain or IP, particularly when the device is locked, no recent user interaction occurred, and the bundle is not expected to interact with such downstream infrastructure. |
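The correlation that AN1675 and AN1676 describe, as an added example that is not part of the ATT&CK detection content: a platform request is paired with the same app's next connection to a destination absent from that app's historical baseline, provided it falls inside a short window, and the pair is marked as stronger when neither leg happened in the foreground. The platform list, the 30-second window, the app identifiers and every flow record below are constructed assumptions; a real deployment would feed this from OS network attribution (per-app on Android, per-device where iOS attribution is unavailable).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    app: str          # package or bundle id the OS attributes the socket to
    dst: str          # destination hostname or IP
    foreground: bool  # whether the app had UI focus when the connection was made


# Public platforms the page names as dead-drop hosts; list and window are assumptions.
PUBLIC_PLATFORMS = {"twitter.com", "api.twitter.com", "t.me",
                    "instagram.com", "tumblr.com", "blogspot.com"}
PIVOT_WINDOW = timedelta(seconds=30)


def build_baseline(flows, before):
    """Destinations each app contacted before `before`; these count as 'previously seen'."""
    seen = {}
    for f in flows:
        if f.ts < before:
            seen.setdefault(f.app, set()).add(f.dst)
    return seen


def find_resolver_pivots(flows, baseline, window=PIVOT_WINDOW):
    """Flag a request to a public platform that is followed, within `window`, by the
    same app opening a connection to a destination it has never contacted before."""
    ordered = sorted(flows, key=lambda f: f.ts)
    known = {app: set(dsts) for app, dsts in baseline.items()}
    alerts = []
    for i, first in enumerate(ordered):
        if first.dst not in PUBLIC_PLATFORMS:
            continue
        for later in ordered[i + 1:]:
            if later.ts - first.ts > window:
                break  # flows are time-ordered, nothing further can pair
            if (later.app != first.app or later.dst in PUBLIC_PLATFORMS
                    or later.dst in known.get(later.app, set())):
                continue
            alerts.append({
                "app": first.app,
                "resolver": first.dst,
                "pivot": later.dst,
                "delta_s": (later.ts - first.ts).total_seconds(),
                # no UI focus on either leg strengthens the signal (AN1675/AN1676)
                "background": not first.foreground and not later.foreground,
            })
            known.setdefault(later.app, set()).add(later.dst)  # alert once per new destination
            break
    return alerts


T0 = datetime(2024, 5, 1, 9, 0, 0)
HISTORY = [  # constructed earlier traffic, used only to build the baseline
    Flow(T0 - timedelta(days=2), "com.example.weather", "api.weather.example", True),
    Flow(T0 - timedelta(days=2), "com.example.weather", "twitter.com", True),
    Flow(T0 - timedelta(days=1), "com.example.social", "twitter.com", True),
    Flow(T0 - timedelta(days=1), "com.example.social", "cdn.social.example", True),
]
TODAY = [  # constructed flows under analysis
    # benign: a social app reads twitter.com, then its usual CDN
    Flow(T0, "com.example.social", "twitter.com", True),
    Flow(T0 + timedelta(seconds=2), "com.example.social", "cdn.social.example", True),
    # suspicious: a weather app, in the background, reads twitter.com then contacts an IP it never has
    Flow(T0 + timedelta(minutes=5), "com.example.weather", "twitter.com", False),
    Flow(T0 + timedelta(minutes=5, seconds=4), "com.example.weather", "203.0.113.7", False),
    # same app, but the new destination comes minutes later: outside the window, not paired
    Flow(T0 + timedelta(minutes=20), "com.example.weather", "twitter.com", False),
    Flow(T0 + timedelta(minutes=25), "com.example.weather", "198.51.100.9", False),
]


def run_example():
    baseline = build_baseline(HISTORY, before=T0)
    return find_resolver_pivots(TODAY, baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Only the weather app's sequence is flagged: the social app's follow-on connection is in its baseline, and the weather app's later new destination falls outside the window. Two caveats a practitioner should expect: a legitimate app that adds a new CDN right after a platform call produces the same pair, so the window and the background flag are tuning knobs rather than proof, and the 198.51.100.9 connection is still a new destination worth a lower-severity "first contact" alert on its own even though it was not paired here.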