Backdoors are an essential part of targeted attacks, as they allow an external threat actor to exercise control over any compromised machines. These allow the threat actor to collect information and move laterally within the targeted organization.
Our investigations into various targeted attacks have shown that backdoors use a wide variety of tactics to carry out their routines and to remain undetected by network administrators and security products. Over time, these techniques have evolved as more sophisticated defenses have become available to network administrators.
Initially, all an attacker needed to connect to a compromised machine was an open TCP/IP port. However, as firewalls became more commonplace, other techniques became necessary. Techniques evolved so that the compromised client initiated the connection to the attacker's server, since blocking outbound traffic was, initially, less common.
Over time, as the possible defenses have become more sophisticated, so have the techniques in use. For example, publicly available blogs have become command-and-control (C&C) servers of a sort:
Figure 1. Blog used for command and control
This free “blog” contains ciphertext that, when decrypted by the backdoor, reveals the actual C&C servers. Using free services for C&C functions is not new; we noted just recently how Dropbox was being used in a similar way.
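A defender-side check for the pattern just described, as an added example that is not from this post or the paper: it scans constructed proxy log lines for a client polling one host at a near-constant interval (the dead-drop read) and lists the hosts that client contacts right after each poll, which is where the decrypted C&C address would surface. The log format, hostnames and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (assumption, not data from the post):
# "<timestamp> <client_ip> <destination_host> <bytes_received>"
SAMPLE_LOG = """\
2014-09-01T08:00:00 10.0.0.5 notes-free-blog.example 412
2014-09-01T08:10:01 10.0.0.5 notes-free-blog.example 410
2014-09-01T08:20:00 10.0.0.5 notes-free-blog.example 411
2014-09-01T08:30:02 10.0.0.5 notes-free-blog.example 409
2014-09-01T08:31:00 10.0.0.5 198.51.100.7 15200
2014-09-01T08:03:17 10.0.0.9 intranet.example 8800
2014-09-01T08:47:42 10.0.0.9 intranet.example 2300
"""

def parse_log(text):
    """Return (timestamp, client, host, size) tuples sorted by time."""
    recs = []
    for line in text.splitlines():
        ts, client, host, size = line.split()
        recs.append((datetime.fromisoformat(ts), client, host, int(size)))
    return sorted(recs)

def find_beacons(recs, min_hits=4, max_jitter=0.05):
    """Return {(client, host): mean interval in s} for near-constant polling."""
    times = defaultdict(list)
    for ts, client, host, _ in recs:
        times[(client, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        # Low relative spread of the gaps is the beaconing signal
        if avg > 0 and pstdev(deltas) / avg <= max_jitter:
            beacons[key] = avg
    return beacons

def followup_hosts(recs, beacons, window_s=300):
    """For each beaconing client, list other hosts it contacted shortly after
    a poll: with a dead-drop blog, that is where the real C&C may appear."""
    out = {}
    for client, blog in beacons:
        polls = [ts for ts, c, h, _ in recs if c == client and h == blog]
        hits = {h for ts, c, h, _ in recs if c == client and h != blog
                and any(0 <= (ts - p).total_seconds() <= window_s for p in polls)}
        out[(client, blog)] = sorted(hits)
    return out
```

Run `followup_hosts(recs, find_beacons(recs))` on parsed logs; the real-world tuning point is `max_jitter`, since some backdoors randomize their sleep.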
This paper, titled Backdoor Use in Targeted Attacks, is based on the experience we have gathered in investigating various targeted attacks. It details some of the techniques we've seen in use to connect backdoors with their C&C servers. In addition, it provides IT administrators with accepted best practices to help prevent these techniques from taking root in their organizations. Other resources to help deal with targeted attacks can be found in our Threat Intelligence Resources on Targeted Attacks.