Encrypted Channel: Asymmetric Cryptography

ID Name
T1573.001 Symmetric Cryptography
T1573.002 Asymmetric Cryptography

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public key that can be freely distributed, and one private key that is kept secret. Because of the mathematical relationship between the two keys, the sender encrypts data with the receiver’s public key and only the receiver can decrypt it with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.

For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as Asymmetric Cryptography.

ID: T1573.002
Sub-technique of: T1573
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Version: 1.2
Created: 16 March 2020
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
S0202 adbupd

adbupd contains a copy of the OpenSSL library to encrypt C2 traffic.[1]

S0045 ADVSTORESHELL

A variant of ADVSTORESHELL encrypts some C2 with RSA.[2]

C0040 APT41 DUST

APT41 DUST used HTTPS for command and control.[3]

G1044 APT42

APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS.[4]

S0438 Attor

Attor's Blowfish key is encrypted with a public RSA key.[5]

S1081 BADHATCH

BADHATCH can beacon to a hardcoded C2 IP address using TLS encryption every 5 minutes.[6]

S0534 Bazar

Bazar can use TLS in C2 communications.[7]

S0017 BISCUIT

BISCUIT uses SSL for encrypting C2 communications.[8]

S1184 BOLDMOVE

BOLDMOVE uses the WolfSSL library to implement SSL encryption for command and control communication.[9]

C0021 C0021

During C0021, the threat actors used SSL via TCP port 443 for C2 communications.[10]

S0335 Carbon

Carbon has used RSA encryption for C2 communications.[11]

S0023 CHOPSTICK

CHOPSTICK encrypts C2 communications with TLS.[12]

S1105 COATHANGER

COATHANGER connects to command and control infrastructure using SSL.[13]

G0080 Cobalt Group

Cobalt Group has used the Plink utility to create SSH tunnels.[14]

S0154 Cobalt Strike

Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server.[15]

S0126 ComRAT

ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.[16][17]

S1155 Covenant

Covenant can utilize SSL to encrypt command and control traffic.[18]

S0687 Cyclops Blink

Cyclops Blink can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key.[19]

S0673 DarkWatchman

DarkWatchman can use TLS to encrypt its C2 channel.[20]

S0600 Doki

Doki has used the embedTLS library for network communications.[21]

S0384 Dridex

Dridex has encrypted traffic with RSA.[22]

S0363 Empire

Empire can use TLS to encrypt its C2 channel.[23]

G0037 FIN6

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[24]

G0061 FIN8

FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.[25]

S1144 FRP

FRP can be configured to only accept TLS connections.[26]

S0168 Gazer

Gazer uses custom encryption for C2 that uses RSA.[27][28]

S0588 GoldMax

GoldMax has RSA-encrypted its communication with the C2 server.[29]

S1198 Gomir

Gomir uses reverse proxy functionality that employs SSL to encrypt communications.[30]

S0531 Grandoreiro

Grandoreiro can use SSL in C2 communication.[31]

S0342 GreyEnergy

GreyEnergy encrypts communications using RSA-2048.[32]

S0632 GrimAgent

GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.[33]

S0087 Hi-Zor

Hi-Zor encrypts C2 traffic with TLS.[34]

S0483 IcedID

IcedID has used SSL and TLS in communications with C2.[35][36]

C0043 Indian Critical Infrastructure Intrusions

During Indian Critical Infrastructure Intrusions, RedEcho used SSL for network communication.[37]

S1203 J-magic

J-magic can send a challenge back to C2 infrastructure over SSL.[38]

S1051 KEYPLUG

KEYPLUG can use TLS-encrypted WebSocket Protocol (WSS) for C2.[39]

S0250 Koadic

Koadic can use SSL and TLS for communications.[40]

S0641 Kobalos

Kobalos's authentication and key exchange are performed using RSA-512.[41][42]

S1121 LITTLELAMB.WOOLTEA

LITTLELAMB.WOOLTEA can communicate over SSL using the private key from the Ivanti Connect Secure web server.[43]

S1213 Lumma Stealer

Lumma Stealer has used HTTPS for command and control purposes.[44]

S1141 LunarWeb

LunarWeb can send short C2 commands, up to 512 bytes, encrypted with RSA-4096.[45]

S0409 Machete

Machete has used TLS-encrypted FTP to exfiltrate data.[46]

S1169 Mango

Mango can use TLS to encrypt C2 communications.[47]

S0455 Metamorfo

Metamorfo's C2 communication has been encrypted using OpenSSL.[48]

S1122 Mispadu

Mispadu contains a copy of the OpenSSL library to encrypt C2 traffic.[49]

S0699 Mythic

Mythic supports SSL encrypted C2.[50]

S1192 NICECURL

NICECURL has used HTTPS for C2 communications.[4]

S1172 OilBooster

OilBooster can use the OpenSSL library to encrypt C2 communications.[51]

G0049 OilRig

OilRig used the PowerExchange utility and other tools to create tunnels to C2 servers.[52]

C0014 Operation Wocao

During Operation Wocao, threat actors' proxy implementation "Agent" upgraded the socket in use to a TLS socket.[53]

S0556 Pay2Key

Pay2Key has used RSA encrypted communications with C2.[54]

S0587 Penquin

Penquin can encrypt communications using the Blowfish algorithm and a symmetric key exchanged with Diffie-Hellman.[55]

S1123 PITSTOP

PITSTOP has the ability to communicate over TLS.[43]

S0428 PoetRAT

PoetRAT used TLS to encrypt command and control (C2) communications.[56]

S0150 POSHSPY

POSHSPY encrypts C2 traffic with AES and RSA.[57]

S0223 POWERSTATS

POWERSTATS has encrypted C2 traffic with RSA.[58]

S0192 Pupy

Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.[59]

G1039 RedCurl

RedCurl has used HTTPS for C2 communication.[60][61]

G1042 RedEcho

RedEcho uses SSL for network communication.[37]

S0496 REvil

REvil has encrypted C2 communications with the ECIES algorithm.[62]

S0448 Rising Sun

Rising Sun variants can use SSL for encrypting C2 communications.[63]

S1210 Sagerunex

Sagerunex uses HTTPS for command and control communication.[64]

S1085 Sardonic

Sardonic has the ability to send a random 64-byte RC4 key to communicate with actor-controlled C2 servers by using an RSA public key.[65]

S0382 ServHelper

ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP.[66]

S0633 Sliver

Sliver can use mutual TLS and RSA cryptography to exchange a session key.[67][68][69][70][71]

S1035 Small Sieve

Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.[72]

S1163 SnappyTCP

SnappyTCP can use OpenSSL and TLS certificates to encrypt traffic.[73]

S0627 SodaMaster

SodaMaster can use a hardcoded RSA key to encrypt some of its C2 traffic.[74]

S0615 SombRAT

SombRAT can encrypt C2 traffic with SSL.[75][76][77]

S0491 StrongPity

StrongPity has encrypted C2 traffic using SSL/TLS.[78]

S0018 Sykipot

Sykipot uses SSL for encrypting C2 communications.[79]

G1018 TA2541

TA2541 has used TLS-encrypted C2 communications, including for campaigns using AsyncRAT.[80]

S0668 TinyTurla

TinyTurla has the ability to encrypt C2 traffic with SSL/TLS.[81]

S0183 Tor

Tor encapsulates traffic in multiple layers of encryption, using TLS by default.[82]

S0094 Trojan.Karagany

Trojan.Karagany can secure C2 communications with SSL and TLS.[83]

G0081 Tropic Trooper

Tropic Trooper has used SSL to connect to C2 servers.[84][85]

S0022 Uroburos

Uroburos has used a combination of a Diffie-Hellman key exchange mixed with a pre-shared key (PSK) to encrypt its top layer of C2 communications.[86]

G1047 Velvet Ant

Velvet Ant has used a reverse SSH shell to securely communicate with victim devices.[87]

C0039 Versa Director Zero Day Exploitation

Versa Director Zero Day Exploitation used HTTPS for command and control of compromised Versa Director servers.[88]

S0180 Volgmer

Some Volgmer variants use SSL to encrypt C2 communications.[89]

S0366 WannaCry

WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.[90]

S0515 WellMail

WellMail can use hard-coded client and certificate authority certificates to communicate with C2 over mutual TLS.[91][92]

S0514 WellMess

WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.[93][94][95][92]

S1065 Woody RAT

Woody RAT can use RSA-4096 to encrypt data sent to its C2 server.[96]

S0117 XTunnel

XTunnel uses SSL/TLS and RC4 to encrypt traffic.[97][12]

S0251 Zebrocy

Zebrocy uses SSL and AES ECB for encrypting C2 communications.[98][99][100]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

M1020 SSL/TLS Inspection

SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
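One concrete form of the protocol-conformance check described above, written as an added example that is not part of the ATT&CK page: it parses the first bytes a client sent on TCP port 443 and flags flows whose payload is not a well-formed TLS ClientHello (plaintext, a custom protocol, or a record whose lengths contradict each other), which is the kind of anomalous syntax or structure that a custom C2 protocol hidden on a TLS port produces. The flow tuples, addresses and byte strings are constructed for the example.

```python
import struct

TLS_HANDSHAKE = 0x16  # record content type for handshake messages
CLIENT_HELLO = 0x01   # handshake message type
RECORD_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def classify_first_bytes(payload: bytes) -> dict:
    """Judge whether the first bytes a client sent look like a TLS ClientHello.

    Layout checked: 5-byte record header (type, version, length), then the
    4-byte handshake header (type, 24-bit length), then the 2-byte client_version.
    """
    if len(payload) < 11:
        return {"verdict": "short", "reason": "fewer than 11 bytes captured"}
    rec_type, rec_ver, rec_len = struct.unpack("!BHH", payload[:5])
    if rec_type != TLS_HANDSHAKE or rec_ver not in RECORD_VERSIONS:
        return {"verdict": "non-tls", "reason": "record header %s" % payload[:5].hex()}
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != CLIENT_HELLO:
        return {"verdict": "non-tls", "reason": "first handshake message is type %d, not ClientHello" % hs_type}
    if hs_len + 4 != rec_len:  # handshake header (4 bytes) + body must fill the record exactly
        return {"verdict": "malformed", "reason": "handshake length %d does not fit record length %d" % (hs_len, rec_len)}
    client_ver = struct.unpack("!H", payload[9:11])[0]
    return {"verdict": "tls", "record_version": RECORD_VERSIONS[rec_ver],
            "client_version": RECORD_VERSIONS.get(client_ver, hex(client_ver))}


def flag_non_tls_on_443(flows):
    """flows: iterable of (src, dst_port, first_client_bytes).

    Returns (src, verdict, reason) for every port-443 flow that did not open
    with a TLS ClientHello; other ports are left to their own protocol checks."""
    alerts = []
    for src, dport, first_bytes in flows:
        if dport != 443:
            continue
        result = classify_first_bytes(first_bytes)
        if result["verdict"] != "tls":
            alerts.append((src, result["verdict"], result["reason"]))
    return alerts


# Constructed sample flows (not captured data): a genuine TLS 1.2 ClientHello prefix,
# plaintext HTTP on 443, a custom binary protocol on 443, a record whose handshake
# length contradicts its record length, and an unrelated port-80 flow.
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, bytes.fromhex("160301002f0100002b0303") + b"\x00" * 32),
    ("10.0.0.6", 443, b"GET /beacon HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("10.0.0.7", 443, b"\x00\x00\x00\x2ccustom-proto\x01\x02\x03\x04\x05\x06\x07\x08"),
    ("10.0.0.8", 443, bytes.fromhex("1603010010010000ff0303") + b"\x00" * 32),
    ("10.0.0.9", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for alert in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(alert)
```

Only the first record is examined, so the check catches channels that never speak TLS on the port; it does not see inside a genuine TLS session, which is what the SSL/TLS Inspection mitigation above is for.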

References

  1. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  2. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  3. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  4. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
  5. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  6. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  7. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  8. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  9. Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024.
  10. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  11. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  12. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  13. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  14. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  15. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  16. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  17. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  18. cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
  19. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  20. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  21. Fishbein, N., Kajiloti, M. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  22. Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.
  23. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  24. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.
  25. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  26. fatedier. (n.d.). What is frp? Retrieved July 10, 2024.