Malware Command and Control

November 2, 2023

The following is an overview of malware command and control and how to leverage cyber threat hunting and threat intelligence as a counter measure.

Malware is a type of harmful software that can damage computers or steal information. The term “C2C” or “C2” in the context of malware stands for “Command and Control.” Think of malware as a spy that’s been sent into a foreign country. Once the spy is in place, they need a way to communicate with their home base to receive instructions and send back any information they’ve gathered. That’s where malware command and control comes in – it’s the method that the “spy” — the malware — uses to communicate with the attacker.

So, a malware command and control server is like the home base for the malware. It’s a computer controlled by the attacker that sends commands to and receives information from the malware. This allows the attacker to control the malware remotely, telling it what to do and receiving the information it has gathered. In the realm of cyber security, one of the most intriguing aspects of malware is its ability to communicate with its attacker. This communication, often facilitated through Command and Control servers (C2C/CnC/C2), serves various purposes, from uploading stolen data to receiving new commands from the attacker. However, as network detection technologies have advanced, so too have the methods malware employs to maintain this crucial line of communication.


Innovation in Malware Communication

A decade ago, the landscape of malware communication was relatively straightforward. Malware typically communicated via IRC chat or simple HTTP communication. These methods were direct, easy to implement, and served their purpose well. However, they also had a significant drawback – they were relatively easy to detect and intercept.

As technologies like Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls became more sophisticated, they began to pose a significant threat to these simple communication methods. The interception of malware communication became not just a possibility, but a common occurrence. This presented a challenge for malware, but as we’ve seen time and again in the cyber security landscape, challenges often lead to innovation. In response to these advanced detection methods, malware has had to evolve. Today, we see malware using more complex communication mechanisms to evade detection. These include methods like HTTPS, DNS tunneling, domain generation algorithms (DGA), and even TOR.

HTTPS, for instance, allows malware to hide its communication within encrypted web traffic, making it much harder for network detection tools to identify malicious activity. DNS tunneling, on the other hand, leverages the DNS protocol to send and receive data, a method that often goes unnoticed as DNS traffic is typically not inspected as closely as web traffic.

Domain Generation Algorithms (DGA) add another layer of complexity. DGAs create a large number of domain names that malware can use to establish its C2 communication, making it incredibly difficult for defenders to block all potential C2 servers. Lastly, some malware has even begun to use TOR, a network known for providing anonymity, to conceal its communication.


Technical Details of DNS Tunneling 

Take DNS tunneling as an example. In a typical scenario, malware on an infected host generates a DNS query for a subdomain of a domain controlled by the attacker. The subdomain often encodes data that the malware wants to send to the attacker. When the DNS server controlled by the attacker receives this query, it can decode the data and send a response back to the malware, which can also encode data.

For instance, a DNS query might look like this: The data-to-send part can be encoded with information such as system details, user credentials, or other sensitive data.


Using Threat Hunting & Threat Intelligence 

Cyber threat hunting and cyber threat intelligence play crucial roles in countering these advanced communication methods. Threat hunting involves proactively searching for indicators of compromise (IoCs) within a network. In the context of advanced malware communication, threat hunters might look for unusual patterns of network traffic, such as a high volume of DNS requests to a single domain or encrypted traffic to an unknown IP address.

Cyber threat intelligence, on the other hand, involves gathering and analyzing information about existing threats to better defend against them. This could involve analyzing data from previous malware attacks to understand how they communicate and using this information to predict and prevent future attacks. For instance, if cyber threat intelligence reveals that a certain type of malware uses DNS tunneling and frequently communicates with a particular set of domains, organizations can proactively block these domains or set up alerts for when these domains are contacted.


The DeepSeas MDR+ Solution to Counter Malware

At DeepSeas, we offer a suite of advanced cyber security solutions designed to counter sophisticated malware communication methods. Our Managed Detection & Response solution, DeepSeas MDR+, provides continuous monitoring and analysis of your network traffic. This allows us to detect unusual patterns, such as a high volume of DNS requests or encrypted traffic to unknown IP addresses, which could indicate a malware communication.

Our cyber threat hunting crew at DeepSeas proactively searches for indicators of compromise within your network, ensuring that threats are identified and neutralized before they can cause significant damage. At DeepSeas, we don’t just wait for an alert – we actively look for signs of an intrusion. In addition, our threat intelligence service gathers and analyzes information about existing threats. Our in-house experts then use this knowledge to better defend your network, predicting and preventing future attacks based on behaviors of the past.

DeepSeas also provides robust IT security solutions that work in tandem with your MSP, creating an integrated plan to strengthen your security measures. We understand that each organization has unique needs and challenges, and we tailor our solutions accordingly to ensure you are well-equipped to face cyber security challenges in the future.

While malware communication methods have undoubtedly become more sophisticated, the tools and techniques we have to counter them have also advanced. By understanding these methods and leveraging cyber threat hunting and threat intelligence, we can stay one step ahead in the ever-evolving cyber security threat landscape.


This deep dive into malware command and control was written by a valued member of our DeepSeas crew,