Exploit Intelligence 101

Understanding Command & Control (C2) Infrastructure

Tom Bain@tmbainjr1


This knowledgebase article will give insight into:

  • The definition and key features of a C2 infrastructure
  • The characteristics of a C2-driven attack
  • Common types of C2 malware
  • Ways security teams can mitigate risks of C2-based attacks

What is a Command & Control (C2) Infrastructure?

In many ways, a command and control (C2) attack is the threat actor version of using a remote control car or drone. Attackers compromise devices, deploy malware to them, and then remotely control them to further their objectives, such as stealing sensitive data or distributing spam. Command and control (C2 or C&C) infrastructure is the technical foundation of these attacks. By understanding what C2 is and how C2-based attacks work, security teams can improve their effectiveness and reduce an attack’s impact.

“Command and control” refers to the systems that attackers use to communicate with and control the malware running on compromised devices. Through this infrastructure, they can maintain remote, covert control over the victim’s systems to coordinate additional malicious activities like:

  • Deploying additional malware
  • Exfiltrating data
  • Controlling botnets

C2 infrastructures use various technologies to evade detection and are often used as part of an advanced persistent threat (APT).

What are the Key Features of a C2 Infrastructure?

To better detect and defend against C2-based attacks, security teams should understand the infrastructure’s key features:

  • Remote management: Threat actors can issue instructions and maintain remote control over compromised devices.
  • Communication protocols and covert channels: Hidden or disguised channels enable attackers to operate without triggering security alerts.
  • Command execution and data exfiltration: The infrastructure enables attackers to execute commands on infected machines, helping them steal sensitive information.
  • Installing additional malware: Attackers can use the C2 infrastructure to install new malware on infected devices for even more control over them.
  • Domain Generation Algorithms (DGAs): By algorithmically generating many candidate domain names, the attackers make tracking and blocking all malicious domains a challenge.

What are Command and Control Attacks?

In a C2-driven attack, threat actors remotely control a target network’s systems through control servers that allow them to carry out various malicious activities. The attackers use covert communication channels to coordinate with the infected machines, enabling them to maintain persistent access to compromised systems, often leading to the following consequences:

  • Ransomware injection
  • Financial document theft
  • Business disruption
  • Corporate or nation-state espionage

How do C2-driven Attacks Work?

C2-driven attacks seek to maintain control over infected devices and compromised systems so that attackers can steal information or disrupt operations. They are often more sophisticated than other attack types, requiring a series of coordinated steps to execute successfully.

C2 Server Setup

The C2 server is the attack’s central hub for managing and controlling compromised devices. Threat actors use the C2 servers to send commands to infected machines while receiving stolen data. The servers maintain a constant communication link with the compromised network so that attackers can execute remote commands and processes.

Initial Compromise

During the initial compromise phase, attackers gain unauthorized access to target systems. Some typical ways they gain initial access include:

  • Deploying phishing attacks to trick people into providing credentials
  • Exploiting vulnerabilities in software, firmware, and operating systems
  • Purchasing leaked or stolen credentials on the dark web

This phase establishes a foothold so that they can further infiltrate the network.

Callback Mechanism (Command and Control Channel)

The callback mechanism, also called the C2 channel, establishes a connection between compromised devices and the C2 server, typically using common network protocols, like HTTP or HTTPS, to hide in normal traffic. Once a device has malware installed, it reaches out to the C2 server to maintain constant communications, often encrypted ones. Since callbacks use legitimate network channels, the malicious operations often remain hidden from detection.

Command Execution

Once attackers establish a C2 connection, they often send compromised devices additional instructions; this is the command execution phase. Some examples of what attackers do when they can remotely control and manage compromised devices include:

Through command execution, they can manipulate compromised systems to achieve additional objectives or adjust strategies.

Lateral Movement and Persistence

After gaining initial access, attackers compromise other machines and gather additional credentials. Escalating privileges, like gaining administrative access to a database, enables them to reach more business-critical systems and data. As they move across the network, they can hide from security teams more effectively, remaining undetected and expanding their reach.

Data Discovery

As attackers move laterally across networks and systems, they look for critical data, like intellectual property or financial documents. As part of this process, they map the network landscape to understand where sensitive assets reside, enabling them to focus efforts on highly rewarding data while minimizing detection.

Data Exfiltration

During data exfiltration, the C2 servers may covertly transfer data to the attackers, including:

  • Intellectual property
  • Personally identifiable information (PII)
  • Credit card or bank account information
  • Proprietary documents

Security teams often struggle to identify this data theft since the threat actors use obfuscation techniques, like encryption, to hide in regular network traffic. For financially motivated cybercriminals, these activities may be the end goal since they can sell the data on the dark web.

Coordinating Sophisticated Attacks

Since the C2 infrastructure enables persistence, attackers often use it for operations that aim to steal data or disrupt systems over long periods of time. For example, they may use it to coordinate larger attacks, like:

  • Supply chain attacks
  • Watering hole attacks targeting less secure endpoints
  • Deploying rootkits

The C2 infrastructure’s ability to evade detection enables the attackers to strategically navigate and exploit the target network.

Evasion Techniques

While not a specific “attack phase,” threat actors engage in ongoing activities to maintain stealth, including:

  • Domain hopping by using dynamic domain generation algorithms to create numerous domain names and complicate tracking efforts
  • Encryption to make any data transfers difficult for security teams to view and mitigate
  • Transferring traffic through legitimate services to blend into normal network activities

Common Types of C2 Malware

Every C2-driven attack incorporates some kind of malicious code that enables the attackers to control the compromised systems. Some of the more common malware variants include:

  • Remote Access Trojans (RATs): malware that gives attackers persistent remote access to target networks, often delivered hidden in seemingly benign files like email attachments.
  • Botnets: networks of infected machines used in malicious activities such as sending spam emails or launching attacks.
  • Keyloggers: capturing keystrokes to collect sensitive information, like passwords or financial information, and sending it back to the control server.
  • Backdoors: providing unauthorized access to systems, allowing additional malware to spread faster.

How to Detect and Mitigate C2 Attack Risks

While attackers use C2-driven attacks and the associated infrastructure to evade detection, security teams can take some steps to help identify potential compromise and engage in proactive risk mitigation strategies.

To reduce the likelihood that threat actors can successfully deploy a C2-driven attack, organizations can implement the following risk mitigation controls:

  • Patch vulnerabilities: scan for security weaknesses in operating systems, software, and firmware and apply security updates in a timely manner.
  • Limit user access: apply the principle of least privilege across all user access with role-based access controls that limit user access to only resources necessary for completing job functions.
  • Monitor network traffic: create network traffic baselines and monitor for abnormal activity that can indicate potential data exfiltration or remote command execution, like outbound connections to known malicious domains or IP addresses.
  • Incorporate threat intelligence: leverage insight into actual attacker behavior to identify targeted technologies or vulnerabilities to prioritize monitoring and patching across them.
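The "Monitor network traffic" control above, together with the callback-mechanism and DGA behaviour described earlier, can be turned into concrete detection logic. The following is an added example, not code from the original article or from VulnCheck: it parses a constructed proxy log (hypothetical format), matches destinations against a hypothetical known-C2 block list, flags regular-interval callbacks (beaconing), and applies a simple entropy heuristic for DGA-style domain names.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime
# Constructed proxy log (hypothetical format): timestamp, source host, destination, bytes out.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ws-17 updates.example.net 412
2024-03-01T10:00:07 ws-17 x7kq2p9zv1.example 98
2024-03-01T10:01:07 ws-17 x7kq2p9zv1.example 99
2024-03-01T10:02:06 ws-17 x7kq2p9zv1.example 97
2024-03-01T10:03:08 ws-17 x7kq2p9zv1.example 98
2024-03-01T10:00:30 ws-04 mail.example.org 2210
2024-03-01T10:11:02 ws-04 203.0.113.45 15000
"""
# Hypothetical block list of known C2 addresses, e.g. fed from a threat-intelligence service.
KNOWN_C2 = {"203.0.113.45"}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, host, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, dest, int(nbytes)))
    return events

def shannon_entropy(label):
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_like_dga(domain, min_entropy=3.0):
    # Heuristic: long, high-entropy leftmost labels are typical of DGA output.
    label = domain.split(".")[0]
    return len(label) >= 10 and shannon_entropy(label) >= min_entropy

def find_beacons(events, min_hits=4, max_jitter=0.2):
    # Flag (host, dest) pairs whose inter-request gaps are nearly constant (beaconing).
    by_pair = defaultdict(list)
    for ts, host, dest, _ in events:
        by_pair[(host, dest)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = round(mean, 1)
    return beacons

def blocklist_hits(events, blocklist):
    return sorted({(host, dest) for _, host, dest, _ in events if dest in blocklist})
```

The entropy and jitter thresholds are starting points to tune against your own baseline; legitimate software updaters also poll on fixed intervals, so beacon hits are leads for analysts, not verdicts.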

With VulnCheck’s Exploit Intelligence and IP Intelligence, security teams have access to the most recent threat intelligence about how attackers are acting in the real world. The VulnCheck platform offers live tracking of threat actors’ C2 infrastructure so that security teams can implement dynamic block lists that proactively remediate attack risk.

With the industry’s largest collection of exploit proof-of-concept code and real-world exploitation data, organizations can prioritize their vulnerability remediation activities more effectively and reduce the likelihood that threat actors can successfully deploy a C2-driven attack.
