There has been a spike in the use of Command and Control (C2) frameworks by cybercriminals and nation-state hackers to carry out cyberattacks. Threat actors are reportedly moving beyond the widely abused Cobalt Strike and adopting unique C2 frameworks to send commands to infected devices for launching attacks, encrypting data, and other malicious objectives.

What do the statistics say?

Researchers from Recorded Future revealed that the number of C2 servers used for launching cyberattacks has risen by 30% in 2022.
  • More than 17,000 of these servers have been detected this year, up from 13,629 last year.
  • The list is dominated by Cobalt Strike team servers, botnet families such as IcedID and QakBot, and infamous RATs such as PlugX.
  • Researchers noted that botnet malware, mainly Emotet and QakBot, continued to expand their C2 infrastructure and remained prevalent throughout the year.
  • Cobalt Strike is so prevalent because it is easy to use, offers a wide range of capabilities, and is still difficult to detect and remove. 

The global spread

  • China hosted the most C2 servers with 4,000, followed by the U.S. with 3,928 and Hong Kong with 1,451.
  • The three countries accounted for 55% of all the C2 servers detected this year.

What’s the reason for the surge?

  • With the rise in attention to Cobalt Strike from network defenders, attackers have been looking for alternative C2 frameworks.
  • This suggests that as criminals adopt more alternatives, it will become harder for network defenders to protect against impending attacks.
  • Popular alternative frameworks that have gained traction include Brute Ratel, Sliver, and DeimosC2.

Other popular C2 frameworks include

  • Recently, researchers dissected the popularity of the Empire C2 framework that provided adversaries with the capability to expand their foothold in a victim’s network. 
  • The framework is being used by Vice Society, Wizard Spider, Turla, and Leviathan threat groups for lateral movement, credential dumping, and more.
  • Apart from this, a new C2 framework called Alchimist, which is capable of targeting macOS, Windows, and Linux systems, was also detected in the wild. 
  • The easy-to-use framework allows its operators to generate and configure payloads that can capture screenshots remotely, perform remote shellcode execution, and run arbitrary commands. 
  • A Cobalt Strike spin-off named Manjusaka was also found being used in a campaign targeting users in Tibet under the pretext of reports on Covid-19 cases.

The bottom line

Researchers predict that Cobalt Strike and botnets will continue to dominate the C2 lists in the coming year. Alongside these, there will be an increase in the use of other niche C2 tools such as Sliver, Alchimist, and Manjusaka. As attackers can use these C2 servers to accomplish a wide range of malicious activities, organizations must have resilient defenses that thwart attacks in their initial stages.
Cyware Publisher