DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework

Changing the paths is likely something that an attacker will do, and this will cause some of the things we’ve previously discussed to change in the binaries and in the traffic patterns. For instance, if the getname in the DOH agent is changed, it will no longer go to 6765746e616d65 but will instead redirect to a subdomain of whatever it was changed to, converted to the hexadecimal system (an example being “trendmicroftr”, which would look like 7472656e646d6963726f667472 in the DoH query). This is one of the things that makes finding some of these red team tools increasingly more difficult since the evasion techniques are built into the options.

Each of the listeners can be updated for specific information that will change some of the paths and subdomains that are used. The TCP listener has the least number of options and as of writing, will likely be one of the easiest listeners to detect via network monitoring methods.

Detecting C&C traffic can be a difficult proposition for network defenders across the globe. Fortunately, during our investigation into DeimosC2, we have found some techniques that can be used to detect the presence of the agents communicating with the servers.

  • While some network activities are dynamic, such as the inspection of the paths of the URL (as these can be changed by malicious actors while setting up the listeners), others are predictable. For example, the first 8 bytes of the TCP listener communication can be used for detection using the provided Snort rule in an intrusion detection system (IDS).
  • In the case of the DoH example, if defenders are not using a service that leverages the JSON version of DoH within normal business operations, it is recommended that HTTPS to dns[.]google is blocked or at least logged. Most of the current DeimosC2 samples that leverage DoH currently use the JSON version of DoH provided by Google, which will stop this agent from working altogether.

However, it is important to remember that DeimosC2 is a post-exploitation C&C framework, and if you are seeing its traffic on your network, you have already been compromised by another means, and this is just the actor setting up persistency. If you detect DeimosC2 in your system, you should be aware there will likely be other attack tools deployed that you might not be aware of. Assuming a stance that you are already compromised also provides additional defensive options:

  • Defenders should perform regular monitoring of outbound communications for top talkers. In particular, they should flag any hosts that have a significantly larger amount of data sent than during a normal monitoring period.
  • Looking for communications that are new but also occur suddenly and frequently is an important part of network defense and helps not only in spotting DeimosC2 communications but also in helping spot other malware and communications that are malicious in nature early — especially if they are based on any sort of phone home or heartbeat patterns.

Although not designed to be a defensive measure, these kinds of tools can also sometimes provide an unexpected advantage for the defenders. As we mentioned, a C&C framework is meant to make the lives of penetration testers and red teamers easier through a variety of functions, such as by logging every command they run (whether this is on by default varies from framework to framework).

While non-malicious actors use these kinds of tools to enable faster report creation, if investigators are able to seize a server in which the attackers had this option configured (perhaps unknowingly), it can be a fantastic source of intelligence on the attacker’s post-compromise activities.

This report was intended to shed light on one of several C&C frameworks that criminals are using. DeimosC2 is one of the alternative tools that SOC teams will likely see being used against their networks for post-compromise activities. Over the coming months and years, we expect to see a rise in the use of many of these alternative C&C frameworks. We have already seen malicious actors switching from Cobalt Strike to these alternatives as defenders get better at identifying and blocking the communications and agents that are deployed.

It is important to remember that tools like these are dual-purpose: Their presence does not immediately indicate cybercriminal behavior since they are also popular with both internal and external penetration testers and red teams. While the red team’s role is to perform adversary simulations and work with companies to help them defend their networks from these exact same tools, it is still in the interest of network defenders to be aware of their presence. By learning how to identify and block these tools, an organization can strengthen their defensive posture and prevent attackers from pivoting within networks, exfiltrating data, or generally doing harm to enterprises.

These are IP addresses that were observed to have a DeimosC2 panel. Some of these IP addresses are likely to have been part of a red-team exercise.

IP address

first

last

3.133.59.113

03/05/2022

04/09/2022

3.17.189.71

20/08/2021

20/08/2021

5.101.4.196

27/04/2022

17/09/2022

5.101.5.196

06/05/2022

19/09/2022

13.211.163.117

01/02/2021

01/08/2021

35.193.194.65

01/03/2021

01/03/2021

35.238.243.202

01/08/2020

01/09/2020

39.101.198.2

29/09/2022

06/10/2022

45.12.32.61

01/01/2022

01/01/2022

45.32.29.78

01/04/2021

01/07/2021

45.76.148.163

01/08/2020

01/08/2020

47.241.40.139

01/12/2021

01/01/2022

49.233.238.185

01/09/2020

01/09/2020

50.17.89.130

16/11/2021

16/11/2021

51.161.75.139

01/07/2020

01/07/2020

51.222.169.4

01/02/2021

01/02/2021

54.205.246.190

01/03/2022

01/03/2022

69.197.131.198

01/09/2020

01/09/2020

80.211.130.78

06/06/2022

06/06/2022

84.246.85.157

30/04/2022

30/04/2022

95.179.228.18

01/08/2020

01/09/2020

104.131.12.204

01/08/2020

01/09/2020

106.13.236.30

05/10/2021

14/11/2021

108.61.186.55

01/03/2021

01/04/2021

117.50.31.161

01/10/2020

01/10/2020

120.92.9.225

01/02/2021

01/02/2022

124.156.148.70

01/11/2020

01/02/2021

145.239.41.145

01/08/2020

01/09/2020

152.32.212.101

22/08/2020

05/09/2020

154.221.28.248

01/02/2021

01/02/2021

157.230.93.100

01/08/2021

01/08/2021

162.219.33.194

01/05/2021

01/04/2022

162.219.33.195

01/04/2021

01/03/2022

162.219.33.196

01/07/2021

01/04/2022

172.104.163.114

01/11/2020

01/05/2021

172.105.107.243

01/12/2021

01/12/2021

182.92.189.18

01/10/2020

01/01/2021

185.173.36.219

01/10/2021

01/10/2021

185.232.30.2

01/01/2022

01/03/2022

185.232.31.2

01/01/2022

01/03/2022

203.41.204.180

01/12/2020

01/12/2020

206.189.196.189

01/01/2021

01/01/2021

218.253.251.120

01/08/2021

01/09/2021

The details of several DeimosC2 samples observed in the wild, complete with platform, protocol, C&C server, and RSA public keys (useful for clustering behavior) can be found in this link.

This was compiled with the help of two x64dbg scripts we developed, which assist with configuration extraction.

Meanwhile, the list of Trend Micro detections can be found here.

Read More HERE