Dead Drop Resolver

Information

• Name: Dead Drop Resolver

• ID: T1102.001

• Tactics: TA0011

• Technique: T1102

Introduction

Dead Drop Resolver (T1102.001) is a sub-technique of the MITRE ATT&CK framework under the parent technique "Web Service" (T1102). It describes adversaries' use of legitimate third-party web services to host encoded messages or instructions, often referred to as "dead drops." Attackers leverage these dead drops to deliver command and control (C2) instructions, payload data, or configuration updates. This technique allows adversaries to blend malicious traffic with legitimate web traffic, evading detection and complicating attribution efforts.

Deep Dive Into Technique

Dead Drop Resolver involves adversaries leveraging popular, legitimate web services to store encoded or encrypted information that compromised systems periodically retrieve. Key technical aspects include:

• Third-party web services: Attackers commonly exploit trusted, publicly accessible platforms such as GitHub, Pastebin, Google Docs, Dropbox, or social media platforms like Twitter.

• Encoding and encryption: Messages stored on these platforms are typically encoded (Base64, hexadecimal) or encrypted to evade detection and analysis.

• Polling mechanisms: Compromised systems periodically connect to the third-party service, retrieving instructions or updates. Polling intervals are usually randomized or scheduled to blend with normal traffic.

• Parsing and decoding: Malware or scripts on victim systems decode or decrypt the retrieved information to extract commands, configuration data, or payloads.

• Steganography: Attackers may embed instructions within images, documents, or seemingly innocuous text files hosted on legitimate web services, further obscuring their presence.

Real-world procedures often involve malware variants specifically designed to interact with well-known web services, ensuring a low-profile C2 channel that security tools struggle to detect.

When this Technique is Usually Used

Adversaries commonly use the Dead Drop Resolver technique in various attack scenarios and stages, including:

• Initial Access and Persistence: Establishing covert communication channels immediately after initial compromise to maintain long-term persistence without raising suspicion.

• Command and Control (C2): Regularly retrieving commands from hidden or encoded messages stored on legitimate websites, reducing the risk of detection compared to traditional C2 servers.

• Data Exfiltration: Embedding stolen data into encoded messages posted on trusted third-party platforms, enabling attackers to retrieve data without direct connections between victim systems and attacker infrastructure.

• Evasion and Obfuscation: Avoiding traditional security monitoring by blending malicious traffic with legitimate web traffic, thus complicating detection and attribution efforts.

• Supply Chain Attacks: Using trusted third-party services to deliver malicious payloads or configurations to multiple compromised endpoints simultaneously.

How this Technique is Usually Detected

Detection of Dead Drop Resolver techniques is challenging but achievable through various strategies and tools:

• Network Traffic Analysis:

  • Monitoring unusual outbound connections to popular third-party services at regular intervals.

  • Identifying anomalous patterns of data retrieval, such as repetitive requests to specific URLs or content updates.

• Endpoint Detection and Response (EDR):

  • Identifying suspicious processes or scripts regularly polling external services.

  • Detecting decoding or decryption activities performed by malware on endpoints.

• Web Proxy and Firewall Logs:

  • Reviewing logs for frequent or periodic access to external services not typically accessed by normal business processes.

  • Detecting abnormal HTTP methods (e.g., GET requests) or unusual user-agent strings.

• Threat Intelligence and Indicators of Compromise (IoCs):

  • Known malicious URLs or specific content uploaded to legitimate services.

  • Known malware families or scripts associated with dead drop techniques.

• Behavioral Analytics and Machine Learning:

  • Leveraging anomaly detection algorithms to identify deviations from baseline user and system behaviors.

  • Identifying unusual data transfer patterns, timing, and volumes.

Specific IoCs can include:

• URLs or domains frequently accessed by compromised hosts.

• Encoded or encrypted data stored on legitimate platforms (e.g., Pastebin, GitHub Gists).

• Known malware hashes or signatures associated with dead drop activities.

Why it is Important to Detect This Technique

Early detection of Dead Drop Resolver techniques is crucial due to the significant impacts they can have on systems and networks, including:

• Stealthy Persistence: Attackers maintain long-term, covert access, making remediation difficult and lengthy.

• Data Exfiltration Risks: Sensitive data can be exfiltrated unnoticed, potentially causing severe financial, operational, and reputational damage.

• Reduced Visibility: Malicious traffic blends with legitimate traffic, complicating incident detection and response efforts.

• Increased Attacker Flexibility: Attackers can dynamically update malware configurations and payloads without direct connections, making their operations more agile and adaptable.

• Supply Chain Compromise: Potential to spread rapidly across multiple systems, amplifying impacts and complicating remediation.

Detecting and mitigating this technique early significantly reduces the adversary's dwell time, limits potential damage, and maintains the integrity and confidentiality of critical systems and data.

Examples

Real-world examples of Dead Drop Resolver include:

• APT29 (Cozy Bear):

  • Attack Scenario: APT29 leveraged legitimate cloud services, including Twitter and GitHub, to host encoded C2 instructions.

  • Tools Used: HAMMERTOSS malware, which retrieved instructions from encoded images or text posted publicly.

  • Impacts: Persistent, stealthy communication channels allowed prolonged espionage activities, data exfiltration, and intelligence gathering.

• Turla Group (Snake/Uroburos):

  • Attack Scenario: Turla utilized compromised Instagram comments and other social media platforms to store encoded command instructions.

  • Tools Used: Custom malware capable of parsing and decoding data from social media comments.

  • Impacts: Enabled covert, persistent access and espionage operations targeting government and military institutions.

• Putter Panda:

  • Attack Scenario: The group leveraged public services such as Dropbox to store encrypted payloads and commands.

  • Tools Used: Custom backdoors retrieving and decrypting payload updates from Dropbox.

  • Impacts: Allowed sustained, stealthy espionage activities against defense contractors and technology companies.

• FIN7 Cybercrime Group:

  • Attack Scenario: FIN7 used Google Docs and Pastebin to host encoded malware configuration data.

  • Tools Used: CARBANAK malware, capable of polling and decoding instructions from legitimate web services.

  • Impacts: Facilitated large-scale financial fraud, theft of sensitive financial data, and unauthorized transactions.

These examples highlight the effectiveness and prevalence of Dead Drop Resolver techniques across diverse adversary groups, emphasizing the importance of robust detection and mitigation strategies.