C&C Beaconing and How to Detect and Block It

What is C&C Beaconing?

Command-and-control (C&C or C2) beaconing is a type of malicious communication between a C&C server and malware on an infected host. C&C servers can orchestrate a variety of nefarious acts, from denial of service (DoS) attacks to ransomware to data exfiltration.

Often, the infected host will periodically check in with the C&C server on a regular schedule, hence the term beaconing. This pattern can differentiate it from normal traffic because of the regularity of intervals. But beaconing on common ports and protocols (such as HTTP:80 or HTTPS:443) often obscures malicious traffic within normal traffic and helps the attacker evade firewalls. Another evasion tactic, notably used by SUNBURST, involves waiting long, randomized periods of time before communicating.

What are Botnets?

Botnets are a group of hosts infected by malware and controlled by a C&C server (though a C&C server can control things other than botnets). Those hosts can be computers, IoT devices, smart phones, or other internet-connected technologies. Beaconing is just one type of communication used between botnets and the bad actor controlling them.

Protection Against C&C Beaconing

Preventing malware in the first place can stop beaconing before it begins. Inevitably, threats will get inside the walls, making a second line of defense necessary.

These beacons signal C&C servers on a regular schedule. Security tools can look for patterns in the timing of communications (such as GET and POST requests) to detect beaconing. While malware attempts to mask itself by using some amount of randomization, called jitter, it still creates a pattern that is recognizable—especially by machine-learning detections.
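As an added illustration of the timing-based detection described above (this is example code, not part of the original article or any vendor product), the following script groups connections per source/destination pair, computes inter-arrival gaps, and scores how tightly those gaps cluster around their median. The sample log, the IP addresses, and the thresholds are all constructed for the example; a beacon with a few percent of jitter still scores near 1.0, while bursty human-driven traffic does not.

```python
from collections import defaultdict
from statistics import median

# Constructed sample connection log: (timestamp_seconds, src, dst).
# 10.0.0.5 beacons to 203.0.113.7 roughly every 60 s with jitter;
# 10.0.0.9 browses 198.51.100.5 in irregular bursts.
SAMPLE_LOG = [
    (0, "10.0.0.5", "203.0.113.7"), (58, "10.0.0.5", "203.0.113.7"),
    (122, "10.0.0.5", "203.0.113.7"), (179, "10.0.0.5", "203.0.113.7"),
    (243, "10.0.0.5", "203.0.113.7"), (300, "10.0.0.5", "203.0.113.7"),
    (361, "10.0.0.5", "203.0.113.7"), (418, "10.0.0.5", "203.0.113.7"),
    (3, "10.0.0.9", "198.51.100.5"), (5, "10.0.0.9", "198.51.100.5"),
    (90, "10.0.0.9", "198.51.100.5"), (91, "10.0.0.9", "198.51.100.5"),
    (400, "10.0.0.9", "198.51.100.5"), (402, "10.0.0.9", "198.51.100.5"),
    (1100, "10.0.0.9", "198.51.100.5"), (1101, "10.0.0.9", "198.51.100.5"),
]

def intervals_by_pair(log):
    """Return {(src, dst): [inter-arrival gaps in seconds]} per host pair."""
    times = defaultdict(list)
    for ts, src, dst in log:
        times[(src, dst)].append(ts)
    return {pair: [b - a for a, b in zip(sorted(t), sorted(t)[1:])]
            for pair, t in times.items()}

def regularity_score(gaps, tolerance=0.25):
    """Fraction of gaps within +/-tolerance of the median gap (0.0 to 1.0).
    Jitter of a few percent keeps a beacon's gaps near the median, so it
    scores near 1.0; bursty human-driven traffic scores far lower."""
    if len(gaps) < 3:
        return 0.0
    m = median(gaps)
    if m <= 0:
        return 0.0
    return sum(1 for g in gaps if abs(g - m) <= tolerance * m) / len(gaps)

def find_beacons(log, min_connections=6, threshold=0.8):
    """Return (src, dst, median_gap, score) for pairs that look like beacons."""
    found = []
    for (src, dst), gaps in intervals_by_pair(log).items():
        if len(gaps) + 1 < min_connections:   # too few samples to judge
            continue
        score = regularity_score(gaps)
        if score >= threshold:
            found.append((src, dst, median(gaps), score))
    return found

if __name__ == "__main__":
    for src, dst, gap, score in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: median gap {gap:.0f}s, regularity {score:.2f}")
```

Simple scoring like this needs enough connections per pair to be meaningful, and it will not catch the long, heavily randomized sleep intervals the article attributes to SUNBURST, which require much longer observation windows and additional features beyond timing.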

Some options to mitigate C&C activity if beaconing is detected on a device:

  • Remove or disable any extraneous applications, services, and daemons on the device
  • Quarantine the device while checking for indicators of compromise, such as the presence of malware
  • Block inbound and outbound traffic from suspicious endpoints at the network perimeter
  • Implement network segmentation and the principle of least privilege on accounts to minimize the damage caused by a compromised device

C&C Beaconing History

In order to listen for beaconing (and control their botnets), bad actors used to operate actual physical devices that functioned as C&C servers, but now those servers are more frequently ephemeral and hidden within legitimate services. One tactic is to create a server within a legitimate cloud service. That way, the destination of the outbound traffic appears to be an unsuspicious service.

Notable Botnets

Trickbot, first reported in 2016, is both a type of malware and a pervasive botnet sold as Malware-as-a-Service (MaaS). It uses email spam to take control of computers and is thought to be one of the most financially damaging botnets.

ZeuS, first seen in 2007, is perhaps the largest botnet with over 13 million infected hosts. It began as a banking trojan which at one point was responsible for 90 percent of all online bank fraud in the world.

Emotet, first reported in 2014, began as a banking trojan before evolving into both a botnet and a vehicle for getting other malware past defenses.