DETECTION OVERVIEW
Risk Factors
Several malware variants communicate with command-and-control (C&C) servers over the BackConnect XOR protocol. A skilled attacker can take advantage of custom BackConnect messages to run a wide range of C&C commands. BackConnect messages are strong indicators of compromise and should be investigated.
Kill Chain
Risk Score: 88
BackConnect XOR is a protocol that enables C&C communication for malware such as IcedID, Qakbot, and Latrodectus. After the malware is installed on a device, it connects to an attacker-controlled C&C server on port 443 or 8080. The attacker then sends a BackConnect message to the victim. The message can carry several types of commands: some turn the victim into a SOCKS proxy for malicious traffic, while others create a reverse shell or launch a hidden VNC remote desktop session on the victim.