DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework
Changing the paths is something an attacker is likely to do, and this will alter some of the artifacts we have previously discussed, both in the binaries and in the traffic patterns. For instance, if the getname value in the DoH agent is changed, the query will no longer go to the 6765746e616d65 subdomain but instead to a subdomain made of the new value converted to hexadecimal (for example, “trendmicroftr” would appear as 7472656e646d6963726f667472 in the DoH query). This is one of the things that makes finding some of these red team tools increasingly difficult, since the evasion techniques are built into the options.
Each listener can be configured with specific values that change some of the paths and subdomains it uses. The TCP listener has the fewest options and, as of this writing, will likely be one of the easiest listeners to detect through network monitoring.
Detecting C&C traffic can be a difficult proposition for network defenders across the globe. Fortunately, during our investigation into DeimosC2, we have found some techniques that can be used to detect the presence of the agents communicating with the servers.
- While some network indicators are dynamic, such as the URL paths (which malicious actors can change when setting up the listeners), others are predictable. For example, the first 8 bytes of the TCP listener communication can be used for detection with the provided Snort rule in an intrusion detection system (IDS).
- In the case of the DoH example, if defenders are not using a service that relies on the JSON version of DoH within normal business operations, it is recommended that HTTPS to dns[.]google be blocked or at least logged. Most current DeimosC2 samples that leverage DoH use the JSON version of DoH provided by Google, so blocking it will stop this agent from working altogether.
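As an added illustration of the two points above, the hex-encoded subdomain in the DoH agent's query and the recommendation to log or block JSON DoH to dns[.]google, the following Python script is example code written for this page; it is not code from the post or from the DeimosC2 project. It scans constructed egress-proxy log lines (the "METHOD URL" format, the placeholder .test domain and the resolver host list are all assumptions) for JSON DoH queries to dns.google and decodes any DNS labels that consist purely of printable hex, which is the pattern the post describes.

```python
from urllib.parse import urlparse, parse_qs

# Google's JSON DoH endpoint named in the post; extend with any other JSON DoH
# resolvers your environment should not be talking to (assumption).
DOH_JSON_HOSTS = {"dns.google"}

# Constructed proxy/egress log lines in an assumed "METHOD URL" format. The
# query names reuse the post's hex examples under a placeholder .test domain.
SAMPLE_REQUESTS = [
    "GET https://dns.google/resolve?name=6765746e616d65.c2-placeholder.test&type=TXT",
    "GET https://dns.google/resolve?name=7472656e646d6963726f667472.c2-placeholder.test&type=TXT",
    "GET https://dns.google/resolve?name=www.example.com&type=A",
    "GET https://www.example.org/index.html",
]


def decode_hex_label(label):
    """Return the ASCII text a DNS label encodes if it is pure printable hex, else None.

    Labels shorter than four characters are ignored, and short real words that
    happen to be hex digits (e.g. "cafe") decode to non-printable bytes and are
    rejected, which keeps false positives low without eliminating them entirely.
    """
    if len(label) < 4 or len(label) % 2:
        return None
    try:
        raw = bytes.fromhex(label)
    except ValueError:
        return None
    if not all(0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def inspect_request(line):
    """Return details for a JSON DoH query, or None if the line is something else."""
    _method, _, url = line.partition(" ")
    parsed = urlparse(url)
    if parsed.hostname not in DOH_JSON_HOSTS or not parsed.path.startswith("/resolve"):
        return None
    name = parse_qs(parsed.query).get("name", [""])[0]
    hex_labels = {}
    for label in name.split("."):
        decoded = decode_hex_label(label)
        if decoded is not None:
            hex_labels[label] = decoded
    return {"name": name, "hex_labels": hex_labels}


def find_doh_json_queries(lines):
    """Every JSON DoH query in the log: the traffic the post says to log or block."""
    return [hit for hit in map(inspect_request, lines) if hit is not None]


def suspicious_doh_queries(lines):
    """JSON DoH queries whose names carry hex-encoded labels, as in the post's agent."""
    return [hit for hit in find_doh_json_queries(lines) if hit["hex_labels"]]


if __name__ == "__main__":
    for hit in suspicious_doh_queries(SAMPLE_REQUESTS):
        print(f"{hit['name']} -> {hit['hex_labels']}")
```

Run over a real proxy export, `find_doh_json_queries` gives the inventory needed to decide whether the block on dns[.]google is safe for the business, and `suspicious_doh_queries` narrows it to the queries worth an analyst's time. The decoded text is only a triage aid: an operator who changes the getname value changes the hex, but the query still lands on a hex-only label under a JSON DoH resolver, which is what the check keys on.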
However, it is important to remember that DeimosC2 is a post-exploitation C&C framework: if you are seeing its traffic on your network, you have already been compromised by some other means, and this is just the actor setting up persistence. If you detect DeimosC2 on your systems, you should expect that other attack tools have likely been deployed that you are not yet aware of. Assuming a stance that you are already compromised also opens up additional defensive options:
- Defenders should regularly monitor outbound communications for top talkers. In particular, they should flag any host that sends a significantly larger amount of data than it did during a normal monitoring period.
- Looking for communications that are new and that also occur suddenly and frequently is an important part of network defense. It helps not only in spotting DeimosC2 communications but also in spotting other malware and malicious communications early, especially if they are based on any sort of phone-home or heartbeat pattern.
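The two monitoring ideas above, top-talker volume checks and spotting new, regularly recurring connections, are shown together in the following Python script. It is example code added for this page, not code from the post or from any detection product; the flow-record tuple format, the per-host byte baseline, the set of previously seen destinations and the thresholds are all assumptions, and the addresses come from RFC 5737 documentation ranges. The beacon check goes slightly beyond the text by scoring how regular the intervals are, so that a strict heartbeat stands out from ordinary browsing to the same destination.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flow records for three workstations (assumed format):
# (timestamp_seconds, source_host, destination_ip, bytes_sent). Addresses are
# from documentation ranges (RFC 5737) and mean nothing outside this example.
FLOWS = [
    # ws-01: small, regular connections to one never-seen destination (heartbeat-like)
    *[(t, "ws-01", "198.51.100.7", 300) for t in (0, 61, 119, 180, 242, 299, 360, 421)],
    # ws-02: ordinary, irregular traffic to an already known service
    *[(t, "ws-02", "203.0.113.10", 5000) for t in (5, 40, 300, 310, 900, 1500)],
    # ws-03: a few flows moving far more data than this host normally sends
    (100, "ws-03", "192.0.2.20", 20_000_000),
    (200, "ws-03", "192.0.2.20", 20_000_000),
    (300, "ws-03", "192.0.2.20", 15_000_000),
]

# Bytes each host sends in a comparable normal period (constructed baseline).
BASELINE_BYTES = {"ws-01": 500_000, "ws-02": 2_000_000, "ws-03": 1_000_000}

# Destinations already seen in earlier monitoring periods (constructed).
KNOWN_DESTINATIONS = {"203.0.113.10"}


def bytes_out_per_host(flows):
    """Total outbound bytes per source host."""
    totals = defaultdict(int)
    for _ts, src, _dst, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def top_talkers(flows, baseline, ratio=3.0):
    """Hosts whose outbound volume is at least `ratio` times their own baseline."""
    flagged = []
    for host, total in bytes_out_per_host(flows).items():
        normal = baseline.get(host)
        if normal and total >= ratio * normal:
            flagged.append((host, total, round(total / normal, 1)))
    return sorted(flagged, key=lambda item: item[2], reverse=True)


def beacon_candidates(flows, known_destinations, min_count=5, max_jitter=0.2):
    """(src, dst) pairs to unseen destinations with many near-regular intervals.

    Jitter is the spread of the gaps between connections relative to the mean
    gap; a fixed heartbeat with small random delay scores near zero, while
    human-driven traffic scores far higher.
    """
    times = defaultdict(list)
    for ts, src, dst, _nbytes in flows:
        if dst not in known_destinations:
            times[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in times.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            found.append({"src": src, "dst": dst, "count": len(stamps),
                          "interval_s": round(avg), "jitter": round(jitter, 3)})
    return found


if __name__ == "__main__":
    for host, total, factor in top_talkers(FLOWS, BASELINE_BYTES):
        print(f"top talker: {host} sent {total} bytes ({factor}x baseline)")
    for hit in beacon_candidates(FLOWS, KNOWN_DESTINATIONS):
        print(f"beacon-like: {hit['src']} -> {hit['dst']} every ~{hit['interval_s']}s "
              f"({hit['count']} flows, jitter {hit['jitter']})")
```

On the constructed data, ws-03 is the only top talker (55x its baseline) and ws-01 is the only beacon candidate (eight flows roughly a minute apart to a destination not seen before); ws-02 reaches a known service at irregular intervals and is not flagged by either check. In practice the baseline comes from the previous monitoring window and the known-destination set from the flow history, and the thresholds are tuned per environment.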
Although not designed as a defensive measure, these kinds of tools can also sometimes provide an unexpected advantage for defenders. As we mentioned, a C&C framework is meant to make the lives of penetration testers and red teamers easier through a variety of functions, such as logging every command they run (whether this is on by default varies from framework to framework).
While non-malicious actors use this logging to enable faster report creation, if investigators are able to seize a server on which the attackers had this option configured (perhaps unknowingly), it can be a fantastic source of intelligence on the attacker’s post-compromise activities.
This report was intended to shed light on one of several C&C frameworks that criminals are using. DeimosC2 is one of the alternative tools that SOC teams will likely see being used against their networks for post-compromise activities. Over the coming months and years, we expect to see a rise in the use of many of these alternative C&C frameworks. We have already seen malicious actors switching from Cobalt Strike to these alternatives as defenders get better at identifying and blocking the communications and agents that are deployed.
It is important to remember that tools like these are dual-purpose: their presence does not immediately indicate cybercriminal behavior, since they are also popular with both internal and external penetration testers and red teams. While the red team’s role is to perform adversary simulations and work with companies to help them defend their networks from these exact same tools, it is still in the interest of network defenders to be aware of their presence. By learning how to identify and block these tools, an organization can strengthen its defensive posture and prevent attackers from pivoting within networks, exfiltrating data, or generally doing harm to enterprises.
These are the IP addresses observed hosting a DeimosC2 panel. Some of them are likely to have been part of a red team exercise.
| IP address | First observed (DD/MM/YYYY) | Last observed (DD/MM/YYYY) |
|---|---|---|
| 3.133.59.113 | 03/05/2022 | 04/09/2022 |
| 3.17.189.71 | 20/08/2021 | 20/08/2021 |
| 5.101.4.196 | 27/04/2022 | 17/09/2022 |
| 5.101.5.196 | 06/05/2022 | 19/09/2022 |
| 13.211.163.117 | 01/02/2021 | 01/08/2021 |
| 35.193.194.65 | 01/03/2021 | 01/03/2021 |
| 35.238.243.202 | 01/08/2020 | 01/09/2020 |
| 39.101.198.2 | 29/09/2022 | 06/10/2022 |
| 45.12.32.61 | 01/01/2022 | 01/01/2022 |
| 45.32.29.78 | 01/04/2021 | 01/07/2021 |
| 45.76.148.163 | 01/08/2020 | 01/08/2020 |
| 47.241.40.139 | 01/12/2021 | 01/01/2022 |
| 49.233.238.185 | 01/09/2020 | 01/09/2020 |
| 50.17.89.130 | 16/11/2021 | 16/11/2021 |
| 51.161.75.139 | 01/07/2020 | 01/07/2020 |
| 51.222.169.4 | 01/02/2021 | 01/02/2021 |
| 54.205.246.190 | 01/03/2022 | 01/03/2022 |
| 69.197.131.198 | 01/09/2020 | 01/09/2020 |
| 80.211.130.78 | 06/06/2022 | 06/06/2022 |
| 84.246.85.157 | 30/04/2022 | 30/04/2022 |
| 95.179.228.18 | 01/08/2020 | 01/09/2020 |
| 104.131.12.204 | 01/08/2020 | 01/09/2020 |
| 106.13.236.30 | 05/10/2021 | 14/11/2021 |
| 108.61.186.55 | 01/03/2021 | 01/04/2021 |
| 117.50.31.161 | 01/10/2020 | 01/10/2020 |
| 120.92.9.225 | 01/02/2021 | 01/02/2022 |
| 124.156.148.70 | 01/11/2020 | 01/02/2021 |
| 145.239.41.145 | 01/08/2020 | 01/09/2020 |
| 152.32.212.101 | 22/08/2020 | 05/09/2020 |
| 154.221.28.248 | 01/02/2021 | 01/02/2021 |
| 157.230.93.100 | 01/08/2021 | 01/08/2021 |
| 162.219.33.194 | 01/05/2021 | 01/04/2022 |
| 162.219.33.195 | 01/04/2021 | 01/03/2022 |
| 162.219.33.196 | 01/07/2021 | 01/04/2022 |
| 172.104.163.114 | 01/11/2020 | 01/05/2021 |
| 172.105.107.243 | 01/12/2021 | 01/12/2021 |
| 182.92.189.18 | 01/10/2020 | 01/01/2021 |
| 185.173.36.219 | 01/10/2021 | 01/10/2021 |
| 185.232.30.2 | 01/01/2022 | 01/03/2022 |
| 185.232.31.2 | 01/01/2022 | 01/03/2022 |
| 203.41.204.180 | 01/12/2020 | 01/12/2020 |
| 206.189.196.189 | 01/01/2021 | 01/01/2021 |
| 218.253.251.120 | 01/08/2021 | 01/09/2021 |
The details of several DeimosC2 samples observed in the wild, complete with platform, protocol, C&C server, and RSA public keys (useful for clustering behavior), can be found in this link.
This list was compiled with the help of two x64dbg scripts we developed, which assist with configuration extraction.
Meanwhile, the list of Trend Micro detections can be found here.