lohakt.blogg.se

Open proxie








RainyDay can use proxy tools including boost_proxy_client for reverse proxy functionality. QuasarRAT can communicate over a reverse proxy using SOCKS5. PoshC2 contains modules that allow for use of proxies in command and control. PLEAD has the ability to proxy network communications.


Operation Wocao has used a custom proxy tool called "Agent" which has support for multiple hops. Ngrok can be used to proxy connections to machines located behind NAT or firewalls. NETWIRE can implement use of proxies to pivot traffic. Netsh can be used to set up a proxy tunnel to allow remote host access to an infected host. KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet. Kessel can use a proxy during exfiltration if set in the configuration. HTRAN can proxy TCP socket connections to obfuscate command and control infrastructure.


HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators. HARDRAIN uses the command cmd.exe /c netsh firewall add portopening TCP 443 "adp" and makes the victim machine function as a proxy server. Green Lambert can use proxies for C2 traffic. Fox Kitten has used open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers. Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Blue Mockingbird has used frp, ssf, and Venom to establish SOCKS proxy connections. Bisonal has supported use of a proxy server. BADCALL functions as a proxy server between the victim and C2 server. AuditCred can utilize a proxy for communications. Aria-body has the ability to use a reverse SOCKS proxy module. APT41 used a tool called CLASSFON to covertly proxy network communications.








