Procedure examples of command and control over non-standard ports and port-protocol mismatches, one per tool or group:

- ZxShell can use ports 19 in HTTP/S communication.
- WIRTE has used HTTPS over ports 20 for C2.
- WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.
- TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.
- Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443. Some TrickBot samples have used HTTP over ports 4 for C2.
- TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.
- SUGARUSH has used port 4585 for a TCP connection to its C2.
- StrongPity has used HTTPS over port 1402 in C2 communication.
- Silence has used port 444 when sending data about the system from the client to the server.
- Sandworm Team has used port 6789 to accept connections on the group's SSH server.
- Rocke's miner connects to a C2 server using port 51640.
- RedLeaves can use HTTP over non-standard ports, such as 995, for C2.
- QuasarRAT can use port 4782 on the compromised host for TCP callbacks.
- PoetRAT used TLS to encrypt communications over port 143.
- PingPull can use HTTPS over port 8080 for C2.
- During Operation Wocao, the threat actors used uncommon high ports for its backdoor C2, including ports 2560.
- NjRAT has used port 1177 for HTTP C2 communications.
- MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.
- Metamorfo has communicated with hosts over raw TCP on port 9999.
- Magic Hound malware has communicated with its C2 server over TCP ports 441 using HTTP.
- MacMa has used TCP port 5633 for C2 communication.
- Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.
- HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.
- HARDRAIN binds and listens on port 443 with a FakeTLS method.
- GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.
- GoldenSpy has used HTTP over ports 90 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.
- FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.
- Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.
- Derusbi has used unencrypted HTTP on port 443 for C2.
- DarkVishnya used ports 51 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.
- Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.
- During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.
- BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.
- Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.
- BADCALL communicates on ports 4 with a FakeTLS method.
- APT33 has used HTTP over TCP ports 808 and 880 for command and control.
- An APT32 backdoor can use HTTP over a non-standard TCP port (e.g. 14146) which is specified in the backdoor configuration.
- APT-C-36 has used port 4050 for C2 communications.
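The common thread in the examples above is that the transport port no longer predicts the application protocol: HTTP on 443 (Derusbi, TrickBot), an unrecognised custom protocol on 443 (BendyBear), TLS or HTTP on high ports (GravityRAT, StrongPity), or SSH and RDP on arbitrary ports (Sandworm Team, C0018). The Python script below is an added example, not code from this page or from any of the tools or groups it lists. It scans Zeek-style conn.log rows, where Zeek's `service` column holds the protocol it actually identified on the wire, and flags three cases: a known protocol on a port that normally carries a different one, no recognisable protocol on a port that should carry TLS while bytes were still sent, and HTTP/TLS/SSH/RDP on a port outside the expected table. The expected-service table, the sample rows and the connection ids `C1` to `C6` are constructed for the example and would be tuned to a real environment.

```python
"""Flag port-protocol mismatches in Zeek-style conn.log records (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Zeek service label normally expected on each well-known server port.
# This table is an assumption of the example, not a Zeek default; extend it
# with the ports and services that are legitimate in your own estate.
EXPECTED_SERVICE = {
    22: "ssh", 25: "smtp", 53: "dns", 80: "http", 143: "imap",
    443: "ssl", 993: "ssl", 995: "ssl", 3389: "rdp", 8080: "http", 8443: "ssl",
}

# Protocols whose appearance on any port outside the table is worth a look.
WATCHED_SERVICES = {"http", "ssl", "ssh", "rdp"}


@dataclass
class Conn:
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    service: str      # protocol Zeek identified from the payload, "-" if none
    orig_bytes: int   # payload bytes sent by the originator


def parse_conn(line: str) -> Optional[Conn]:
    """Parse one tab-separated row with the columns:
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service orig_bytes.
    Header/comment lines (starting with '#') and short rows are skipped."""
    if not line or line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 9:
        return None
    return Conn(uid=f[1], orig_h=f[2], orig_p=int(f[3]), resp_h=f[4],
                resp_p=int(f[5]), proto=f[6], service=f[7],
                orig_bytes=0 if f[8] == "-" else int(f[8]))


def classify(c: Conn) -> Optional[str]:
    """Return a reason string if the connection looks like a port-protocol
    mismatch or a watched service on a non-standard port, else None."""
    expected = EXPECTED_SERVICE.get(c.resp_p)
    if expected is not None:
        if c.service == expected:
            return None
        if c.service == "-":
            # Zeek saw payload but recognised no protocol: custom or FakeTLS
            # style traffic on a port that should carry a known one.
            if c.orig_bytes > 0:
                return f"unrecognised protocol on port {c.resp_p} (expected {expected})"
            return None  # empty connection, nothing to judge
        return f"port-protocol mismatch: {c.service} on port {c.resp_p} (expected {expected})"
    if c.service in WATCHED_SERVICES:
        return f"{c.service} on non-standard port {c.resp_p}"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run classify() over every parsable row; return (uid, reason) pairs."""
    findings = []
    for line in lines:
        c = parse_conn(line)
        if c is None:
            continue
        reason = classify(c)
        if reason:
            findings.append((c.uid, reason))
    return findings


# Constructed sample log: a normal TLS session, plain HTTP on 443, HTTP on a
# high port, SSH on 6789, an unidentified protocol on 443, and normal DNS.
SAMPLE_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes
1700000000.1\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl\t1200
1700000001.2\tC2\t10.0.0.5\t51001\t203.0.113.11\t443\ttcp\thttp\t640
1700000002.3\tC3\t10.0.0.7\t51002\t203.0.113.12\t46769\ttcp\thttp\t512
1700000003.4\tC4\t10.0.0.8\t51003\t203.0.113.13\t6789\ttcp\tssh\t2048
1700000004.5\tC5\t10.0.0.9\t51004\t203.0.113.14\t443\ttcp\t-\t900
1700000005.6\tC6\t10.0.0.9\t51005\t198.51.100.1\t53\tudp\tdns\t60
"""

if __name__ == "__main__":
    for uid, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{uid}: {reason}")
```

Pipe a real conn.log into `scan()` one row at a time; the empty-connection branch matters because scanners and failed SYNs produce rows with no payload that would otherwise drown the mismatch alerts.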