Description
Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
Mitigations (1)
M1031 Network Intrusion Prevention
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions.
Threat Groups (5)
| ID | Group | Context |
|---|---|---|
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used the Steam community page as a fallback mechanism for C2.(Citation: FireEye APT41 Aug 2019) |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the ... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046)'s Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.(Citation: Crowdstrike GTR... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has employed layers of redundancy to maintain access to compromised environments including network de... |
Associated Software (49)
| ID | Name | Type | Context |
|---|---|---|---|
| S0044 | JHUHUGIT | Malware | [JHUHUGIT](https://attack.mitre.org/software/S0044) tests if it can reach its C2 server by first attempting a direct connection, and if it fails, obta... |
| S0211 | Linfo | Malware | [Linfo](https://attack.mitre.org/software/S0211) creates a backdoor through which remote attackers can change C2 servers.(Citation: Symantec Linfo May... |
| S0023 | CHOPSTICK | Malware | [CHOPSTICK](https://attack.mitre.org/software/S0023) can switch to a new C2 channel if the current one is broken.(Citation: ESET Sednit Part 2) |
| S0376 | HOPLIGHT | Malware | [HOPLIGHT](https://attack.mitre.org/software/S0376) has multiple C2 channels in place in case one fails.(Citation: US-CERT HOPLIGHT Apr 2019) |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) has been configured with several servers available for alternate C2 communications.(Citation: ES... |
| S0058 | SslMM | Malware | [SslMM](https://attack.mitre.org/software/S0058) has a hard-coded primary and backup C2 string.(Citation: Baumgartner Naikon 2015) |
| S0377 | Ebury | Malware | [Ebury](https://attack.mitre.org/software/S0377) has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the i... |
| S0017 | BISCUIT | Malware | [BISCUIT](https://attack.mitre.org/software/S0017) malware contains a secondary fallback command and control server that is contacted after the primar... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) can use secondary C2 servers for communication after establishing connectivity and relaying victim... |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) can communicate over multiple C2 hosts.(Citation: Unit 42 Valak July 2020) |
| S0085 | S-Type | Malware | [S-Type](https://attack.mitre.org/software/S0085) primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails.(C... |
| S0512 | FatDuke | Malware | [FatDuke](https://attack.mitre.org/software/S0512) has used several C2 servers per targeted organization.(Citation: ESET Dukes October 2019) |
| S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023) can use active and passive C2 modes that use different encryption algorithms and backdoor comman... |
| S1084 | QUIETEXIT | Malware | [QUIETEXIT](https://attack.mitre.org/software/S1084) can attempt to connect to a second hard-coded C2 if the first hard-coded C2 address fails.(Citati... |
| S1019 | Shark | Malware | [Shark](https://attack.mitre.org/software/S1019) can update its configuration to use a different C2 server.(Citation: ClearSky Siamesekitten August 20... |
| S0051 | MiniDuke | Malware | [MiniDuke](https://attack.mitre.org/software/S0051) uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working.(Cit... |
| S0059 | WinMM | Malware | [WinMM](https://attack.mitre.org/software/S0059) is usually configured with primary and backup domains for C2 communications.(Citation: Baumgartner Na... |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) can use backup C2 servers if the primary server fails.(Citation: Proofpoint Bumblebee April 2022) |
| S0401 | Exaramel for Linux | Malware | [Exaramel for Linux](https://attack.mitre.org/software/S0401) can attempt to find a new C2 server if it receives an error.(Citation: ANSSI Sandworm Ja... |
| S0629 | RainyDay | Malware | [RainyDay](https://attack.mitre.org/software/S0629) has the ability to switch between TCP and HTTP for C2 if one method is not working.(Citation: Bitd... |
Frequently Asked Questions
What is T1008 (Fallback Channels)?
T1008 is a MITRE ATT&CK technique named 'Fallback Channels'. It belongs to the Command and Control tactic. Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
How can T1008 be detected?
Detection of T1008 (Fallback Channels) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
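The behavioral analytics mentioned above can be approximated with a correlation rule over connection logs: a host that repeatedly fails to reach one destination and then succeeds against a different destination, port or protocol within a short window shows the pattern the software entries on this page describe (S-Type moving from port 80 to 443 or 8080, Harpy moving from HTTP to DNS). The Python below is an added example written for this page, not ATT&CK or vendor code; the flow records, hosts, field layout and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (timestamp src dst port proto outcome); not from the page.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00 10.0.0.5 203.0.113.10 80 tcp fail",
    "2024-05-01T10:00:30 10.0.0.5 203.0.113.10 80 tcp fail",
    "2024-05-01T10:01:00 10.0.0.5 203.0.113.10 80 tcp fail",
    "2024-05-01T10:01:20 10.0.0.5 203.0.113.10 8080 tcp ok",  # same host, alternate port
    "2024-05-01T10:02:00 10.0.0.7 198.51.100.4 443 tcp fail",
    "2024-05-01T10:02:10 10.0.0.7 198.51.100.4 443 tcp fail",
    "2024-05-01T10:02:30 10.0.0.7 198.51.100.4 443 tcp fail",
    "2024-05-01T10:03:00 10.0.0.7 198.51.100.9 53 udp ok",    # new host over DNS
    "2024-05-01T10:04:00 10.0.0.9 192.0.2.8 443 tcp fail",
    "2024-05-01T10:04:30 10.0.0.9 192.0.2.8 443 tcp ok",      # plain retry, not a fallback
    "2024-05-01T11:00:00 10.0.0.5 203.0.113.10 8080 tcp ok",  # long after the failures
]

def parse_flow(line):
    ts, src, dst, port, proto, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "channel": (dst, int(port), proto), "ok": outcome == "ok"}

def find_fallbacks(lines, min_failures=3, window=timedelta(minutes=5)):
    """Alert when a host succeeds against one channel shortly after at least
    min_failures failed attempts against a different channel."""
    by_src = defaultdict(list)
    for flow in map(parse_flow, lines):
        by_src[flow["src"]].append(flow)
    alerts = []
    for src, flows in by_src.items():
        flows.sort(key=lambda f: f["ts"])
        failures = defaultdict(list)  # channel -> timestamps of failed attempts
        for flow in flows:
            if not flow["ok"]:
                failures[flow["channel"]].append(flow["ts"])
                continue
            for primary, times in failures.items():
                if primary == flow["channel"]:
                    continue  # a retry that finally worked is not a channel switch
                recent = [t for t in times if flow["ts"] - t <= window]
                if len(recent) >= min_failures:
                    alerts.append({"src": src, "primary": primary,
                                   "fallback": flow["channel"], "at": flow["ts"]})
                    times.clear()  # one alert per burst of failures
                    break
    return alerts
```

Calling find_fallbacks(SAMPLE_FLOWS) yields two alerts, one for the port switch by 10.0.0.5 and one for the host and protocol switch by 10.0.0.7; the plain retry by 10.0.0.9 and the much later 8080 connection are not flagged.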
What mitigations exist for T1008?
There is 1 documented mitigation for T1008: Network Intrusion Prevention.
Which threat groups use T1008?
Known threat groups using T1008 include: OilRig, APT41, Lazarus Group, FIN7, UNC3886.