Command and Control

T1090.002: External Proxy

T1090.002 · Sub-technique · 5 platforms · 11 groups

Description

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.

External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.
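The two paragraphs above describe the relay mechanically: the victim talks to a port redirector on the Internet, and the redirector opens its own connection to the real C2 and pumps bytes both ways, so the C2 address never appears on the victim side. The block below is an added example written for this page, not code from MITRE ATT&CK or from HTRAN, ZXProxy or ZXPortMap; the "fake C2" line protocol, host names and ports are constructed for the demo, and everything binds to 127.0.0.1 so it runs offline.

```python
"""Minimal TCP port redirector: the mechanism behind the HTRAN/ZXPortMap-style
relay described above. Added example, not code from MITRE ATT&CK or any tool on
this page; the fake C2 protocol and all addresses are constructed for the demo."""
import socket
import threading


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far end sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def _listener(host, port):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)
    return srv


def start_redirector(listen_host, listen_port, target_host, target_port):
    """The 'external proxy': relay every accepted connection to the real C2."""
    srv = _listener(listen_host, listen_port)

    def accept_loop():
        while True:
            try:
                victim_side, _ = srv.accept()
            except OSError:
                return  # listener closed
            # The C2 only ever sees this outbound socket, never the victim's.
            c2_side = socket.create_connection((target_host, target_port))
            for a, b in ((victim_side, c2_side), (c2_side, victim_side)):
                threading.Thread(target=_pump, args=(a, b), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_fake_c2(host="127.0.0.1"):
    """Constructed stand-in for the adversary's C2: records each connecting peer
    and answers every line with b'ACK:' + line. Returns (socket, port, peers)."""
    srv = _listener(host, 0)
    seen_peers = []

    def handle(conn):
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    conn.sendall(b"ACK:" + line + b"\n")

    def accept_loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            seen_peers.append(peer)  # recorded before any reply can be sent
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1], seen_peers


def run_demo():
    """Victim -> redirector -> C2 round trip; returns reply and both addresses."""
    c2_srv, c2_port, seen = start_fake_c2()
    proxy_srv, proxy_port = start_redirector("127.0.0.1", 0, "127.0.0.1", c2_port)
    try:
        with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as victim:
            victim_addr = victim.getsockname()
            victim.sendall(b"beacon host=WS01\n")
            reply = b""
            while not reply.endswith(b"\n"):
                chunk = victim.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return {"reply": reply, "victim_addr": victim_addr, "c2_saw": seen[0]}
    finally:
        proxy_srv.close()
        c2_srv.close()
```

Calling `run_demo()` returns the victim's reply together with the victim's own socket address and the peer address the C2 recorded; the two addresses differ, because the only connection the C2 ever accepts is the redirector's outbound socket. That is the whole point of the technique from the defender's side: the victim's logs contain the proxy's address, and the C2's logs contain the proxy's address, and neither side sees the other.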

Platforms

ESXi, Linux, macOS, Network Devices, Windows

Mitigations (1)

M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions.

Threat Groups (11)

| ID | Group | Context |
| --- | --- | --- |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used various tools to proxy C2 communications.(Citation: BitDefender Chafer May 2020) |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) used other victims as proxies to relay command traffic, for instance using a compromised Georgian milit... |
| G0053 | FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) maintains access to victim environments by using [FLIPSIDE](https://attack.mitre.org/software/S0173) to ... |
| G0131 | Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has routed their traffic through an external server in order to obfuscate their location.(Citation... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used multiple proxies to obfuscate network traffic from victims.(Citation: US-CERT FALLCHIL... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used a global service provider's IP as a proxy for C2 traffic from a victim.(Citation: FireEye A... |
| G0022 | APT3 | An [APT3](https://attack.mitre.org/groups/G0022) downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap) |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backcon... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used a modified version of [HTRAN](https://attack.mitre.org/software/S0040) to redirect connections b... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) uses compromised residential endpoints as proxies for defense evasion and network access.(Citation: NCS... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has controlled [POWERSTATS](https://attack.mitre.org/software/S0223) from behind a proxy network t... |

Associated Software (11)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S1084 | QUIETEXIT | Malware | [QUIETEXIT](https://attack.mitre.org/software/S1084) can proxy traffic via SOCKS.(Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| S0444 | ShimRat | Malware | [ShimRat](https://attack.mitre.org/software/S0444) can use pre-configured HTTP proxies.(Citation: FOX-IT May 2016 Mofang) |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) has a module that can proxy C2 communications.(Citation: Kaspersky QakBot September 2021) |
| S0699 | Mythic | Tool | [Mythic](https://attack.mitre.org/software/S0699) can leverage a modified SOCKS5 proxy to tunnel egress C2 traffic.(Citation: Mythc Documentation) |
| S0141 | Winnti for Windows | Malware | The [Winnti for Windows](https://attack.mitre.org/software/S0141) HTTP/S C2 mode can make use of an external proxy.(Citation: Novetta Winnti April 201... |
| S0019 | Regin | Malware | [Regin](https://attack.mitre.org/software/S0019) leveraged several compromised universities as proxies to obscure its origin.(Citation: Kaspersky Regi... |
| S0223 | POWERSTATS | Malware | [POWERSTATS](https://attack.mitre.org/software/S0223) has connected to C2 servers through proxies.(Citation: FireEye MuddyWater Mar 2018) |
| S0439 | Okrum | Malware | [Okrum](https://attack.mitre.org/software/S0439) can identify proxy servers configured and used by the victim, and use it to make HTTP requests to C2 ... |
| S9003 | evilginx2 | Tool | [evilginx2](https://attack.mitre.org/software/S9003) can route traffic via SOCKS5 and HTTP(S) proxies between an intended phishing victim's machine an... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) has been known to reach a command and control server via one of nine proxy IP addresses. (Citation... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can identify proxy servers used by the victim and use them for C2 communication.(Cita... |

Frequently Asked Questions

What is T1090.002 (External Proxy)?

T1090.002 is a MITRE ATT&CK sub-technique of T1090 (Proxy) named 'External Proxy', under the Command and Control tactic. Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure; the full text is in the Description section above.

How can T1090.002 be detected?

Detection of T1090.002 (External Proxy) relies mainly on network telemetry (ATT&CK's Network Traffic data source: connection creation, flow and content). Because the victim only ever talks to the proxy, the real C2 address never appears in the victim's logs, so destination reputation on its own is a weak signal. Look instead at behaviour, following the ATT&CK detection guidance for T1090: analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server; processes using the network that do not normally communicate or have never been seen before; and traffic that does not follow the expected protocol behaviour for the port in use. Correlate flow records (Zeek conn.log, NetFlow, firewall logs) with EDR process-to-socket telemetry so a regular, upload-heavy connection to one external address can be tied back to the process that opened it.
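The answer above turns on two flow-level signals rather than on who the destination is: regular inter-arrival times to one external IP:port, and more bytes sent than received. The block below implements that check over constructed flow records. It is an added example written for this page, not detection content from MITRE ATT&CK or any vendor; the sample flows (a simplified Zeek conn.log column layout), the RFC 1918 definition of "internal", and the thresholds are all assumptions for the demo, not tuned values.

```python
"""Flow-level hunt for external-proxy C2 relays. Added example, not from MITRE
ATT&CK or any vendor; sample flows and thresholds are constructed for the demo.

The proxy hides the real C2 address, so the check keys on flow behaviour rather
than destination reputation: one client repeatedly contacting one external
IP:port at regular intervals and sending more bytes than it receives."""
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample. Columns: ts(s) src dst dport orig_bytes resp_bytes.
# 10.0.0.5 beacons to 203.0.113.10:443 about every 60 s (the relay), browses
# 198.51.100.7 irregularly (download-heavy) and talks SMB to an internal host.
SAMPLE_FLOWS = """\
0     10.0.0.5  203.0.113.10  443  1500    200
10    10.0.0.5  198.51.100.7  443   600  48000
15    10.0.0.5  198.51.100.7  443   700  91000
30    10.0.0.5  10.0.0.2      445  9000   9200
61    10.0.0.5  203.0.113.10  443  1500    200
119   10.0.0.5  203.0.113.10  443  1480    210
181   10.0.0.5  203.0.113.10  443  1500    200
240   10.0.0.5  203.0.113.10  443  1520    200
301   10.0.0.5  203.0.113.10  443  1500    190
359   10.0.0.5  203.0.113.10  443  1500    200
400   10.0.0.5  198.51.100.7  443   550  35000
420   10.0.0.5  203.0.113.10  443  1500    200
900   10.0.0.5  198.51.100.7  443   580  51000
2000  10.0.0.5  198.51.100.7  443   620  42000
"""

# Demo assumption: "external" means outside RFC 1918 space. A real deployment
# would also subtract the organisation's own prefixes and known SaaS/CDN ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Parse the whitespace-separated sample format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, ob, rb = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                      "orig_bytes": int(ob), "resp_bytes": int(rb)})
    return flows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_external_proxy_beacons(flows, min_count=5, max_jitter=0.2,
                                  min_upload_ratio=2.0):
    """One finding per (src, dst, dport) to an external address that has at least
    min_count flows, inter-arrival jitter (pstdev/mean) <= max_jitter and
    bytes sent / bytes received >= min_upload_ratio."""
    groups = defaultdict(list)
    for f in flows:
        if is_external(f["dst"]):
            groups[(f["src"], f["dst"], f["dport"])].append(f)

    findings = []
    for (src, dst, dport), fs in groups.items():
        if len(fs) < min_count:
            continue
        fs.sort(key=lambda f: f["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(fs, fs[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        sent = sum(f["orig_bytes"] for f in fs)
        received = sum(f["resp_bytes"] for f in fs)
        ratio = sent / received if received else float("inf")
        if jitter <= max_jitter and ratio >= min_upload_ratio:
            findings.append({"src": src, "dst": dst, "dport": dport, "count": len(fs),
                             "mean_interval_s": mean_gap, "jitter": jitter,
                             "upload_ratio": ratio})
    return findings
```

On the sample, `detect_external_proxy_beacons(parse_flows(SAMPLE_FLOWS))` returns a single finding for 203.0.113.10:443 (eight flows, roughly 60 s apart, 7.5 times more bytes sent than received); the 198.51.100.7 flows are evaluated but rejected on both jitter and byte ratio, and the SMB flow is skipped as internal. The finding only says "this looks like a relay endpoint", not where the traffic ultimately goes; the next step is pivoting on the same external address across other hosts and on the process that opened the connection.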

What mitigations exist for T1090.002?

There is one documented mitigation for T1090.002: Network Intrusion Prevention (M1031), which relies on network signatures for the specific C2 protocol or tool in use and therefore has to be maintained as malware families and versions change.

Which threat groups use T1090.002?

The 11 threat groups listed above as using T1090.002 are APT39, APT28, FIN5, Tonto Team, Lazarus Group, menuPass, APT3, Silence, GALLIUM, APT29 and MuddyWater.