Description
Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
For example, adversaries may construct or use onion routing networks – such as the publicly available Tor network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing) Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations.(Citation: ORB Mandiant)
In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., Network Devices). By leveraging Patch System Image on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the Network Boundary Bridging method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
Platforms
Mitigations (1)
Filter Network TrafficM1037
Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has configured multi-hop proxies via ProxyChains within victim environments.(Citation: CISA GRU291... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has routed traffic over [Tor](https://attack.mitre.org/software/S0183) and VPN servers to obfuscate the... |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) used chains of compromised routers to proxy C2 communications between them and cloud service provid... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used multi-hop proxies to disguise the source of their malicious traffic.(Citation: CISA AA21-2... |
| G0085 | FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has used [Tor](https://attack.mitre.org/software/S0183) to log in to victims' email accounts.(Citation: ... |
| G0016 | APT29 | A backdoor used by [APT29](https://attack.mitre.org/groups/G0016) created a [Tor](https://attack.mitre.org/software/S0183) hidden service to forward t... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has used TOR nodes for communications.(Citation: Palo Alto Unit 42 Medusa Group Medusa Ransomwar... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has used tools such as the publicly available HTran tool for proxying traffic in victim environ... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has utilized an ORB (operational relay box) network – consisting compromised devices such as small ... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used multi-hop proxies for command-and-control infrastructure.(Citation: CISA AA24-038A PRC ... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used [Tor](https://attack.mitre.org/software/S0183) for C2 traffic.(Citation: SymantecCar... |
Associated Software (22)
| ID | Name | Type | Context |
|---|---|---|---|
| S0276 | Keydnap | Malware | [Keydnap](https://attack.mitre.org/software/S0276) uses a copy of tor2web proxy for HTTPS communications.(Citation: synack 2016 review) |
| S0282 | MacSpy | Malware | [MacSpy](https://attack.mitre.org/software/S0282) uses [Tor](https://attack.mitre.org/software/S0183) for command and control.(Citation: objsee mac ma... |
| S0342 | GreyEnergy | Malware | [GreyEnergy](https://attack.mitre.org/software/S0342) has used [Tor](https://attack.mitre.org/software/S0183) relays for Command and Control servers.(... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has used [Tor](https://attack.mitre.org/software/S0183) for C2.(Citation: NJCCIC Ursnif Sept 2016)(C... |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438) has used [Tor](https://attack.mitre.org/software/S0183) for C2 communication.(Citation: ESET Attor Oc... |
| S1087 | AsyncRAT | Tool | [AsyncRAT](https://attack.mitre.org/software/S1087) can proxy C2 through a [Tor](https://attack.mitre.org/software/S0183) client.(Citation: ESET Mirro... |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) can use implants on multiple compromised machines to proxy communications through its worldwide P2... |
| S0623 | Siloscape | Malware | [Siloscape](https://attack.mitre.org/software/S0623) uses [Tor](https://attack.mitre.org/software/S0183) to communicate with C2.(Citation: Unit 42 Sil... |
| S9001 | SystemBC | Malware | [SystemBC](https://attack.mitre.org/software/S9001) has used multiple proxy layers, such as SOCKS5 and [Tor](https://attack.mitre.org/software/S0183),... |
| S1100 | Ninja | Malware | [Ninja](https://attack.mitre.org/software/S1100) has the ability to use a proxy chain with up to 255 hops when using TCP.(Citation: Kaspersky ToddyCat... |
| S0183 | Tor | Tool | Traffic traversing the [Tor](https://attack.mitre.org/software/S0183) network will be forwarded to multiple nodes before exiting the [Tor](https://att... |
| S1107 | NKAbuse | Malware | [NKAbuse](https://attack.mitre.org/software/S1107) has abused the NKN public blockchain protocol for its C2 communications.(Citation: NKAbuse BC)(Cita... |
| S1144 | FRP | Tool | The [FRP](https://attack.mitre.org/software/S1144) client can be configured to connect to the server through a proxy.(Citation: FRP GitHub) |
| S0281 | Dok | Malware | [Dok](https://attack.mitre.org/software/S0281) downloads and installs [Tor](https://attack.mitre.org/software/S0183) via homebrew.(Citation: objsee ma... |
| S0687 | Cyclops Blink | Malware | [Cyclops Blink](https://attack.mitre.org/software/S0687) has used [Tor](https://attack.mitre.org/software/S0183) nodes for C2 traffic.(Citation: NCSC ... |
| S1106 | NGLite | Malware | [NGLite](https://attack.mitre.org/software/S1106) has abused NKN infrastructure for its C2 communication.(Citation: NGLite Trojan) |
| S0491 | StrongPity | Malware | [StrongPity](https://attack.mitre.org/software/S0491) can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.(Citation:... |
| S0604 | Industroyer | Malware | [Industroyer](https://attack.mitre.org/software/S0604) used [Tor](https://attack.mitre.org/software/S0183) nodes for C2.(Citation: Dragos Crashoverrid... |
| S0366 | WannaCry | Malware | [WannaCry](https://attack.mitre.org/software/S0366) uses [Tor](https://attack.mitre.org/software/S0183) for command and control traffic.(Citation: Sec... |
| S0384 | Dridex | Malware | [Dridex](https://attack.mitre.org/software/S0384) can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.(Citation: Che... |
References
- Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
- Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.
- Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.
Frequently Asked Questions
What is T1090.003 (Multi-hop Proxy)?
T1090.003 is a MITRE ATT&CK technique named 'Multi-hop Proxy'. It belongs to the Command and Control tactic(s). Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their netw...
How can T1090.003 be detected?
Detection of T1090.003 (Multi-hop Proxy) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1090.003?
There are 1 documented mitigations for T1090.003. Key mitigations include: Filter Network Traffic.
Which threat groups use T1090.003?
Known threat groups using T1090.003 include: Ember Bear, APT28, Inception, Leviathan, FIN4, APT29, Medusa Group, Lotus Blossom.