Description
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
Platforms
Sub-Techniques (4)
- T1090.001 Internal Proxy
- T1090.002 External Proxy
- T1090.003 Multi-hop Proxy
- T1090.004 Domain Fronting
Mitigations (3)
Filter Network Traffic (M1037)
Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.
Network Intrusion Prevention (M1031)
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versi
SSL/TLS Inspection (M1020)
If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.
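As an added defender-side example (not code from the ATT&CK page or from MITRE), the following Python triages constructed TLS-inspection records against the two checks the mitigations above describe: a destination on a C2/anonymity block list, and a TLS SNI that differs from the HTTP Host header, which is how domain fronting shows up in decrypted traffic. The record fields, addresses, names and block list are all constructed placeholders.

```python
import ipaddress

# Constructed sample records, shaped like what a TLS-inspecting proxy or NDR
# sensor logs per HTTPS connection. Addresses are RFC 5737 documentation ranges
# and the names are placeholders, not real indicators.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10",
     "sni": "cdn.example.net", "host": "cdn.example.net"},          # benign
    {"src": "10.0.0.7", "dst": "203.0.113.10",
     "sni": "cdn.example.net", "host": "hidden.example.org"},       # fronting pattern
    {"src": "10.0.0.9", "dst": "198.51.100.77",
     "sni": "update.example.com", "host": "update.example.com:443"},  # blocked range
]

# Constructed block list standing in for known anonymity-network / C2 ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def is_blocked_destination(dst: str) -> bool:
    """Filter Network Traffic (M1037): destination falls inside a blocked range."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in BLOCKED_NETWORKS)


def normalize_name(name: str) -> str:
    """Lower-case, drop any :port and a trailing dot so SNI and Host compare fairly."""
    return name.strip().lower().split(":")[0].rstrip(".")


def looks_like_domain_fronting(record: dict) -> bool:
    """SSL/TLS Inspection (M1020): TLS SNI and HTTP Host header disagree.

    Fronting shows an allowed name in the handshake and the real destination in
    Host. Shared CDNs also produce mismatches, so a hit is a lead, not a verdict.
    """
    sni, host = normalize_name(record.get("sni", "")), normalize_name(record.get("host", ""))
    return bool(sni and host) and sni != host


def triage(records: list) -> list:
    """Return (src, dst, reasons) for each record that trips at least one check."""
    findings = []
    for rec in records:
        reasons = []
        if is_blocked_destination(rec["dst"]):
            reasons.append("destination-on-blocklist")
        if looks_like_domain_fronting(rec):
            reasons.append("sni-host-mismatch")
        if reasons:
            findings.append((rec["src"], rec["dst"], reasons))
    return findings
```

Running both checks together matters because, as the Filter Network Traffic entry notes, a block list alone is bypassed by domain fronting; the SNI/Host comparison catches the case the list misses.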
Threat Groups (19)
| ID | Group | Context |
|---|---|---|
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used compromised devices and customized versions of open source tools such as [FRP](https:/... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034)'s BCS-server tool can create an internal proxy server to redirect traffic from the adversary-co... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have included local UPnP RPC proxies.(Citation: ESET Turla PowerShell May 2019) |
| G0052 | CopyKittens | [CopyKittens](https://attack.mitre.org/groups/G0052) has used the AirVPN service for operational activity.(Citation: Microsoft POLONIUM June 2022) |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used the GO Simple Tunnel (GOST) proxy tool.(Citation: JPCERT MirrorFace JUL 2024) |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has leveraged NordVPN for its egress points when targeting intended victims.(Citation: MSTIC DEV-0537 ... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used [FRP](https://attack.mitre.org/software/S1144), ssf, and Venom to establish SOCKS p... |
| G1021 | Cinnamon Tempest | [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) has used a customized version of the Iox port-forwarding and proxy tool.(Citation: Sygnia Em... |
| G1019 | MoustachedBouncer | [MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used a reverse proxy tool similar to the GitHub repository revsocks.(Citation: Moustach... |
| G0124 | Windigo | [Windigo](https://attack.mitre.org/groups/G0124) has delivered a generic Windows proxy Win32/Glubteta.M. [Windigo](https://attack.mitre.org/groups/G01... |
| G1005 | POLONIUM | [POLONIUM](https://attack.mitre.org/groups/G1005) has used the AirVPN service for operational activity.(Citation: Microsoft POLONIUM June 2022) |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections ... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has leveraged Astrill VPN for C2.(Citation: Recorded Future Contagious Inteview BeaverTa... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used NordVPN to proxy phishing emails, making them appear to originate from France.(Citation: ... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) adopted Cloudflare as a proxy for compromised servers.(Citation: TrendMicro EarthLusca 2022) |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has used proxy networks to hamper detection and has installed legitimate proxy tools on VMwa... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used Fast Reverse Proxy (FRP) for RDP traffic.(Citation: DFIR Phosphorus November 2021) |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used a tool called CLASSFON to covertly proxy network communications.(Citation: FireEye APT41 Aug 2019) |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used the Cloudflare Tunnel client to proxy C2 traffic.(Citation: ESET Gamaredon Sept2024) |
Associated Software (46)
| ID | Name | Type | Context |
|---|---|---|---|
| S1210 | Sagerunex | Malware | [Sagerunex](https://attack.mitre.org/software/S1210) uses several proxy configuration settings to ensure connectivity.(Citation: Cisco LotusBlossom 20... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) can implement use of proxies to pivot traffic.(Citation: Red Canary NETWIRE January 2020) |
| S1114 | ZIPLINE | Malware | [ZIPLINE](https://attack.mitre.org/software/S1114) can create a proxy server on compromised hosts.(Citation: Mandiant Cutting Edge January 2024)(Citat... |
| S1212 | RansomHub | Malware | [RansomHub](https://attack.mitre.org/software/S1212) can use a proxy to connect to remote SFTP servers.(Citation: Group-IB RansomHub FEB 2025) |
| S0669 | KOCTOPUS | Malware | [KOCTOPUS](https://attack.mitre.org/software/S0669) has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet.(Citati... |
| S0461 | SDBbot | Malware | [SDBbot](https://attack.mitre.org/software/S0461) has the ability to use port forwarding to establish a proxy between a target host and C2.(Citation: ... |
| S0615 | SombRAT | Malware | [SombRAT](https://attack.mitre.org/software/S0615) has the ability to use an embedded SOCKS proxy in C2 communications.(Citation: CISA AR21-126A FIVEH... |
| S0040 | HTRAN | Tool | [HTRAN](https://attack.mitre.org/software/S0040) can proxy TCP socket connections to obfuscate command and control infrastructure.(Citation: Operation... |
| S1144 | FRP | Tool | [FRP](https://attack.mitre.org/software/S1144) can proxy communications through a server in public IP space to local servers located behind a NAT or f... |
| S1229 | Havoc | Malware | [Havoc](https://attack.mitre.org/software/S1229) has the ability to route HTTP/S communications through designated proxies.(Citation: Havoc Framework ... |
| S0347 | AuditCred | Malware | [AuditCred](https://attack.mitre.org/software/S0347) can utilize proxy for communications.(Citation: TrendMicro Lazarus Nov 2018) |
| S0412 | ZxShell | Malware | [ZxShell](https://attack.mitre.org/software/S0412) can set up an HTTP or SOCKS proxy.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 20... |
| S0376 | HOPLIGHT | Malware | [HOPLIGHT](https://attack.mitre.org/software/S0376) has multiple proxy options that mask traffic between the malware and the remote operators.(Citatio... |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) has the capability to act as a reverse proxy.(Citation: Check Point Warzone Feb 2020) |
| S0508 | ngrok | Tool | [ngrok](https://attack.mitre.org/software/S0508) can be used to proxy connections to machines located behind NAT or firewalls.(Citation: MalwareBytes ... |
| S1121 | LITTLELAMB.WOOLTEA | Malware | [LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) has the ability to function as a SOCKS proxy.(Citation: Mandiant Cutting Edge Part 3 Feb... |
| S1189 | Neo-reGeorg | Malware | [Neo-reGeorg](https://attack.mitre.org/software/S1189) has the ability to establish a SOCKS5 proxy on a compromised web server.(Citation: GitHub Neo-r... |
| S0332 | Remcos | Tool | [Remcos](https://attack.mitre.org/software/S0332) uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.(Citation: Riskiq Remc... |
| S0245 | BADCALL | Malware | [BADCALL](https://attack.mitre.org/software/S0245) functions as a proxy server between the victim and C2 server.(Citation: US-CERT BADCALL) |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can use SOCKS4 and SOCKS5 proxies to connect to actor-controlled C2 servers. [BADHATCH](https://at... |
References
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.
Frequently Asked Questions
What is T1090 (Proxy)?
T1090 is a MITRE ATT&CK technique named 'Proxy'. It belongs to the Command and Control tactic(s). Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to the...
How can T1090 be detected?
Detection of T1090 (Proxy) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1090?
There are 3 documented mitigations for T1090. Key mitigations include: Filter Network Traffic, Network Intrusion Prevention, SSL/TLS Inspection.
Which threat groups use T1090?
Known threat groups using T1090 include: Volt Typhoon, Sandworm Team, Turla, CopyKittens, MirrorFace, LAPSUS$, Blue Mockingbird, Cinnamon Tempest.