Command and Control

T1104: Multi-Stage Channels


T1104 · Technique · 4 platforms · 4 groups

Description

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.

Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.

The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.
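As an added defender-side illustration (not part of the ATT&CK page), the following Python heuristic looks in connection logs for the hand-off described above: a sizeable download from one destination followed shortly by a different process contacting infrastructure the host has never talked to before. The flow records, process names and RFC 5737 addresses are constructed sample data, and the window and size thresholds are assumptions to be tuned per environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Flow:
    host: str
    ts: datetime
    process: str
    dest: str
    bytes_in: int  # bytes received by the host on this connection

def find_stage_transitions(flows, window=timedelta(minutes=10), min_download=200_000):
    """Return sorted (host, stage1_dest, stage2_dest, process) tuples where a sizeable
    download from one destination is followed within `window` by a different process
    contacting a destination this host had never contacted before (separate infra)."""
    by_host = {}
    for f in sorted(flows, key=lambda f: f.ts):
        by_host.setdefault(f.host, []).append(f)
    hits = set()
    for host, hflows in by_host.items():
        first_contact = {}  # dest -> first time this host reached it
        for f in hflows:
            first_contact.setdefault(f.dest, f.ts)
        for i, stage1 in enumerate(hflows):
            if stage1.bytes_in < min_download:
                continue  # not a plausible payload retrieval
            for cand in hflows[i + 1:]:
                if cand.ts - stage1.ts > window:
                    break
                new_dest = first_contact[cand.dest] > stage1.ts
                if cand.dest != stage1.dest and cand.process != stage1.process and new_dest:
                    hits.add((host, stage1.dest, cand.dest, cand.process))
    return sorted(hits)

T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_FLOWS = [  # constructed telemetry, not real traffic
    Flow("ws01", T0, "outlook.exe", "mail.corp.example", 4_000),
    Flow("ws01", T0 + timedelta(minutes=1), "updater.exe", "198.51.100.10", 512_000),  # stage-1 pull
    Flow("ws01", T0 + timedelta(minutes=4), "svchost.exe", "203.0.113.7", 1_200),     # new process, new host
    Flow("ws01", T0 + timedelta(minutes=9), "svchost.exe", "203.0.113.7", 1_100),
    Flow("ws02", T0, "chrome.exe", "cdn.example.org", 900_000),  # big download, same dest afterwards
    Flow("ws02", T0 + timedelta(minutes=2), "chrome.exe", "cdn.example.org", 5_000),
    Flow("ws03", T0, "teams.exe", "teams.example.net", 3_000),   # new destinations, no prior download
    Flow("ws03", T0 + timedelta(minutes=3), "teams.exe", "cdn.example.net", 2_000),
]

if __name__ == "__main__":
    for hit in find_stage_transitions(SAMPLE_FLOWS):
        print("possible stage hand-off:", hit)
```

Only ws01 is flagged; ws02 keeps talking to the same destination and ws03 reaches new hosts without a preceding download, which is the benign pattern this rule is designed to ignore.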

Platforms

Linux, macOS, Windows, ESXi

Mitigations (1)

M1031: Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Threat Groups (4)

| ID | Group | Context |
| --- | --- | --- |
| G0022 | APT3 | An [APT3](https://attack.mitre.org/groups/G0022) downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the s... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used multi-stage malware components that inject later stages into separate processes.(Citat... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send dat... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.(Citation: FireEye APT41 Ma... |

Associated Software (10)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can use one C2 URL for first contact and to upload information about the host computer and two add... |
| S0069 | BLACKCOFFEE | Malware | [BLACKCOFFEE](https://attack.mitre.org/software/S0069) uses Microsoft's TechNet Web portal to obtain an encoded tag containing the IP address of a com... |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) can download additional modules and malware capable of using separate C2 channels.(Citation: Unit 42 ... |
| S1206 | JumbledPath | Malware | [JumbledPath](https://attack.mitre.org/software/S1206) can communicate over a unique series of connections to send and retrieve data from exploited de... |
| S0534 | Bazar | Malware | The [Bazar](https://attack.mitre.org/software/S0534) loader is used to download and execute the [Bazar](https://attack.mitre.org/software/S0534) backd... |
| S1086 | Snip3 | Malware | [Snip3](https://attack.mitre.org/software/S1086) can download and execute additional payloads and modules over separate communication channels.(Citati... |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier t... |
| S0022 | Uroburos | Malware | Individual [Uroburos](https://attack.mitre.org/software/S0022) implants can use multiple communication channels based on one of four available modes o... |
| S0031 | BACKSPACE | Malware | [BACKSPACE](https://attack.mitre.org/software/S0031) attempts to avoid detection by checking a first stage command and control server to determine if ... |
| S0220 | Chaos | Malware | After initial compromise, [Chaos](https://attack.mitre.org/software/S0220) will download a second stage to establish a more permanent presence on the ... |

Frequently Asked Questions

What is T1104 (Multi-Stage Channels)?

T1104 is a MITRE ATT&CK technique named 'Multi-Stage Channels'. It belongs to the Command and Control tactic. Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.

How can T1104 be detected?

Detection of T1104 (Multi-Stage Channels) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1104?

There is 1 documented mitigation for T1104: Network Intrusion Prevention (M1031).

Which threat groups use T1104?

Known threat groups using T1104 include: APT3, Lazarus Group, MuddyWater, APT41.