Description
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.
For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as Asymmetric Cryptography.
Platforms
Mitigations (2)
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
SSL/TLS InspectionM1020
SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used TLS encrypted C2 communications including for campaigns using AsyncRAT.(Citation: Cisco Opera... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) has used a reverse SSH shell to securely communicate with victim devices.(Citation: Sygnia VelvetA... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used SSL to connect to C2 servers.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation:... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has used HTTPS for C2 communication.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has used HTTPS for command and control.(Citation: CISA Medusa Group Medusa Ransomware March 2025... |
| G1042 | RedEcho | [RedEcho](https://attack.mitre.org/groups/G1042) uses SSL for network communication.(Citation: RecordedFuture RedEcho 2021) |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) used the [PowerExchange](https://attack.mitre.org/software/S1173) utility and other tools to create tu... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used the Plink utility to create SSH tunnels.(Citation: Group IB Cobalt Aug 2017) |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has used tools such as [NICECURL](https://attack.mitre.org/software/S1192) with command and control com... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) used the Plink command-line utility to create SSH tunnels to C2 servers.(Citation: FireEye FIN6 April 20... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used the Plink utility to tunnel RDP back to C2 infrastructure.(Citation: FireEye Know Your Enemy FI... |
Associated Software (79)
| ID | Name | Type | Context |
|---|---|---|---|
| S0615 | SombRAT | Malware | [SombRAT](https://attack.mitre.org/software/S0615) can SSL encrypt C2 traffic.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHa... |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) has used a combination of a Diffie-Hellman key exchange mixed with a pre-shared key (PSK) to encry... |
| S0687 | Cyclops Blink | Malware | [Cyclops Blink](https://attack.mitre.org/software/S0687) can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are a... |
| S1219 | REPTILE | Malware | [REPTILE](https://attack.mitre.org/software/S1219) can use TLS over raw TCP for secure C2.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Man... |
| S1123 | PITSTOP | Malware | [PITSTOP](https://attack.mitre.org/software/S1123) has the ability to communicate over TLS.(Citation: Mandiant Cutting Edge Part 3 February 2024) |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455)'s C2 communication has been encrypted using OpenSSL.(Citation: Medium Metamorfo Apr 2020) |
| S0018 | Sykipot | Malware | [Sykipot](https://attack.mitre.org/software/S0018) uses SSL for encrypting C2 communications.(Citation: Blasco 2013) |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can use TLS in C2 communications.(Citation: Zscaler Bazar September 2020) |
| S0668 | TinyTurla | Malware | [TinyTurla](https://attack.mitre.org/software/S0668) has the ability to encrypt C2 traffic with SSL/TLS.(Citation: Talos TinyTurla September 2021) |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can send short C2 commands, up to 512 bytes, encrypted with RSA-4096.(Citation: ESET Turla Lunar t... |
| S0627 | SodaMaster | Malware | [SodaMaster](https://attack.mitre.org/software/S0627) can use a hardcoded RSA key to encrypt some of its C2 traffic.(Citation: Securelist APT10 March ... |
| S0126 | ComRAT | Malware | [ComRAT](https://attack.mitre.org/software/S0126) can use SSL/TLS encryption for its HTTP-based C2 channel. [ComRAT](https://attack.mitre.org/software... |
| S0496 | REvil | Malware | [REvil](https://attack.mitre.org/software/S0496) has encrypted C2 communications with the ECIES algorithm.(Citation: Kaspersky Sodin July 2019) |
| S0168 | Gazer | Malware | [Gazer](https://attack.mitre.org/software/S0168) uses custom encryption for C2 that uses RSA.(Citation: ESET Gazer Aug 2017)(Citation: Securelist Whit... |
| S0556 | Pay2Key | Malware | [Pay2Key](https://attack.mitre.org/software/S0556) has used RSA encrypted communications with C2.(Citation: Check Point Pay2Key November 2020) |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can use SSL in C2 communication.(Citation: IBM Grandoreiro April 2020) |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192)'s default encryption for its C2 communication channel is SSL, but it also has transport options for RS... |
| S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023) can use RSA-2048 in addition to symmetric algorithms in C2.(Citation: Trend Micro Earth Kasha NO... |
| S0382 | ServHelper | Malware | [ServHelper](https://attack.mitre.org/software/S0382) may set up a reverse SSH tunnel to give the attacker access to services running on the victim, s... |
| S0699 | Mythic | Tool | [Mythic](https://attack.mitre.org/software/S0699) supports SSL encrypted C2.(Citation: Mythc Documentation) |
References
- Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.
- Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
Frequently Asked Questions
What is T1573.002 (Asymmetric Cryptography)?
T1573.002 is a MITRE ATT&CK technique named 'Asymmetric Cryptography'. It belongs to the Command and Control tactic(s). Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric c...
How can T1573.002 be detected?
Detection of T1573.002 (Asymmetric Cryptography) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1573.002?
There are 2 documented mitigations for T1573.002. Key mitigations include: Network Intrusion Prevention, SSL/TLS Inspection.
Which threat groups use T1573.002?
Known threat groups using T1573.002 include: TA2541, Velvet Ant, Tropic Trooper, RedCurl, Medusa Group, RedEcho, OilRig, Cobalt Group.