Few topics in current cybersecurity generate as much press as command and control servers (C2 servers). They enable the cybercrime that often affects companies and individuals far outside the IT industry.
As we bring machines and networks into the most intimate corners of our lives and every facet of the business, we also bring their associated threats. For example, those devices can be transformed into an army that serves others’ malicious purposes. We may have paid for the devices, but attackers often use them, without our knowledge or consent.
For that reason, learning the fundamentals and a few details about C2s benefits nearly everyone.
What Is a C2 Server?
C2 servers are the brains of the malware operation. Currently, most malware does not utilize AI – though some are already planning for that eventuality. That means most malware requires someone or something to issue commands and receive stolen data. C2s do this. They serve as attackers’ remote controls.
Whether it’s directing a botnet or transmitting stolen output to the end-user, a C2 enables communication between the attacker and the target. The target could be one device, hundreds within one system, or hundreds of thousands.
Because of this, establishing and maintaining a C2 connection is an essential step for threat actors. Without it, they’d only be able to do half their dirty job. Attackers need to execute commands to control the outcome.
Four main types of C2s are used today: a centralized server under their physical control by the attacker, bulletproof hosting, social networks, and cloud services.
Within each of these environments, C2s usually control botnets.
What’s a Botnet?
You’ve probably heard of a “botnet.” The term comes from the words “robot” and “network.” A botnet is a network of malware-infected, autonomous devices (computers, IoT devices, or smartphones) that threat actors connect through the Internet, and then use to do their bidding.
Some botnets are quite sophisticated; all vary in size and complexity.
You’ve probably heard about botnets because of their adaptability. It makes them handy tools for ransomware, rootkits, and other malware. Consequently, botnet attacks have steadily increased. Now they’re perhaps the most prevalent cybersecurity threat.
Botnets come in different forms or topologies:
• star, a centralized system with one C2 that connects to each bot in its network;
• multiserver, which for redundancy uses multiple C2s;
• hierarchical wherein multiple C2s are arranged into a tiered system that allows for bots doing different, coordinated tasks, as well as more difficult detection of its entire system;
• and random, which is often P2P/peer-to-peer, dynamic and communicates across multiple paths, making the cybersecurity team’s job much harder.
That means that C2 botnet attacks are highly resilient. And all that aforementioned variety lends itself to a variety of malicious activity – denial of service attacks, spamming, identity and data theft, brute force attacks, and traffic monitoring.
Just as we call the devices in a botnet “bots” (or “zombies”), you can call the attacker who controls them a “bot herder” or “botmaster”. As if individual bot herders didn’t pose enough threat, many are also effectively bot brokers. They rent botnets to other cybercriminals so they can gain control of compromised machines.
Shutting down these operations can be difficult, but each success brings great gains to the entire Internet community.
How to Manage Threats from C2 Servers?
Knowing C2s addresses can help protect against malicious activities and coordinated attacks. With that information, companies can block access, create alerts on their systems or investigate communications between C2s and samples.
These days, the average age of a C2 is about a month. So it’s best to stay on top of monitoring. Malware Patrol has a data feed that’s updated hourly. Using this kind of feed will keep potential targets informed and benefit their defenses.
The C2 servers may be ubiquitous, but they’re not invincible.
How Malware Patrol Can Help?
Malware Patrol offers a wide variety of C2 threat intelligence feeds for use within organizations of all sizes and industries. We verify our feeds constantly – every hour in most cases – to ensure they contain only actionable indicators that protect our customers against malware infections and data breaches.
For ease of use, we format the feeds for compatibility with the most popular security tools and platforms. To learn more or to request a free evaluation, you can contact us and our cybersecurity experts will get in touch with you.
By Tenea D. Johnson
Founder, Progress By Design