Developing Implants for Chinese Targets
Implant Communication
Typical communications for C2s will be over commonly used ports such as HTTPS, ICMP, or DNS. We can use these common protocols to come up with interesting methods of communication. Another option is to use public platforms and communicate through them. We can use steganography for communication through images, dead drops with something like Pastebin, or encoded YouTube comments. With mainland China targets, we run into many more roadblocks.
We can research common messaging apps and communicate through that channel, but we then run into the issue of account creation. Unless we steal an account, we will need to register an account with a phone number or find some other way to register. In trying to develop an implant for a Chinese PC, I looked at some common messaging platforms such as WeChat and QQ. It seems that setting up bot communication on WeChat would be very difficult due to its crackdown on bot accounts and API limitations. QQ, on the other hand, is making it difficult to create an account without installing their app on my phone or without a Chinese phone number. In order to use NapCatQQ to build a bot, I will need to obtain an account number. So unless I can get a Chinese phone number or some other way to get an account, this is sort of a dead end. It looks like China has had real-name registration laws since 2017, meaning it’s not a platform choice, it’s a government mandate. Thus, these are likely not very common channels for C2 frameworks unless the attacker is stealing accounts and/or phone numbers, something that is out of scope for my research. Perhaps some accounts are for sale somewhere.
Because of the Golden Shield Project, also called the Great Firewall of China, using Western apps wouldn’t work too well. Most platforms are blocked and not allowed in China without a VPN, something that wouldn’t be ideal in this situation. Some Microsoft services are made available in China; however, these too seem too unreliable for communication.
A tool I found that can help us search for ‘reliable’ domains and services available in China is the following site: https://en.greatfire.org/analyzer. It would appear that the Great Firewall is not an allow list; it’s an extensive block list. One idea that comes to mind with this is rolling domain names. However, the issues with this are attribution and the fact that URLs with random strings would stick out on a packet sniffer.
Looking at different services
I want to try to get a cloud hosting platform or something else. For this, we need an email. I’ll first try to get a Chinese email. Trying to create an account on 163.com has an issue with me being in the US. I’ll get a month of ProtonVPN and switch my area to Hong Kong. Doing so allows me to move further with account creation. Let’s try to get past the phone number verification.
- Negative. The verification requires that the user send a text to the given number, the opposite of what we are used to. This makes temporary phone number sites useless for account creation on the services I have already tried.
Effective C2 in China requires either:
- Profile-appropriate traffic OR
- Protocol-level techniques like DNS that are universal.
For general-profile targets in restricted networks, protocol-level C2 (DNS, ICMP, NTP) is more viable than service-based C2 due to the combination of account barriers and traffic profiling concerns. The only issue with this is the need to host (or control) a server with a public IP, which raises an attribution concern for the attacker.
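Two claims above are worth making concrete from the defender's side: that URLs with random strings "stick out on a packet sniffer", and that protocol-level channels such as DNS are the fallback in restricted networks. The script below is an added example and is not code from the original post; it runs over a small, constructed set of DNS query log lines (the format `timestamp client qname qtype`, the domain names, and the thresholds are all assumptions made for this illustration) and flags two things: leftmost labels that look machine-generated (high Shannon entropy, long, digit-heavy) and registrable domains that receive many distinct, very long subdomain labels, the classic shape of DNS tunnelling. The `registrable_domain` helper takes the last two labels and is deliberately naive; production code would use a public-suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Format: "timestamp client qname qtype".
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.baidu.com A
1700000002 10.0.0.5 mail.163.com A
1700000003 10.0.0.7 x7q9z2kd1p.example-cdn.net A
1700000004 10.0.0.7 3f8a1c9e7b2d4f60a1b2c3d4e5f6a7b8.tun.example.net TXT
1700000005 10.0.0.7 9e7b2d4f60a1b2c3d4e5f6a7b83f8a1c.tun.example.net TXT
1700000006 10.0.0.7 a1b2c3d4e5f6a7b83f8a1c9e7b2d4f60.tun.example.net TXT
1700000007 10.0.0.5 static.qq.com A
1700000008 10.0.0.9 pkj3w0d8xm.example-cdn.net A
1700000009 10.0.0.7 c3d4e5f6a7b83f8a1c9e7b2d4f60a1b2.tun.example.net TXT
"""

# Thresholds are assumptions for this example; tune them against your own baseline traffic.
RANDOM_MIN_LEN = 8          # short labels (www, mail) are never "random-looking"
RANDOM_MIN_ENTROPY = 3.0    # bits per character; English-word labels sit well below this
RANDOM_MIN_DIGIT_RATIO = 0.2
TUNNEL_MIN_LABEL_LEN = 20   # tunnels pack payload into the leftmost label
TUNNEL_MIN_UNIQUE = 3       # distinct long labels under one registrable domain


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one constructed log line into a record; qname is normalised to lower case."""
    ts, client, qname, qtype = line.split()
    return {"ts": int(ts), "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def registrable_domain(qname):
    """Naive registrable domain: last two labels. Assumption; use a public-suffix list in production."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def leftmost_label(qname):
    return qname.split(".")[0]


def score_label(label):
    """Indicators for a single hostname label: entropy, digit ratio, length."""
    digit_ratio = (sum(ch.isdigit() for ch in label) / len(label)) if label else 0.0
    return {"entropy": shannon_entropy(label), "digit_ratio": digit_ratio, "length": len(label)}


def looks_random(label):
    s = score_label(label)
    return (s["length"] >= RANDOM_MIN_LEN
            and s["entropy"] >= RANDOM_MIN_ENTROPY
            and s["digit_ratio"] >= RANDOM_MIN_DIGIT_RATIO)


def analyze(log_text):
    """Return random-looking query names and registrable domains showing tunnel-like subdomain churn."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    random_hosts = set()
    long_labels_by_domain = defaultdict(set)
    for r in records:
        label = leftmost_label(r["qname"])
        if looks_random(label):
            random_hosts.add(r["qname"])
        if len(label) >= TUNNEL_MIN_LABEL_LEN:
            long_labels_by_domain[registrable_domain(r["qname"])].add(label)
    tunnel_suspects = sorted(d for d, labels in long_labels_by_domain.items()
                             if len(labels) >= TUNNEL_MIN_UNIQUE)
    return {"random_hosts": sorted(random_hosts), "tunnel_suspects": tunnel_suspects}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("random-looking hosts:")
    for h in result["random_hosts"]:
        print("  ", h, score_label(leftmost_label(h)))
    print("tunnel suspects:", result["tunnel_suspects"])
```

On the sample, the two ten-character alphanumeric hosts and the four 32-character hex labels are flagged as random-looking, while `www`, `mail` and `static` are not, and `example.net` is the only registrable domain with enough distinct long labels to look like a tunnel. The entropy test alone is noisy (CDN hostnames and cache-busting labels also score high), which is why the tunnel heuristic counts distinct long labels per domain rather than judging a single query.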
In the end, I figure that APTs would opt to steal accounts for regular communication through commonly used applications. Protocol-level comms might be used as a backup if the primary method of communication becomes unavailable. In other words, if the server fails to retrieve a beacon from an implant via QQ or another service, then it can listen on the backup protocol. If this too fails, then the server can move that implant ID to a dead list and off the active implant list. Additionally, this backup communication method must not be hard-coded.
- There must be something I’m missing.