1

Investigation of Advanced Persistent Threats

Network-based Tactics, Techniques and Procedures
Almuthanna Alageel and Sergio Maffeis
Department of Computing
Imperial College London
London, United Kingdom
arXiv:2502.08830v1 [cs.CR] 12 Feb 2025

Abstract—The scarcity of data and the high complexity of Ad- academia, and R&D entities [3]. To create an effective APT
vanced Persistent Threats (APTs) attacks have created challenges detection strategy, it is important to examine the Tactics,
in comprehending their behavior and hindered the exploration of Techniques, and Procedures (TTPs) that have been reported by
effective detection techniques. To create an effective APT detec-
tion strategy, it is important to examine the Tactics, Techniques, the industry. These TTPs can be difficult to classify as either
and Procedures (TTPs) that have been reported by the industry. malicious or legitimate because they can cause significant
These TTPs can be difficult to classify as either malicious or overlap in features between APTs and legitimate connections
legitimate. When developing an approach for the next generation [4]. Therefore, when developing an approach for the next
of network intrusion detection systems (NIDS), it is necessary to generation of Network Intrusion Detection Systems (NIDS),
take into account the specific context of the attack explained in
this paper. it is necessary to take into account the specific context of the
In this study, we select 33 APT campaigns based on the fair attack explained in the following sections.
distribution over the past 22 years to observe the evolution of Several survey papers explain the impact of APT operations,
APTs over time. We focus on their evasion techniques and how and discuss related work. Taleb et al. [5] discuss the techniques
they stay undetected for months or years. We found that APTs used for APT beaconing detection in the literature review. Our
cannot continue their operations without C&C servers, which are
mostly addressed by Domain Name System (DNS). We identify paper investigates the techniques used from the adversary’s
several TTPs used for DNS, such as Dynamic DNS, typosquatting, point of view to evade the detection techniques. Lemay et al.
and TLD squatting. The next step for APT operators is to start [6] is the first paper to identify public reports for APTs. They
communicating with a victim. We found that the most popular categorized the technical references by threat actor, content,
protocol to deploy evasion techniques is using HTTP(S) with and type. Based on these reports, they describe 38 APT
81% of APT campaigns. HTTP(S) can evade firewall filtering
and pose as legitimate web-based traffic. DNS protocol is also campaigns across different regions. Our paper is inspired by
widely used by 45% of APTs for DNS resolution and tunneling. [6] for starting the investigation of APTs based on the technical
We identify and analyze the TTPs associated with using HTTP(S) reports. However, our profiling focuses on the techniques used
based on real artifacts. We also investigated the excessive use for C&C to evade APT detection. Based on our datasets, we
of fallback channels to evade NIDS that rely on volume-based also provide some evidence for such techniques to facilitate
features. We identify that 60.6% of APT campaigns split their
traffic over multiple IP addresses. We also highlight other TTPs the next generation of APT detection.
that can also be equipped during a campaign, such as non- Stojanovi et al. [7] discuss the models used for the APT
application protocols or data obfuscation, which are frequently lifecycle. They also identify network and system datasets
found in our analysis. In conclusion, we outline a roadmap for the for APT. Our paper considers only major models, and then
future development of next-generation APT detection systems. we use them as a taxonomy for our profiling. We collect
Our study highlights the necessity of innovative solutions to
counter evolving attack patterns, improve threat visibility, and our dataset specifically for APT campaigns related to C&C
reinforce proactive defense strategies. artifacts, as we will discuss below. Alshamrani et al. [8]
present a general attack tree model in addition to several
Index Terms—APT, Evasion techniques, Command and Con-
trol, TTP, Malware analysis. case studies for different objectives, such as stealing data
or damaging critical infrastructure. In this paper, our main
aim is to understand APT behavior based on technical reports
I. I NTRODUCTION released in the past, in addition to our technical analysis based
According to the National Institute of Standards and Tech- on our collected datasets. There are more than a hundred APT
nology (NIST) special publication (SP) 800-61 [1], an APT campaigns, according to MITRE CO. [9]. We track those with
can be defined as a highly-skilled adversary who targets high impact over 22 years. Our selection is also based on the
organizations with specified objectives with multiple attack trusted resources where they are available to provide a reliable
vectors over a long period. APTs cost the UK government analysis. Our aim is to facilitate the next generation of NIDS
and worldwide nearly GBP 27 billion annually and USD to capture these kinds of threats that not only rely on a single
1 trillion [2], respectively. The majority of objectives of technique but a planned arsenal of TTPs equipped with their
APTs are espionage, data exfiltration and damaging critical malware and operations.
infrastructure. These campaigns’ well-trained cyber security This paper aims to investigate the evasion techniques and
personnel come from military and governmental organizations, how the APT can remain undetected by NIDS for a long
time. We analyze APT campaigns using 118 technical reports APT campaigns based on a fair distribution over the past 22
and our own investigation. We find that spearphishing links years to observe the evolution of APT over time. We describe
have been consistently popular for delivering backdoors over many TTPs relevant to network security. Next, those TTPs that
the past 22 years. This highlights the need for a detective are not detailed in the industry reports from the traffic behavior
approach to defend against malicious domains. Spearphishing perspective. We resort to our datasets (Section III) to provide
attachments are also prevalent and can bypass current host- details on their behavior and how they evade network defenses
based intrusion detection. Our research examines whether in Sections VII and VIII. Finally, we discuss our findings in
APTs consist of a single malware or a diverse arsenal. We Section X.
confirm that APTs utilize multiple malware families, with Our main findings can be summarized as follows:
APT 1 alone using up to 26 different families. Many of these • APT Campaign Analysis: The study examines 33 APT
backdoors communicate with remote command and control campaigns based on 118 technical reports and real in-
servers. Detecting this malicious traffic can help identify if an vestigations, shedding light on their characteristics and
organization is under an APT campaign attack. A large ma- behaviors. It specifically focuses on the prevalent use
jority (84.8%) of APT campaigns use backdoors, while 78.7% of spearphishing links and attachments as a means of
utilize RATs, and only 6% involve botnets. This highlights the delivering backdoors, emphasizing the need for effective
heavy reliance on customized backdoors and RATs by APTs, defense against malicious domains.
with botnets being rarely used. • Malware Diversity in APTs: The paper investigates
Since our paper focuses on defending against APTs using whether APTs rely on a single type of malware or
network data, we concentrate on our findings related to popular employ a variety. By reporting the backdoors used in
protocols and TTPs used for communication with command each campaign, we confirm that APTs utilize a collection
and control servers. We observe that APT campaigns have con- of malware, with up to 26 different families employed. It
sistently employed HTTP since 2001 to evade NIDS detection. reveals that APTs primarily rely on customized backdoors
It is crucial to carefully detect malicious connections using and RATs, while botnets are seldom utilized.
the HTTP protocol, although not every single connection will • Protocol Analysis: The paper discusses the prevalent use
use it. Additionally, 81% of APT campaigns utilize HTTPS of HTTP and HTTPS protocols by APT campaigns. It
to bypass NIDS relying on HTTP plaintext features. DNS highlights the evasion tactics employed, such as using
protocols are used by 45% of APTs, while others use HTTP HTTP to bypass NIDS and relying on HTTPS to bypass
with preconfigured IP addresses. Furthermore, 24.2% of APT NIDS relying on HTTP plaintext features. The study
campaigns distribute malware through spearphishing links, also explores the use of DNS protocols and alternative
necessitating the consideration of detecting malicious URLs. protocols like SMTP, P2P, SOCKS5, SMB, and FTP.
SMTP, P2P, SOCKS5, SMB, and FTP follow as the next • TTP Analysis: The research focuses on TTPs employed
commonly used protocols. by APT campaigns. It examines data obfuscation through
To develop a reliable approach for detecting APTs, we study protocol impersonation and the utilization of fallback
their use of TTPs to bypass NIDS. APTs frequently employ channels, multi-level encryption, domain fronting, and
data obfuscation through protocol impersonation, as shown in multi-hop proxies. The paper also highlights DNS-based
Figure 14.c with the example of Mivast and Skula malware TTPs like dynamic DNS and DGA or DNS tunneling.
impersonating legitimate HTTPS. The fallback channel, used
by 60.6% of APT campaigns, divides traffic volume among
multiple command and control servers. This technique has II. H ISTORICAL P ERSPECTIVE
become increasingly popular over time to evade volume-based Since 2006, a large-scale cyber-espionage APT campaign
detection approaches. Multi-level encrypted channels, used by called APT 1, a.k.a Comment Crew, has been compromising
54.5% of APT campaigns, protect against decryption if TLS more than 140 organizations in twenty different sectors, in-
traffic is blocked. Domain fronting and multi-hop proxy are cluding state administrations, energy, health, scientific research
exploited by more than half (51.5%) of APT campaigns, while entities, aerospace, satellites, telecommunication, IT, and fi-
24.2% solely use domain fronting to conceal the location of the nancial services [3]. More than ninety organizations had failed
remote server. Other DNS-based TTPs include dynamic DNS to detect the malicious activity of APT 1 for an average of a
(27.2%) and exploitation of DGA or DNS tunneling (24.2%). year, while other organizations had been challenged to detect
This emphasizes the importance of detecting malicious do- over 40 malware families used by APT 1 for up to four years
mains and UDP-based traffic. and ten months. 87% of these organizations are headquartered
The structure of this paper can be described as follows: First, in English-speaking countries with 6.5 TB of compressed data
we explain the damage caused by APTs in the past in Section exfiltrated for more than ten months from a single organization
II. Based on that, we define the methodology that we follow without detection. The espionage operation collected business
for our investigation and the datasets we used, in Section III. plans, senior management emails, system design, simulation
We also discuss the APT lifecycle based on the literature in technologies, and user credentials. From 2011 to 2013, APT1
Section IV. To study the malicious TTPs accurately, we start expanded C&C servers to establish more than 937 with 988
with identifying the relevant information from the network FQDNs resolved with unique IP addresses and to transmit its
perspective from technical reports in Section V. We review traffic over HTTPS with thirteen different X.509 certificates
118 reports released by the industry since 2001. We select 33 [3].

2
 From the beginning of 2007 until September 2014, APT [21] define one primary difference that makes APT malware
28, a.k.a Fancy Bear, scanned 1.7 million vulnerable IPs in different from Botnet. While the former’s purpose is cyber
Ukraine alone against several sectors such as government espionage or data exfiltration, the latter is destruction, such as
entities, telecommunication, and aerospace companies [10]. denial of service attacks. On the other hand, Vormayr et al.
The same campaign was famous for espionage against the [22] describe Blackenergy, Duqu 2.0, and Regin as Botnet and
Georgian military and other Eastern European states. The APT alongside Conficker and Phatbot with a minor difference
campaign had been successfully hidden from detection by in whether the attack is targeted or not.
mimicking legitimate domains, frequently updating to open Ussath et al. [23] confirm that APT is a campaign and
C&C multichannel using DGA for its Fall-back Channels [11]. present a survey of APT campaigns based on 22 reports in
In mid-2009, the Operation Aurora campaign targeted more terms of initial compromise methods, their lateral movement
than 34 organizations, including Yahoo, Symantec, Morgan techniques and C&C protocols used to transmit the C&C pay-
Stanely, and Google, that could not detect the infiltration loads. However, details on C&C protocols and other settings
for over six months [2]. Another campaign called APT 32, are not available, as we will discuss in this paper. Authors
a.k.a OceanLotus or Operation Cobalt Kitty, delivered fileless in [24] provide an analysis of 4 campaigns with respect to
payloads, i.e. in-memory, to hide their traces from forensics each stage of the Cyber Kill Chain model, without focusing
engineers [12]. The operation transferred 46 binary files and on persistent and evasion properties, a wide range of protocols
24 scripts via several C&C channels, including Denis and and a variety of channels. This leads us to limit our analysis
Goopy Trojan, PowerShell script and outlook macro back- to the network level of an APT campaign to illustrate how
doors, Cobalt Strike, Don’t-Kill-My-Cat evasion tool, custom persistent, evasive and stealthy APT traffic is, and how we can
NetCat and IP tools [13]. The stealthy C&C channel operated design a robust network-based intrusion detection accordingly.
over DNS tunneling to evade both NIDS and Firewalls [12]. Last but not least, the primary source of information comes
Undetected for over seven years [14], a well-resourced from industry, due to the relative monopoly on information
cyberespionage group called APT 29, a.k.a CozyDuke, was related to APT campaigns. According to Lemay et al., [6],
found to infiltrate the US White House successfully, in addition there is no alternative to industrial resources on this topic
to defense, energy, and financial institutions in Western Europe because targeted organizations request forensics services from
and China [15] at the end of 2015. APT 29 is known for industrial labs, who might publish this confidential information
deploying many malware toolsets, most of which belong to upon the client’s permission.
the Duke malware family [14]. APT 3, a.k.a Buckeye, has Our investigation in this paper relies on published works by
been targeting nearly 84 organizations, including government scholars and covers those reports released by practitioners in
departments in the US, the UK, and Hong Kong, in low and major security vendors. In addition, we confirm our analysis
slow mode since 2009 [16]. The campaign employed zero-day with the dataset we collected to identify and explain TTPs
exploits through spearphishing to drop a remote access Trojan based on the artifacts.
called Pirpi [16]. APT 3 is known to employ a vast arsenal
The datasets we collected and used in this paper are
of malware and TTP, including Remote Access Tools (RAT),
summarized as follows:
backdoors, keyloggers and Lazagne to extract passwords from
the current application and exfiltrate all data back to C&C • Industry Reports Public Information (IRPI): In this
server [16]. dataset, we collect the related information for APTs
Another stealthy and extremely successful campaign [17] is across 33 campaigns for the last 22 years. We selected
called Wekby or APT 18. The operation started in 2009 and these campaigns based on two factors: the fair distribution
has been known to use DNS as a medium to communicate with for the evolution of APTs across 22 years. Second, the
C&C servers via HTTPBrowser, gh0st RAT, and Pisloader availability of data from industry vendors. For the latter
for over six years without detection [18]. Another cyber espi- one, when we collect data for several campaigns for the
onage, APT 37, utilized many zero-day vulnerabilities through same timeframe, we choose the one that causes major
spearphishing links or attachments, strategic web compromise damage, which, consequently, produces several public
(SWC), and Torrent file-sharing from 2012 until 2018 in industry reports.
support of military activities of the state against South Korea, • APT, Phishing and Legitimate Domains (HEALP) [25]:
Japan, and the Middle East [19]. The campaign delivered Based on 118 reports, we collect xxx domains. We also
different malware families, including SLOWDRIFT, KARAE track their historical WHOIS and DNS resource records
and POORAIM malware and TTP toolsets to exfiltrate highly using SecurityTrail. We aim to identify the common
classified data to cloud services and then to wipe the master characteristics of APT campaigns in different regions.
boot record (MBR) of the organization’s data center [19]. Then, we aim to analyze the techniques that have shifted
over 22 years so we can find the weakest spot in our
defenses and expect the next potential attacks.
III. M ETHODOLOGY
• APT, Botnets and Legitimate traffics (APTrace) [4]: This
Several researchers argue whether APT is a special case traffic is based on HTTP(S) connections that are used by
of a multi-stage attack or another malware family. Accord- live APT, botnets, and legitimate traffic.
ing to Khattak et al. [20], Aurora was a specialized botnet • Malware Capture Facility Project (MCFP) based on the
with a cyber espionage objective against Google. Zhao et al. complication of [4]:

3
 describes APTs in seven phases in one direction for one time,
as depicted in Figure 2.

Models Discussion
APT Lifecycle and
Cyber Kill Chain starts with the reconnaissance stage, which

APT Lifecycle

Study Requirements
includes passive reconnaissance, scanning and enumeration.

Motiviation and
Then, the adversary starts developing malware and coupling
it with exploits in the weaponisation stage. The malicious
payload is then attached to a medium at the delivery stage,
whether that medium could be a malicious link to a website
that hosts the malicious payload or attached with a file,

Perspective
Historica
APT Analysis

e.g. PDF or MS Word. When a target is vulnerable to that

exploitation (stage 4), an installer component attached to
malware tends to establish a backdoor at stage five and be
able to communicate back with the threat actor through the
C&C server in stage six. The last stage is where the action
can be made, which varies according to the APT objectives
from the beginning, including espionage, data exfiltration and
Industry Reports

Datasets
Evidence-based

disruption. Hutchins et al. recommend a matrix of security

Data

measures against each stage, including detection, prevention,

disruption, degrading, and deceiving, with respect to stage
order. We illustrate in Figure 2 a course of action in terms
of detective controls recommended by the authors [26].
and Discussion
Traffic-basaed TTPs

DNS-basaed TTPs

Protocols Usage

Delivery Method

B. Mandiant Attack Model

TTPs Usages

Resuls

Mandiant Attack Model is proposed by FireEye to analyze

APT 1 [3]. The model is adopted by many researchers,
including [32], [33]. This section will highlight the similarities
and differences between the Mandiant and Cyber Kill Chain
Figure 1: Methodology. Models.
The Mandiant model begins with initial reconnaissance,
which matches the first stage on the Cyber Kill Chain. Then,
• APT, Botnets and Legitimate traffic (APTracePluse): in a threat actor initially compromises a host in stage 2, which
this dataset, we extend the dataset based on [4] to include matches stages 3-5 in the Cyber Kill Chain, i.e. delivery,
protocols used beyond HTTP(S) such as Raw TCP and exploitation and installation. It is worth noting that Mandiant
UDP, which are popular as we found in Section V. does not consider weaponisation as well as merging three
stages from the Cyber kill chain into one stage. This is because
IV. APT L IFECYCLE Mandiant focuses on defense strategy more than considering
the full picture from the adversary’s perspective. Next, the
Understanding how an APT campaign behaves from the adversary establishes a foothold once a backdoor is already
first day until the mission is accomplished can be crucial installed, which is equivalent to C&C - stage six - in Cyber
in identifying the attack surface at each stage and provide Kill Chain.
deep insight for our profiling. This also helps in extracting the
relative information for C&C stage and TTPs used to evade Command
Command andand Action on
Action on
Reconnaissance
Reconnaissance Weaponization
Weaponization Delivery
Delivery Exploitation
Exploitation Installation
Installation
Control (C&C) Objectives
Control (C&C) Objectives
detection. Lockheed Martin Cyber Kill Chain® is considered as
the first model that was able to describe APT proposed in 2011
HIDS
HIDS
Web
WebAnalytics
Analytics Vigilant User
Vigilant User HIDS
HIDS HIDS
HIDS NIDS
NIDS Audit Log
Audit Log
[26]. Cyber Kill Chain® is then followed by Mandiant and NIDS
NIDS

MITRE ATT&CK, both of which are increasingly accepted

among the research community. However, there are two further Figure 2: Lockheed Martin Cyber Kill Chain detective controls
models proposed by Vries et al. [27] and Attack Pyramid by [26].
Giura and Wang [28], each of which describes an APT as a
normal attack lifecycle without any APT propriety, therefore, The next four stages are performed n times by the adversary
we omit these two models from our discussion for the brevity. until an organization takes defensive action upon detecting
the malicious activities. The first stage of the n cycle stages
is privilege escalation, where an adversary either delivers
A. Lockheed Martin Cyber Kill Chain® another zero-day exploit or passes the hash to take over a
Hutchins et al. propose Cyber Kill Chain [26], which is root account, for instance. Next, the adversary uses built-in
part of a broader Intelligent Driven Defense framework funded operating system commands or a custom one to understand the
and adopted by Lockheed Martin [26]. The model is widely local environment intellectually. The adversary moves around
adopted by several papers, including [24], [29], [30], [31]. It the network as a privileged and legitimate user who can evade

4
all detective controls. The adversary can then launch an OS
scheduler, a persistent technique in the following stage, to 40
install further backdoors or to exfiltrate data according to a 35
specific schedule in the final stage as depicted in Figure 3.

Number of techniques
30
The iterative cycle might be conducted multiple times in order
to open fall-back channels and maintain APT persistence. 25

20

15
Maintain
Move
Persistance
Laterally
10

Internal 0

Execution

Persistence

Collection
Reconnaissance

Resource Development

Initial Access

Defense Evasion

Discovery

Lateral Movement

C&C

Exfiltration

Impact
Privilage Escalation

Credential Access
Initial Initial Establish Escalate Recon. Complete
Recon Compromise Foothold Privileges Mission

Figure 3: Mandiant attack model [3].

Technique stage

C. ATT&CK TM
Model Figure 4: MITRE ATT&CK techniques per stage.
While Cyber Kill Chain and Mandiant APT attack models
are presented in an abstract view and are focused on the lifecy-
Mandiant fits for research that focuses on host intrusion
cle of an APT campaign, MITRE ATT&CK presents a matrix
detection and endpoint protection more than the network
for enterprise to describe Tactics, Techniques and Procedures
perspective. This is because the Mandiant attack model does
(TTP) of an APT campaign. The matrix and its TTPs are
not explicitly describe C&C stage, as we can see from Figure
based on the observation of tens APT campaigns [9]. The
3, which is our scope in this paper. As regards to ATT&CK
TTP are presented across twelve stages as depicted in Figure
Matrix, it does adopt a lifecycle scheme. Instead, a pool of
4. The total number of TTPs is 130, which an APT can select
TTPs is presented in a concrete way and lacks abstraction for
from such a pool. For example, APT 1 used 22 TTPs across
future TTP.
all stages. It is worth paying attention to the new stages not
It is important to include in the APT models how their
presented by other models, such as defense evasion, credential
custom malware operates once it infects the victim. APT
access, discovery, and collection. The defense evasion stage
malware are those malicious tools known to be used by APT
covers evasion techniques from the hardware to the application
campaigns. They usually do not participate in DDoS attacks,
level. However, our analysis in Section V leads to an expanded
sending spam or propagating to other hosts to spread infections
view of network evasion techniques based on our observations.
[34]. APT malware is classified as targeted malware with
Internal reconnaissance in other models is divided here into
different functions to communicate with C&C. For instance, a
discovery and collection, where the former represents an early
RAT is typically composed of a builder, stub, and controllers.
stage of internal reconnaissance and the latter refers to the
The builder initiates a new instance stub upon the infection.
late one where accounts, files, and emails, for example, are
The stub stays on the victim with preconfigured FQDN or
collected and sent back to C&C servers in C&C stage.
IP to communicate to RAT’s controller placed at the C&C
As we can notice from the description above and shown in
server [35]. Trojans, spyware, and keyloggers may also be
Figure 4, the matrix presents the TTP with respect to each
composed to connect C&C at a low profile. However, some
stage, but the stages are not chained to form a lifecycle.
malware, such as DarkCommet, includes these functions in
Therefore, ATT&CK Matrix might be used as a companion
one ecosystem [34], which may capture the audio, explore files
and a pool of TTPs to other lifecycle models to overcome the
and drop malicious tools through visiting URLs [36]. Griffon,
absence of subsequent behavior of an APT in order to provide
used by FIN 7, can gather information, load Meterpreter, and
proper security measures.
take screenshots [37].
Once APT actors drop malware on infected hosts, they
D. Discussion on APT Models may be inactive instantly. Several malicious activities can
We note that Cyber Kill Chain takes the full picture from the be done automatically before the APT actors control the
adversary’s point of view. For instance, stages 1-4 are out of victim. For instance, malware connects automatically to the
the target’s network perimeter. Establishing a foothold on the C&C server, and other automatic operations are followed,
model is represented in stage six, while multiple subsequent such as information gathering, dropping more malicious tools
actions are conducted and not presented well. Furthermore, or payloads, and establishing fallback channels. Therefore, it
unlike Mandiant, the cyber kill chain does not represent the is crucial to detect these malicious tools initially, whether
cyclic nature of APT, where an APT starts expanding inside the actors start controlling them or not, as long as they are
the target’s network. In addition, the Cyber kill Chain merges connected to C&C servers.
the internal reconnaissance and lateral movement stages of the Based on this discussion, we summarize the requirements
Mandiant model under the action on the objective stage. for developing an updated APT campaign network-based at-

5
tack model: CVE-2012-1889, followed by another five zero-day exploits
• C&C stage should be included in the proposed APT life in one month against the same target in order to deliver
cycle to identify when C&C is needed for an adversary backdoor Trojans [38] and that is a sign of highly intelli-
and why. gent and knowledgeable engineers who in charge of these
• C&C stage should be divided into multiple stages to campaigns with unlimited resources. In addition, we notice
provide the details of attack behavior. Stages may include another example of how APT differs from typical malware
DNS resolution, locating C&C servers and malicious or attacks represented by CozyDuke, a.k.a APT 29. The
C&C traffic. campaign uses a modular malware platform that includes the
• Evasion techniques at C&C stages reported by MITRE command execution module, password stealer, NTLM hash
ATT&CK need to be considered based on real evidence, stealer, downloader, loaders and backdoors such as Hammer-
such as dynamic resolution, data obfuscation and fallback Duke OnionDuke, CosmicDuke, and SeaDuke. As a result,
channels. the campaign might continue without detection and complete
• The type of APT malware operations should be pointed espionage and disruption objectives. Nevertheless, the APT
out to connect the gaps between the multiple stages of campaign carefully develops its own custom malware, FQDNs
C&C. and IP addresses and is able to exfiltrate over time to stay in
stealthy mode against the same target.
Next, we focus on the network characteristics of the APT
V. A NALYSIS OF APT C AMPAIGNS
campaigns covered in the previous section. Table III sum-
In this section, we present our survey of 33 APT campaigns marizes the APT campaign in terms of their adaptation of
presented in Tables I and II, and we provide an analysis protocols that carry out C&C traffic, the tool type of C&C,
of these campaigns from the network perspective. First, we and the most frequent evasion techniques adopted for APT
focus on the variant names for the same campaign, followed campaigns. We notice that most APT campaigns use DNS
by their points of entry and the delivery methods. Next, we and HTTP(S) for their operations through their attack period.
explore some evasion techniques for most campaigns. Then, It does not mean every malware uses the two protocols, but
we describe what payloads are exchanged between the victims many frequently use them.
and C&C server and how they are obfuscated. All these
characteristics are provided based on IoC, public reports, and
evidence materials. Sources include, among others, Bitde-
fender, ESET, Trend Micro, Sophos, McAfee, F-Secure Lab,
Symantec, FireEye Mandiant, Kaspersky Lab, Checkpoint and
evidence from the Department of Homeland Security in the
USA.
At the beginning of this paper, we briefly define the APT
and start arguing whether APT refers to a special type of mal-
ware or a well-resourced campaign. After the survey presented
in Tables I and II, we have seen how a single APT campaign
is equipped with multiple malware, including RAT, backdoors
or trojans. As expected, only APT 35 and Sandworm use
botnets out of 33 APT campaigns. From now on, we refer
to the malware used by APT for C&C communications with
confirmed IP addresses as APT malware unless the industry
reports it as a botnet. Table II shows the persistence and
stealthiness properties of APT malware, which increase the
chances of evading defenses over a long period of time.
There are remarkable differences between an APT and other
malware, such as botnets or ransomware, that use C&C com-
munication. For instance, when APTs initially compromise a
target and drop a backdoor to communicate with C&C servers,
they tend to implant other RATs and further backdoors to
continue their operation with other C&C servers. In practice,
once a SOC engineer discovers a backdoor or a list of IoCs
belonging to an APT, an incident response plan will be carried
out to contain the incident. However, with the persistence
property, an APT tends to implant several backdoors against
the same organization, each of which exploits different zero-
day vulnerabilities [3].
For instance, Elderwood APT launch their attack through
zero-day exploits of CVE-2012-0779, CVE-2012-1875, and

6
 Table I: APT Campaigns From Network Perspective - Part I.
APT Campaign Delivery Method Vulnerability Backdoors

APT 1, a.k.a Comment Spearphishing attachment [3]. N/A Standard Backdoors: Poison Ivy, Gh0st Beachhead Backdoors: Beachhead Family i.e.
Crew WEBC2 (>16 variants) e.g. WEBC2-QBP AURIGA, BANGAT, BISCUIT,
BOUNCER, CALENDAR, COMBOS, COOKIEBAG, DAIRY, GLOOXMAIL,
GOGGLES, GREENCAT, HACKSFASE, HELAUTO, KURTON, LONGRUN,
MACROMAIL, MANITSME, MINIASP, NEWSREELS, SEASALT,
STARSYPOUND and SWORD [3].

APT 2, a.k.a Putter Panda Spearphishing attachment abc.scr N/A 3PARA RAT, 4H RAT, httpclient, pngdowner [39].
Dropper To install 4H RAT [39].

APT 3, a.k.a Gothic Spearphishing attachment For initial access: Flash SWF file CVE-2015-3113 Backdoor.Pirpi (12 variants) [16], SHOTPUT, Backdoor.APT.CookieCutter and PlugX
Panda a.k.a Pirpi Buckeye malicious RAR Spearphishing †. For privilege escalation: CVE-2014-4113 † [41]. [40].
Link Browser Exploit [40]. Others: CVE-2015-5119 † CVE-2010-3962 †
CVE-2014-1776 † CVE-2014-6332 [42].
APT 10
a.k.a menuPass Spearphishing to deliver EvilGrab N/A HTRAN, ZXProxy, ZXPortMap, PlugX, PoisonIvy, QuasarRAT, RedLeaves [44].
or ChChes [43].

APT 12 Spearphishing Attachment [45]. MS Word CVE-2012-0158 [45]. RIPTIDE , HIGHTIDE [45], THREBYTE and WATERSPOUT.

APT 15, a.k.a Ke3chang Spearphishing attachment/URL MS Word CVE-2010-3333, Adobe PDF Reader RoyalCli, BS2005 and RoyalDNS [47].
Vixen Panda [46]. IE injection technique used CVE-2010-2883 [46].
by HTTP-based, Backdoors
(BS2005 Malware) [46].
7

APT 16, a.k.a EPS Spearphishing Attachment MS MS Word: CVE-2015-2545 †, Windows: IRONHALO ELMER with two variants [48].
Word [48] and URL CVE-2015-2546 † [49], Windows privilege
(DOORJAMB.Tools, IRONHALO escalation CVE-2015-1701 [48].
or ELMER [49].

APT 17 a.k.a Deputy Spearphishing URL or Social N/A BLACKCOFFEE [50].

Dog Networks (Cleaver)[50].

APT 18, a.k.a Wekby, Spearphising Xyligan RAT [17]. N/A Xyligan.rat, gh0st.rat, HcdLoader.rat, Pisloader [18], [17].
Dynamite Panda

APT 19 a.k.a. Codoso Waterhole [51] Spearphishing Windows CVE 2017-0199 [52]. N/A
Rich Text Format (RTF)
macro-enabled MS Excel [52].

APT 27 a.k.a Emissary Spearphishing attachment (ZIP CVE-2014-6324 [54], CVE-2017-11882 [55]. For HyperBro a.k.a Backdoor.Win32.HyperBro (Trojan.backdoor.rat),
Panda, Threat archive) [53]. privilege escalation: Jave SWCs CVE-2011-3544, Trojan.Win32.Generic [55], PlugX [53], (Trojan.backdoor.rat), HttpBrowser
Group-3390, JBoss CVE-2010-0738 [53]. (Trojan.backdoor.rat) [55].
LuckyMouse
Continued on the next page
 APT Campaign Delivery Method Vulnerability Backdoors

APT 28 a.k.a Sednit Spearphishing URL-shortener Java CVE-2015-2590 †, Flash CVE-2015-3043 †, Downdelph, CHOPSTICK, CORESHELL, Komplex, Zebrocy, JHUHUGIT and
Sofacy Fancy Bear HIDEDRV rootkit with CVE-2015-5119 †, CVE-2015-7645, Word Sofacy [58], [59].
Downdelph backdoor [56], [11]. CVE-2015-1641 †, CVE-2015-2424 † [57], IE
CVE-2014-4076 [56]. For privilege escalation:
CVE-2015-2387 †, CVE-2015-1701 † [57].

APT 29 a.k.a CozyBear Spearphishing attachment and link PDF Acrobat: CVE-2013-2729, MS Office: CosmicDuke, CloudDuke, HammerDuke, SeaDuke, SeaDaddy, PinchDuke,
CozyDuke [60]. CVE-2009-3129, CVE-2015-2424, OnionDuke, MiniDuke, HAMMERTOSS [14] and Cobalt Strike [61].
CVE-2015-1641, CVE-2010-3333,
CVE-2014-1761, CVE-2012-0158, Adobe Flash
CVE-2016-4117 CVE-2016-7855 and for Privilage
Escalation: CVE-2016-7255 [60].

APT 30 Spearphishing attachment to drop N/A FLASHFLOOD, NETEAGLE, SHIPSHAPE, BACKSPACE SPACESHIP [62].
BACKSPACE [62].

APT 32, a.k.a Spearphishing attachment (RTF CVE-2017-11882. For privilege escalation: Cobalt Strike, Denis [13], KOMPROGO, OSX OCEANLOTUS.D, PHOREAL,
OceanLotus Document) [63]. CVE-2016-7255 [63] SOUNDBITE, WINDSHIELD [64].

APT 33, a.k.a Elfin Spearphishing Link [65]. WinRAR CVE-2018-20250 [66]. For privilege Shamoon, TURNEDUP, AutoIt [66] and POWERTON [67].
Shamoon escalation: CVE-2017-0213 [67].

APT 34, a.k.a OilReg Spearphishing attachment [68]. MS office: CVE-2017-11882, Malicious RTF ISMAgent malware Plink utility to create tunnels to C&C server [69]
CVE-2017-0199 [68].

APT 35, a.k.a Majic Spearphishing attachment and link N/A IRC bot (MagicHound.Leash) MPK.trojan.rat[70].
8

Hound to deliver Pupy RAT or

MagicHound.Rollover [70].

APT 37, a.k.a ScarCruft Spearphishing attachment and link Adobe Flash: CVE-2016-4117, CVE-2018-4878. NavRAT, HAPPYWORK, Final1stspy, DOGCALL, CORALDECK, ROKRAT,
Torrent (KARAE) [19]. MS Word: CVE-2017-019 [19]. SHUTTERSPEED, SLOWDRIFT, WINERACK and KARAE [19].

admin@338 Spearphishing attachment N/A Bubblewarp, LOWBALL and PoisonIvy and Custom (PoisonIvy) [71].
(LOWBALL malware) [71].

Blockbuster a.k.a Spearphishing attachment [72]. N/A HOPLIGHT, KEYMARBLE, HARDRAIN, FALLCHILL.rat, Bankshot.rat,
Operation Flame, Lazarus BADCALL, WannaCry, Volgmer and Proxysvc [73].
Group, HIDDEN
COBRA

Cobalt Group a.k.a Spearphishing attachment [74]. CVE-2017-11882, IE: CVE-2018-8174, Odinaff, Odinaf fg1, Odinaf fgm, Batel, Gussdoor, Ammyy [74] and More_eggs
Cobalt Spider CVE-2017-8570, CVE-2017-0199, CVE-2017-8759 [75].
[75]. MS Word: CVE-2015-1641 , Adobe Flash:
CVE-2016-4117 [74].
 APT Campaign Delivery Method Vulnerability Backdoors

Dragonfly 2.0 Spam campaign Waterhole attack, With using Lightsout exploit kit against Java 6: Backdoor.Oldrea, Trojan.Karagany [76].
i.e. iFrame is used forward to CVE-2012-1723 Java 7: CVE-2013-2465 and IE:
another website hosting Lightsout CVE-2012-4792 CVE-2013-1347 [76].
[76].

Duqu 2.0 Spearphishing attachment [77]. MS Word with embedded TTF: CVE-2011-3402 †, N/A
CVE-2014-4148 †. For lateral movement:
CVE-2014-6324 † [77].

Elderwood, a.k.a Waterhole (IFRAME) to forward CVE-2012-0779 †, CVE-2012-1875 †, Backdoor.Briba, Backdoor.Ritsol, Backdoor.Nerex, Backdoor.Linfo, Backdoor.Wiarp,
Operation Aurora, Sneaky to the server that hosting exploit CVE-2012-1889 †, CVE-2012-1535 †, Backdoor.Vasport, Backdoor.Darkmoon, Trojan.Hydraq (Aurora), Trojan.Naid,
Panda [38]. CVE-2011-0609 †, CVE-2011-0611 †, Trojan.Pasam, Packed.Generic.379, Packed.Generic.374 [38].
CVE-2011-2110 †, CVE-2010-0249 † [38].

FIN 7, a.k.a Carbanak Spearphishing attachment N/A Carbanak, POWERSOURCE, TEXTMATE and HALFBAKED [78].
malicious DOCX and RTF [78].

Leviathan, a.k.a APT 40 Spearphishing attachment and link N/A AIRBREAK, FRESHAIR, BEACON, Gh0st, PHOTO (Derusbi) , BADFLICK , China
[79]. Chopper, PluX (Sogu) [79], Cobalt Strike and BLACKCOFFEE [80].

Naikon APT Spearphishing attachment to drop CVE-2012-0158, CVE-2010-3333 [81]. Naikon backdoor, RARSTONE, SslMM, Sys10, xsPlus, MsnMM, Sakto [81],
naikon backdoor [81]. WinMM, WininetMM [82].

Patchwork a.k.a Dropping Spearphishing attachment and link CVE-2014-4114, CVE-2012-1856, AutoIt, Unknown Logger [83], QuasarRAT [84], TINYTYPHON [85], Socksbot,
Elephant MONSOON Drive-by-Download i.e. Adobe CVE-2017-0199, CVE-2017-8570, CVE-2015-1641 NDiskMonitor and Badnews [83].
Flash Update [83]. to deliver Badnews backdoor [83].
9

Sandworm Team a.k.a Spearphishing attachment [86]. CVE-2010-3333 [86]. BlackEnergy [86].
BlackEnergy Quedagh
[86].

Strider a.k.a Plugged USB sticks [87]. N/A Remsec: Loader: MSAOSSPC.DLL Lua modules: Pip backdoor and HTTP backdoor
PROJECTSAURON [87]. [88].

Regin Spearphishing attachment [89]. N/A Backdoor.Regin [89].

Red October, a.k.a Cloud Spearphishing attachment [91]. MS Excel: CVE-2009-3129, MS Word: LHAFD.GCP [91], Zakladka a.k.a winupdate.dll and WNFTPSCAN [92].
Atlas [90]. CVE-2010-3333, CVE-2012-0158, Rhino Java:
CVE-2011-3544 [91].
 Table II: APT Campaigns From Network Perspective - Part II.
Evasion Tech. Other C&C Settings

APT # FQDNs Note

Campaign DNS HTTP Channels Protocols Obfuscation Payload / C&C IPs

APT 1, a.k.a Hijacked HTTPS, Mimicked MSN C&C Over HTTP, C&C over DNS [3]. HTTP, Base64, single-byte XOR, GDOCUPLOAD, (2551)/ In addtion, APT 1
Comment Crew FQDNs, Messenger, Jabber/XMPP, HTTPS, TLS, SSL and 3DES [3]. GETMAIL, (849) establish >937 C&C
Dynamic Gmail Calendar [3]. FTP [3]. LIGHTBOLT, MAPIGET [3]. servers [3].
DNS [3]. [3].

APT 2, a.k.a Dynamic N/A abc.scr, a dropper, installs 4H RAT to open HTTP RC4, 16-byte XOR, DES N/A (>57)/
Putter Panda DNS [93]. the first channel to connect to C&C server. [39][93]. (CBC) With MD5 hash (>32)
The next channel is initiated with 3PARA key of a string in HTTP [39].
followed by several channels established request back to C&C
by Httpclient and Pngdowner [39]. 1-byte XOR with 0xBE
[39].

APT 3, a.k.a N/A HTTP Proxy and HTTP The main channels established by Pirpi HTTP, N/A Keylogger, RemoteCMD, (5)/ (2)
Gothic Panda Cookie field [40]. [42]. HTTPS, PwDumpVariant, OSinfo, [41].
a.k.a Pirpi SOCKS5 ChromePass, Lazagne
Buckeye and FTP [16], Customized
[42]. Mimikatz, Dsquery [40].

APT 10
a.k.a menuPass Dynamic Cookies embedding in Through legitimate access to many HTTP, AES, RC4, MD5 and MimiKatz, PwDump6 (102)/
10

DNS [43]. HTTP, HTTPS [44]. Managed IT Service Providers (MSP) [43], HTTPS, Base64-encoding [44]. and certutil [44]. (25)[43].
or embedding data in cookies field in FTP [44].
HTTP header [44].

APT 12 N/A N/A Over HTTP [45]. HTTP [45]. RC4 [45]. N/A N/A

APT 15, a.k.a Dynamic HTTP with COM Third Party DNS Service RoyalDNS Spwebmember, custom (11)/
Ke3chang Vixen DNS [46] interface IWebBrowser2 "Nwsapagent"[47]. uses TXT keylogger, Mimikatz, (22)[46].
Panda and [47]. Record in other network scanning
RoyalDNS DNS and enumeration tools
uses DNS protocol to [47].
for C&C send
[47]. payloads
[47].
Continued on the next page
 Evasion Tech. Other C&C Settings

APT # FQDNs Note

Campaign DNS HTTP Channels Protocols Obfuscation Payload / C&C IPs

APT 16, a.k.a N/A HTTP Beacon and Variants of ELMER communicate with HTTP and N/A N/A (2)/ (2)
EPS HTTPS [49]. two different C&C locations [49]. ELMER [49].
beacons over
HTTPS [49].

APT 17 a.k.a N/A N/A C&C distribution over Microsoft TechNet HTTP [50]. N/A N/A N/A BLACKCOFFEE holds a
Deputy Dog and Social Media[50]. URL for the actor profile
or thread at Microsoft
TechNet or Social media
to retrieve C&C IP
address which will be
updated once it is
exposed[50].

APT 18, a.k.a DNS as a HTTPS [94]. HcdLoader used for lateral movement and HTTP, Pisloader uses HTTPBrowser sends N/A Xyligan establish the
Wekby, covert data Exfiltration over HTTP, HTTPS [94] base32-encoded [95]. Keystrokes [17]. foothold, then install
Dynamite Panda channel [18]. HTTPBrowser, and Pisloader used DNS and DNS Hcdloader to provide
requests as a channel in TXT records [18]. [95]. command-line access
[17].

APT 19 a.k.a. N/A N/A HTTP over port 22, SCP, SFTP over port HTTP [52] Base64, single-byte XOR Cobalt Strike [52]. (4)/ (4)
Codoso 22, HTTPS and DNS [52] keys [52]. [51].
11

APT 27 a.k.a N/A N/A N/A HTTP, Base64 Encoding, ASPXSpy (webshell) (5) [55]/ Main C&C
Emissary Panda, HTTPS and Metasploit’s Shikata China Chopper, OwaAuth (2) [96]. bbs.sonypsps[.]com with
Threat DNS [53]. Ganai, encoder and (to steal Exchange’s resolved IP, i.e. belong to
Group-3390, LZNT1 [55]. Passwords) and Mimikatz Router, at Ukrainian ISP
LuckyMouse [96]. network, that was hacked
to pass malware’s HTTP
request [55].

APT 28, a.k.a DGA used Custom (CHOPSTICK) First Channel: Downdelph over HTTP HTTP, CORESHELL uses N/A N/A APT 28 uses POP3 to
Sednit Sofacy by So- over 80/443 [56]. [11]. 2nd Channel: CHOPSTICK over HTTPS, Base64 encoding [56]. communicate with
Fancy Bear facy.WinHttp HTTP. 3rd Channel: CORESHELL [56]. SMTP and GMAIL services to
[11] and Zebrocy over HTTP, SMTP, and POP3 [56], allocate FQDNs and
POP3. Komplex and JHUHUGIT use [58], [59]. C&C locations [56].
HTTP Post and HTTPS while XTunnel
uses SSL/TLS with RC4 [59].
Continued on the next page
 Evasion Tech. Other C&C Settings

APT # FQDNs Note

Campaign DNS HTTP Channels Protocols Obfuscation Payload / C&C IPs

APT 29, a.k.a N/A Domain Fronting over First CozyCar over HTTP/HTTPS, Second HTTP, Base64 Encoding [60]. Backdoors for importing (18)/(31) CozyCar is embedded
CozyBear HTTPS places malicious PowerShell Script, Third (SeaDaddy) over HTTPS, persistent PowerShell [14]. with an alternative C&C
CozyDuke domains in the HTTP 443 [15], Tor-meek for domain fronting RDP (3389), scripts [97] and channel to Twitter,
header and legitimate and Multihop Proxy [97]. NetBios exfiltrating data [60]. MiniDuke uses Google
ones in the TLS header (139), SMB Search if Twitter
[97]. (445), FTP approach [14] failed.
[14].

APT 30 N/A NETEAGLE over HTTP NETEAGLE connect with proxy over HTTP and FLASH- FLOOD uses SPACESHIP and (5>) / SHIPSHAPE provides
proxy post request, or HTTP post beacons. If failed, RDP over RDP [62]. zlib, byte-rotation, and SHIPSHAPE exfiltrate (N/A) persistence by
UDP (6000) TCP (7519) [62]. BACKSPACE uses one XOR NETEAGLE uses data [62]. [62]. propagating through
BACKSPACE disable domain to receive an update and another RC4 [62]. removable devices of the
firewall [62]. one for a backup with two more run-hide infected network against
configurations [62]. air-gap setting [62].

APT 32, a.k.a DNS Custom (Outlook macro Denis [13] and SOUNDBITE exfiltrate HTTP, AES-256(CBC) [63], Mimikatz and data (62)/(22) Backdoors exploits
OceanLotus tunneling for backdoor over SMTP over DNS packets while PHOREAL uses HTTPS [98] RC4 [99], RSA256 and exfiltration [13]. [99]. Microsoft Outlook [13].
C&C and [13]), (JavaScript over ICMP and WINDSHIELD communicate , DNS [13] , Base64 encoding [64].
Data HTTP 14146 [63] or over raw TCP sockets [64]. P2P over
Exfiltration HTTPS [98]. SMB and
[13], [12]. ICMP [64].
12

APT 33, a.k.a N/A HTTP Proxy [67]. Shamoon uses HTTP, PoshC2 may uses HTTP, AES, base64 encoding, SniffPass, DarkComet, (69) / Shamoon is responsible
Elfin Shamoon proxy to C&C server over HTTP/HTTPS HTTPS and DES [67]. ProcDump, Mimikatz, (69) for C&C as well as data
[67] and NanoCore over 6666 [65] FTP [66]. PoshC2 and data [66]. destruction processes.
exfiltration [66]. PoshC2 has multiple
functions, including
C&C, search for
passwords, Netstat, and
pass the hash to gain
access without plaintext
[66].
 Evasion Tech. Other C&C Settings

APT # FQDNs Note

Campaign DNS HTTP Channels Protocols Obfuscation Payload / C&C IPs

APT 34, a.k.a DNS N/A First ’dolt’ function in the PowerShell HTTP, Cryptographic Data keylogger.KEYPUNCH, (10) /
OilReg tunneling script initiates the first channel, Then HTTPS, Encoding [100]. screen- (14)
[69] and ISMAgent uses DNS tunneling instead of DNS, FTP shot.CANDYKING, [100],
DGA [68]. HTTP [69]. [100]. Tool.Plink to create [101].
tunnels
Tool.netscan.SoftPerfect,
Tool.netscan.GOLDIRONY[100].

APT 35, a.k.a N/A HTTPS [70]. Over 4443, 3543 [70]. HTTP, base64, AES[70]. Pupy variant of Mimikats, (39)/(97)
Majic Hound HTTPS, CWoolger for keylogging, [70].
FTP, IRC, FireMalv for stealing
and SOAP credentials of Firefox
[102]. Data Exfiltration [70].

APT 37, a.k.a N/A HTTP POST headers for First, HAPPYWORK and KARAE connect HTTP, CORALDECK uses RAR N/A N/A Not only APT 37
ScarCruft data exfiltration [19]. with C&C to receive further backdoors and HTTPS, protected with password exfiltrate credential data
open further channels CORALDECK SMTP and DOGCALL uses but also the microphone
connects with C&C through HTTP POST P2P [19]. single-byte XOR Finalspy data, snapshot of virtual
headers DOGCALL communicates with uses Base64 Encoding machines [19].
C&C and exfiltrates through cloud [19].
services, NavRAT uses SMTP POORAIM
overall AOL Instant Messenger for C&C
13

ROKRAT uses a variety of C&C channels

including HTTPS and cloud services.
SLOWDRIFT is used for cloud services
[19].

admin@338 N/A N/A First, LOWBALL open a C&C channel N/A N/A HTTP, HTTPS and N/A
over HTTPS and can also use Cloud SOCKS [71].
services [71]. The next level for C&C
traffic is performed by BUBBLEWRAP
over HTTP/HTTPS or SOCKS [71].

Blockbuster, N/A HTTP HTTPS (SSL) WannaCry uses Tor for C&C HTTP, Symmetric stream cipher The main payload is for (2) /(3) HARDRAIN,
a.k.a Operation HTTPS (fake TLS) communication Volgmer, TYPEFRAME, SMTP and e.g. AES, RC4 and data exfiltration. In [104]. FALLCHILL, BADCALL
Flame, Lazarus BADCALL disables Proxysvc, KEYMARBLE, BADCALL RDP [73]. Caracachs and XOR addition, customized use fake TLS Bankshot
Group, HIDDEN Windows firewall [73]. uses HTTPS. However, TYPEFRAME, [103]. password dump tools, to create a fake TLS
COBRA AuditCred, and BADCALL connect to a and batch scripts are handshaking with the use
proxy server RATANKBA and Proxysvc uploaded [72]. of a public certificate
are used for data exfiltration [73]. 45 unique malware
KEYMARBLE has multiple channels for families during this
exfiltration Bankshot uses HTTP channel operation [72].
for exfiltration [73].
Continued on the next page
 Evasion Tech. Other C&C Settings

APT # FQDNs Note

Campaign DNS HTTP Channels Protocols Obfuscation Payload / C&C IPs

Cobalt Group DNS HTTPS [74]. Cobalt Groups uses Plink to open an SSH HTTPS, N/A Cobalt Strike is N/A
a.k.a Cobalt tunneling channel. In addition, the group uses Cobalt DNS and responsible for multiple
Spider [74]. Strike for a variety of channels, i.e., HTTP, P2P SMB payloads, including
HTTPS, DNS, and VNC [105] over remote [74]. keylogging, PowerShell
framebuffer (RBF Protocol), and it can scripts, and data
send over one channel and received from exfiltration [74].
another channel

Dragonfly 2.0 N/A Backdoor.Oldrea uses First, Backdoor.Oldrea communicates with HTTP [76]. RSA, Base64 Encoding Trojan.Karagany is (N/A) / The group extends their
base64 encoded string of C&C server. Second, Trojan.Karagany uses and XOR [76]. implanted to conduct (13) work after Dragonfly 1.0
HTTP Get or RSA with a live connection to Microsoft or Adobe internal reconnaissance, [107] [76].
HTTP Post [76]. websites if available [76]. then Backdoor.Oldrea
exfiltrates Credentials,
Emails, OWA address
book, processes, and
infrastructure info. and
classified documents [76]
[106].

Duqu 2.0 N/A Bidirectional HTTP Duqu 2.0 uses a variety of channels, Outside Symmetric stream cipher Exfiltrate highly classified N/A The threat actor
Proxy, embed C&C including HTTP, HTTPS, and tunneling LAN: e.g. AES[77] and documents related to penetrates a certificate
traffic inside JPEG or SMB/RDB network pipes over HTTPS[77]. HTTPS symmetric block cipher nuclear program[77]. authority in Hungary and
14

GIF over HTTP or inside while inside e.g. Camellia 256 and is able to generate
driver files of SMB with LAN: SMB XXTEA [77]. legitimate certificates[77].
knocking mechanism for network
tunneling or fake TCP/IP pipes or
packets to specific IP RDP[77].
[77].

Elderwood, a.k.a N/A N/A All backdoors connect to a shared C&C N/A N/A N/A (18) /
Operation infrastructure [38]. (N/A)
Aurora, Sneaky [38].
Panda

FIN 7, a.k.a Embedding N/A POWERSOURCE embed C&C traffic in Remote N/A N/A N/A
Carbanak data in TXT TXT record of DNS packet [78]. If Desktop
record [78]. POWERSOURCE is detected, then Protocol
TEXTMATE opens another channel using (RDP)HTTP
the same technique, another C&C channel HTTPS
over GoogleDoc [78]. Finally, the Ammyy DNS [78]
Admin tool, a legitimate tool, is used as
C&C channel [108].
Continued on the next page
 Evasion Tech. Other C&C Settings

APT # FQDNs Note

Campaign DNS HTTP Channels Protocols Obfuscation Payload / C&C IPs

Leviathan, a.k.a NanHaiShu HTTPS [79]. Derusbi opens two channels, an HTTP HTTP, XOR N/A N/A APT 40 develop several
APT 40 uses beacon, and HTTPS channel over 31800, HTTPS [79]. custom tools and
Dynamic several channels established by Gh0st, malware, including
DNS With AIRBREAK and FRESHAIR [79]. HOMEFRY. China
Third Party Chopper is implanted as
[109]. a web shell to brute force
passwords, uploads, and
downloads files packed
with UPX, and
commands are sent over
HTTP Post [79]. APT 40
targets VPN credentials
[79].

Naikon APT Dynamic HTTPS [81]. Naikon backdoor drops all other backdoors HTTP, N/A HDoor is uploaded to the N/A
DNS [82]. to deploy a variety of channels, HTTPS, victim for internal
RARSTONE, which opens the first channel FTP and reconnaissance over
over HTTPS, then SslMM is installed to TFTP [81]. SOCKS5 proxy service
send the keystrokes and footprinting info. FTP is used for data
over two channels, Sys10 open another exfiltration [81].
channel over HTTP to collect local IP
addresses WinMM opens two channels to
15

add more persistence over HTTP [81].

Patchwork a.k.a N/A HTTPS QuasarRAT opens multiple channels over HTTP, QuasarRAT, NDiskMonitor collects N/A
Dropping SOCKS5 proxy and FTP [84], Socksbot HTTPS, NDiskMonitor use AES usernames, files, and
Elephant opens another channel over SOCKS5 RDP, FTP AutoIt base64 encoding, directories and sends
MONSOON proxy to run Powershell scripts, and TINYTYPHON [85] and them back to C&C server
BADNEWS uses RSS feeds and Github SOCKS5 BADNEWS uses XOR Unknown Logger spread
for C&C [83], TINYTYPHON is mainly [110] [83]. through USB to disable
used for data exfiltration [85]. security tools, records
keystrokes, and collect
usernames and IP
addresses [83].
Continued on the next page
 Evasion Tech. Other C&C Settings

APT # FQDNs Note

Campaign DNS HTTP Channels Protocols Obfuscation Payload / C&C IPs

Sandworm Team N/A HTTP, POST requests BlackEnergy is known to operate over HTTP POST Base64 Encoding [86]. The payload includes N/A BlackEnergy has the
a.k.a [86]. multiple channels with [86]. requests highly classified ability to create botnets
BlackEnergy getp and documents and layouts of for destructive attacks
Quedagh [86]. plv fields Ukrainian SCADA and DDoS [86].
for plugin government. In addition,
getpd and BlackEnergy captures
for binaries keystrokes and obtains
download credentials[86].
[86].

Strider a.k.a DNS HTTP over ICMP Remsec open four channels to maximize HTTP, Remsec uses multiple Remsec obtains HTTP
PROJECT- tunneling the persistence over DNS, HTTP, HTTPS, ICMP, DNS encryption schemes keystrokes with its back-
SAURON [87]. and SMTP with TCP, UDP, or ICMP [88]. and SMTP including RC5(CBC), module Sauron, network door
[88]. Remsec.Null session infrastructure layout holds
pipes AES(CBC) and performs ARP scanning, several
RSA [87]. and exfiltrates data[88]. URLs to
locate
C&C
servers
[88].

Regin N/A HTTP over TCP, UDP, Regin opens multiple channels among HTTP, XOR and RC5 [89]. Data exfiltration, Regin (N/A)/
16

and ICMP [89], and internal networks (P2P) over network pipes HTTPS, also obtains keystrokes (4)[111].
HTTPS over proxy of SMB and ICMP raw socket that SMTP, SMB and footprinting info
other victims in internal communicate with the machines on the [111] and [111].
networks [111]. border, which are acting as a router to ICMP raw
forward traffic to C&C servers over HTTP socket [89].
or HTTPS [111].

Red October, N/A Zakladka uses POST Red October backdoors allow a victim to HTTP, Zakladka uses RC4 and Data Exfiltration modules (>60) /
a.k.a Cloud Atlas request [92] connect to C&C through a chain of HTTPS and base64 encoding such as WNFTPSCAN, (10)
[90]. proxies with different locations [91]. FTP [92]. GetFileReg, and FileInfo [91].
Recently, it can also open HTTPS channels do not interact with C&C
to connect cloud services for C&C server directly [92].
communications [90]. WNFTPSCAN
Exfiltrate data to remote FTP servers [90].
Continued on the next page
 Table III: Evasion techniques over TCP/IP protocols PART I.
C&C Protocols C&C Tools C&C Evasion TTP
APT
Campaign HTTP DNS Dynamic Multi-Stage Fallback Multi-hop Multi-Layer
HTTP HTTPS DNS SMTP SOCKS5 SMB FTP P2P RAT Bot. Backdoor Proxy Obfuscation DGA
Embedding tunneling DNS Channels Channels Proxy Encryption

APT 1 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 2 ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 3 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 10 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 12 ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 15 ✓ ✓ ✓ ✓ ✓

APT 16 ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 17 ✓ ✓ ✓ ✓ ✓

APT 18 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 19 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 27 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 28 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 29 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 30 ✓ ✓ ✓ ✓ ✓ ✓ ✓
17

APT 32 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 33 ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 34 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

APT 35 ✓ ✓ ✓ ✓ ✓

APT 37 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

admin@338 ✓ ✓ ✓ ✓ ✓ ✓

Blockbuster ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Cobalt Group ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
 C&C Protocols C&C Tools C&C Evasion TTP
APT
Campaign HTTP DNS Dynamic Multi-Stage Fallback Multi-hop Multi-Layer
HTTP HTTPS DNS SMTP SOCKS5 SMB FTP P2P RAT Bot. Backdoor Proxy Obfuscation DGA
Embedding tunneling DNS Channels Channels Proxy Encryption

Dragonfly 2.0 ✓ ✓ ✓ ✓

Duqu 2.0 ✓ ✓ ✓ ✓

Elderwood ✓ ✓ ✓ ✓ ✓

FIN 7 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Leviathan ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Naikon APT ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Patchwork ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Sandworm ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Strider ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Regin ✓ ✓ ✓ ✓ ✓ ✓ ✓

Red October ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
18
 Network-based
TTP
in China. [53] reports that threat actors of APT 27 frequently
change the IP address of C&C domain, but within the same
subnet.
Alternative
DNS-based Traffic-based
Channel-based

Dynamic
DNS
DGA
Web
Protocol
Data
Obfuscation
Fallback
Channel
Enctrypted
Channel
B. Hijacked FQDNs

FQDN DNS
Non-
Application Stealthy
While the classic DNS spoofing attack targets the DNS
Hijacking Tunelling
Protocol
recursive resolver’s cache to forward the request to a malicious
Domain Legitimate
Low Profile
IP, FQDN hijacking targets the legitimate web server. FQDN
Fronting IP and ASN
Hijacking is the process of hijacking an FQDN with a qualified
Figure 5: Network-based TTPs taxonomy. registered name and legitimate use [3]. First, threat actors
penetrate the web server hosting a legitimate website. Then,
they implant a backdoor on their web pages and send spear-
VI. TAXONOMY OF N ETWORK - BASED TTP S U SED BY fishing emails with a link to the victim. After the victim
APT S is hacked, the backdoor is preconfigured to communicate to
Figure 5 illustrates the taxonomy of the network-based TTPs C&C using the hijacked FQDN. For the network defenses,
based on our findings. The first level is categorized based the hijacked FQDN is a legitimate one, and the NIDS or SOC
on the common usage by users. For example, DNS-based is team cannot discover that the legitimate domain becomes a
normally used for retrieving the DNS resources, such as the IP malicious one. We notice that APT 1 [3], APT 27 [55] and
address of the remote server. In APTs, the possible techniques APT 34 [100] frequently use such a technique for their C&C
used to locate C&C servers include Dynamic DNS, FQDN operations.
Hijacking, Domain Fronting, and stealthy DGA. However,
we include DNS tunneling in this category as it appears
to a SOC analyst to be DNS packets. The second category C. DNS tunneling
relates to traffic-based techniques. We limit this category to
APT 32, APT 34, Cobalt Group, and Strider campaigns
our findings based on our datasets with additional information
use DNS tunneling. A threat actor might embed restricted
based on the technical reports. This includes web protocol,
protocols inside a legitimate one, such as DNS, HTTP, and
data obfuscation, non-application protocol, DNS over HTTPS
SSH. The idea of DNS tunneling is to communicate to C&C
(DoH), low profile, and stealthy behavior. DoH remains in
server via DNS query [112]. For instance, APT 32, a.k.a
this category since it uses HTTPS and is not visible to a SOC
OceanLotus, uses DNS tunneling to avoid NIDS and to bypass
analyst unless they have the key to decipher the packets at the
Firewalls [12]. The destination IPs are legitimate DNS servers,
web proxy. The final category is the possible channels that
i.e., Google and OpenDNS [12]. However, the malicious
can be used during an attack. The two techniques frequently
domain is embedded in the packet, which will be unpacked at
used for APTs are the encrypted and fallback channels. We
some intermediate points to forward the traffic accordingly
keep these two techniques under the channel-based category
[113]. For instance, Pisloader sends a beacon periodically,
because they can act as the backbone for other TTPs, and
with setting flags including response, recursion desired, and
enhance the difficulty of detecting them.
recursion, and in case any additional flags are set, the packet
will be discarded [95]. The obfuscated based64 payloads are
VII. DNS- BASED TTP S attached on the same string with the C&C server domain in
The first line of defense is to stop the APT traffic before it a 4-bytes length [95]. The C&C server responds in the TXT
begins, which relies on detecting malicious domains. However, record of the DNS packet with the same settings [95].
Malicious domain detectors can be evaded using DNS-based
TTPs. In this section, we discuss the TTPs related to DNS
reported in Figure 5. D. Dynamic DNS
Since 2016, Dynamic DNS with third-party services has
A. IP Addresses and ASN been essential for several APTs [43], including APT 1 [3],
Analysts in [82] introduce an analysis of Naikon APT and APT 2 [39], APT 10 [44], APT 15 [46], APT 18 [18],
observe that 99% of the campaign’s domains use two IP Leviathan [79] and Naikon [81]. APT actors frequently register
addresses, and it can reach up to 51 IPs. This suggests that new subdomains under sharing zones with other clients. APT
counting the IP addresses used for a single domain over a 1, for instance, registered hundreds of subdomains over the
time window might be useful. However, if we consider the years and frequently changed the resolution of FQDN to new
autonomous system number (ASN) for a given IP address, then IP addresses of C&C servers by logging into the service via a
we could identify a malicious cluster. For example, in Naikon web-based interface and updating instantly [3]. NIDS and the
APT, six clusters are identified in South Korea (Seoul), China security team view the malicious FQDN using Dynamic DNS
(Kunming and Jinma), Thailand (Bangkok), and the USA as a domain from a public service, which makes it difficult to
(Denver), with 22 city DNS resolutions referring to Kunming classify it as malicious.

19
 60
Distribution of ELD Length
50
40
Length

30
20
10
0

Taidoor

SilverTerrier
Patchwork

Poseidon

Pegasus
WIRTE
APT38
NaikonAPT
APT12
Tranco 1 - 100
Tranco 101 - 1k

Malware
Blockbuster
Elderwood
MoonLight
Sandworm
Silence
SmokeScreen
Unkown
APT16
APT17
APT10
APT19
APT2
DarkHydrus
FIN7
Machete
Sowbug
Tranco 10k - 50k
Tranco 1k - 10k
APT15
APT30
APT33
APT37
Calypso
Gorgon
ICEFOG
Magecart
Tranco 300k - 400k
Tranco 50k - 100k
APT18
APT27
APT32
APT41
CobaltGroup
Strider
Tranco 100k - 200k
Tranco 200k - 300k
Tranco 400k - 500k
APT29
APT39
APT40
FIN8
APT1
APT28
Donot

APT34
Mustang
APT35
APT3
Figure 6: Campaigns are sorted by median length. APT and legitimate domain campaigns are interleaved. The upper and
lower caps refer to the 90th and 10th percentile, whereas the upper and lower sides for each box represent the 75th and 25th
percentile. Finally, the mid-line inside boxes are median values, and diamonds refer to outliers.

Set ELD (.TLD) for using binary DGAs modules attached to the malware to
I. Bitsquatting algorithmically generate domains (AGDs) until C&C channel
APT 35 telagram ([.]net) is established [115]. Once the host is infected by malware with
Legitimate telegram ([.]org) the DGA module, the module will start sending a random
DNS query with a seed value known upfront by the threat
II. DGA-Like Alexa-based actor. The communication will then be initiated with the C&C
APT 34 egoogle ([.]org)
Legitimate google ([.]org) server if the DNS query matches a registered domain. In the
APT context, APT 28 and APT 34 are the main examples of
IV. DGA-Like Dictionary-based campaigns using DGA. Backdoor uses DGA to create more
ICEFOG sportsnewsa ([.]net) domains upon the request of C&C servers in hours and destroy
Legitimate sportsmansoutdoorsuperstore ([.]com) it within 24 hours [116]. These make it hard to predict what
V. DGA-Like Random Character
APT 28 message-id8665213 ([.]com) domain names will be used, and even when the algorithm is
Legitimate xn—-8sbkahkuskl1n ([.]com) successfully reverse-engineered, take-downs are expensive as
only a small fraction of a large number of generated domains
VI. Dynamic DNS With Third Party is effectively registered by an adversary.
APT 15 ensun ([.]dyndns[.]org)
Legitimate erogamescape ([.]dyndns[.]org)

VII. Technical Process F. Domain Fronting and Multi-hop Proxy

APT 28 accoounts-google ([.]com)
Legitimate googleaccountlogin ([.]com) Domain fronting is an evasive technique that conceals the
VII. Typosquatting location of the remote C&C server [117]. The backdoor
APT 34 miedafire ([.]com) implanted in a victim machine pretends to communicate with
a legitimate host over HTTPS. The legitimate host is only an
II. TLD Squatting intermediate step to communicate with the true destination.
WIRTE microsoft ([.]store) This chain may include multiple hops. The domain outside of
Legitimate microsoft ([.]com)
the HTTPS request is a legitimate one, while the inside the
IX. Phishing HTTPS is the true destination, which is encrypted (Figure 7).
Patchwork yahoomail ([.]pw|[.]support) We observe that APT 29 [15] and Blockbuster [73] use
Legitimate (mail[.]) yahoo ([.]com) domain fronting and multi-hop proxy. APT 29 connects to the
Table IV: Examples of APT ELDs across different evasion onion router (TOR) with the domain fronting technique, i.e., a
techniques. domain included in the TLS header refers to Google services.
The destination domain (TOR multiple hops) is hidden in
the HTTP header until it connects back to a threat actor
[97]. To update the FQDN for newer C&C servers, the Duke
E. Stealthy Domain Generation Algorithms (DGA)
malware may receive the IP address and exfiltrate over Twitter
DGAs generate a large number of pseudo-random variations and Microsoft One Drive [14]. In addition, the TOR tunnel
of domain names using algorithms based on arithmetic, hash provides remote access to the victim by using Server Message
functions, wordlists, and permutations [114]. Normally, DGA Block (SMB) and NetBIOS. Throughout this operation, the
is used as a backup plan for the botnets to communicate back HTTP POST header appears to the NIDS as a legitimate URL
to a master bot [115]. Zeus and Cryptolocker are pretty famous with unsuspicious parameters [97].

20
 Figure 7: An example of domain fronting [117].

VIII. T RAFFIC - BASED TTP S communication. In order to conceal their C&C traffic, adver-
After APT operators successfully evade the defenses and saries may masquerade as genuine protocols or online services.
locate the C&C server, they deploy several traffic-based TTPs To trick security tools into thinking the following traffic
to continue undetected. This section discusses the TTPs related is encrypted with SSL/TLS or to make their traffic appear
to the traffic itself. to originate from a trusted source, attackers can spoof an
SSL/TLS handshake. For example, A false TLS handshake is
A. Web Protocol generated by Bankshot using a public certificate to camouflage
C&C network communication [120]. Cobalt Strike simulates
In order to evade detection and network filtering, adversaries
HTTP while concealing malicious data by adding it to the URI,
may communicate by utilizing application layer protocols
hiding it in headers, parameters, or transaction bodies, or using
typical of online traffic. The protocol data exchanged between
a combination of these methods [74]. Okrum uses a protocol
a client and server will contain instructions for the remote sys-
that is quite similar to HTTP for C&C communication, but it
tem and, typically, the responses to those instructions. Internet
conceals the actual messages in the Cookie and Set-Cookie
communication protocols like HTTP(S) [39] and WebSocket
headers of the HTTP requests that it makes [121]. In our
[118] may be widely used. Many different kinds of information
dataset, we commonly observe protocol impersonation through
can be hidden in the various fields and headers of an HTTP(S)
fake TLS over HTTP. In Figure 9, we observe beaconing
packet. An attacker can utilize this to communicate with target
Mivast and Sakula malware adopt such a technique while the
systems under their control while appearing to be legitimate
traffic is sent as impulses in periodic time slots.
network traffic.
In our dataset described in Section III, APT28 uses a mal- However, the protocol impersonation technique may include
ware called Zebrocy. The malware has been observed spread- customized protocol. For instance, SolarWinds use the Orion
ing through maliciously produced Word documents with ma- Improvement Programme (OIP), where their users can provide
licious macros and Dynamic Data Exchange (DDE)-based via feedback on the quality, functionality, and usefulness of their
social engineering or attachments targeting governments [119]. products in order to guide future development. Data about
In our analysis, we confirm that the information of the infected errors and other unusual occurrences in the system is also
hosts is collected and then sent back to 220.128.216[.]127 compiled [122]. Therefore, The SUNBURST Backdoor is
using HTTP with the POST method. In Figure 8, we extract able to blend in with legal SolarWinds activity because it
the HTTP header and identify the usage of WinHTTP, a library disguises its network traffic as the OIP protocol and keeps its
often used as a web crawler or bot. reconnaissance results within legitimate plugin configuration
files [123].

Bidrectional Traffic With Mivast and Sakula Remote Server IP: 3.223.115.185
2656

2125
Traffic (KB)

1594

1062

531

0
Figure 8: Zebrocy pushes collected information of the infected 0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900
host using the POST method with WinHTTP library. Time (seconds)

Figure 9: Mivast and Sakula malware gather information

and send it back to the operator periodically through data
B. Data Obfuscation Through Protocol Impersonation obfuscation through protocol impersonation.
A common tactic used by adversaries to prevent analysis
and conceal C&C activity is to forge protocol or web service

21
C. Non-Application Protocol 17600
Bidrectional Traffic With njRAT Remote Server IP: 104.108.144.144
16500
An adversary may use a non-application layer protocol for 15400
14300
13200
communication between a host and a C&C server or between 12100
11000

Traffic (KB)
infected hosts inside a network [124]. Numerous protocols can 9900
8800
be considered. Network layer protocols like Internet Control 7700
6600
5500
Message Protocol (ICMP), transport layer protocols like User 4400
3300
Datagram Protocol (UDP), session layer protocols like Socket 2200
1100
Secure (SOCKS), and redirected/tunnelled protocols like Se- 0
0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900
rial over LAN (SOL) are all used as examples. Time (seconds)
Bidrectional Traffic With Legitimate Remote Server IP: 104.244.42.129
Host-to-host communication via ICMP is one example. 17600
Since ICMP is included in the Internet Protocol Suite, all IP- 16500
15400
14300
compatible hosts must support it. However, unlike TCP and 13200
12100

Traffic (KB)
11000
UDP, it is not as widely monitored and could be used by 9900
8800
7700
attackers looking to conceal conversations [125]. In Figure 10, 6600
5500
4400
we show an APT operator using NanoCore interacting with the 3300
2200
victim using raw TCP only. 1100
0
0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900
Time (seconds)
Bidrectional Traffic With NanoCore Remote Server IP: 79.134.225.92
306.0
Figure 11: Stealthy malicious APT StringPity compared legit-
244.8
imate behavior.
Traffic (KB)

183.6

122.4

61.2 may gather the information around the network to minimize

0.0 their traffic at a low profile.
0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900
Time (seconds) We can see the low magnitude of the malicious traffic for
most TTPs in the figures presented in this section. However, let
Figure 10: NanoCore executes remote commands and collects us take another example that stays in low profile mode while
information over Raw TCP. it does not use any previous traffic-based TTPs other than the
non-application TTP. Figure 12 shows the behavior of Remcos.
Remcos is a highly developed RAT that allows remote control
D. Stealthy Behavior and monitoring of any Windows machine running XP or later.
Many reports blend stealthy behavior with a low profile. Data is collected and transmitted to C&C servers, including
However, our findings show that stealthy behavior should OS version, user access, and processor revision number and
be categorized as a different concept. Stealthy behavior is architecture [126].
normally used for uploading a malicious payload. That means
Bidrectional Traffic With Remocs Remote Server IP: 79.134.225.28
some packets are sent/received in a burst within a short period. 2670

For example, based on our analysis, njRAT exchanges data 2136

with the APT C&C within 76.53 seconds to drop the payload
Traffic (KB)

1602
and exfiltrate initial information. In Figure 11, we show the
1068
difference between the stealthy behavior and the legitimate
534
one. We notice that the volume of the burst does not exceed the
legitimate threshold. In our example, the maximum magnitude 0
0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900
of the burst for a single second is 7,614, compared to 18,630 Time (seconds)
KB for the legitimate one. This means the stealthy packets
Figure 12: Remcos transfers the collected data of the infected
consume only 40.87% of the legitimate threshold. However,
machine.
we can see that the njRAT stealthy packets exchange data
nearly without pausing after executing remote commands at
the beginning. Once the mission is done, no packets are
exchanged in the same time window. IX. A LTERNATIVE C HANNEL - BASED TTP S
As described before, APT campaigns establish alternative
E. Low Profile channels for either persistence or NIDS obstruction. In this
section, we describe the most common techniques used by
Most of the reports produced by governments and security most APTs.
vendors emphasize that the APT traffic normally operates at a
low profile. That means an adversary is aware of the typical
traffic volume in an enterprise network. An adversary may A. Encrypted Channel
guess based on the number of hosts connected in the internal It is well-known that several malware families use en-
network. During the initial compromise stage, an adversary cryption for their communication. However, a multi-level

22
encryption channel can be adopted in the APT settings. A a. GRIFFON Backdoor Attack Plan
common technique is to use Base64 encoding to disguise the

Traffic (KB)
10000
remote commands using another encoding scheme such as
5000
UTF, ASCII or, simply, rotate by 13 places (ROT13). Next,
the output is XORed the plaintext with the pad, and encrypt 0
0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900
the output using symmetric encryption algorithms such as Time (seconds)
b. GRIFFON First Channel With Remote Server 31.3.232.105
block ciphers (e.g. AES) or stream ciphers (e.g. RC4). Later,
when the traffic is carried over a trusted VPN, SOCK5, or 2000

Traffic (KB)
TLS, the local network cannot identify the real information 1000
even after deciphering the connection. In this way, the local 0
NIDS can be evaded as it sees the traffic came from public 0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900
Time (seconds)
encrypted services such as GitHub, Dropbox, GoogleDrive, or c. GRIFFON Second Channel With Remote Server 193.187.174.158
any account on the social media platform. 4000

Traffic (KB)
3000
2000
B. Fallback Channel 1000
APT operators establish alternative channels with different 0
0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900
IP addresses for two purposes. First, maintain persistence by Time (seconds)
providing a backup channel if one is detected and blocked. d. GRIFFON Third Channel With Remote Server 46.21.253.39
Second, stay undetected by following a divide-and-conquer

Traffic (KB)
10000
strategy, which is the main reason for using fallback channels 5000
as a backbone to enable other TTPs deployment. We focus on
0
this goal for the rest of our discussion and analysis here. As we 0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900
Time (seconds)
know that APT operators carry out their different operations, e. GRIFFON Fourth Channel With Remote Server 195.16.91.14
such as payload download, controlling the victims with remote
Traffic (KB)

10000
commands, crawling the information of the infected network,
and exfiltrating data. 5000

In practice, it is nearly impossible, with the current de- 0

0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900
fenses in highly secure environments, to accomplish these Time (seconds)
operations without being detected. Therefore, APT campaigns
establish many remote servers to communicate with and split Figure 13: GRIFFON divides its communication with its C&C
the communications among them to appear several legitimate over four channels.
behaviors from the enterprise point of view. For example,
the first channel can be dedicated to downloading an internal
reconnaissance tool by a combination of stealthy and web the datasets introduced in Section III. We notice that over the
protocol TTPs. In addition, a new domain is sent using one past 22 years, spearphishing links have been popular to deliver
of the DNS-based TTPs to evade malicious traffic and domain the backdoors until now, which emphasizes the importance of
detectors. developing a detective approach to defending against malicious
In Figure 13.a, we plot the planned traffic to be exchanged domains. Spearphishing attachments are also popular and can
with C&C server. However, Figure 13.b-e depicts the actual break the current host-based intrusion detection, which is out
behavior, which is split over four C&C servers during the of the paper’s scope, and we leave it for future work.
same 15 minutes. Now, the first channel carries out the In Section V, we discuss if the APTs are a single malware
remote commands and retrieves initial internal reconnaissance or an arsenal of malware. We reported the backdoors for each
information of the infected network. Just before being idle campaign to confirm that APTs used a collection of malware,
(Figure 13.a), another domain is sent for the next channel. for instance, up to 26 different malware families used by
With resolving the domain name sent during the first channel, APT 1. Some of these backdoors are communicating with the
a second channel starts to communicate to another C&C remote C&C server. There is a chance to find if an organization
server. The second channel continues retrieving more internal is under an APT campaign attack if we are able to detect
information with another domain sent for the next channel. the malicious traffic by such malware. We find that 84.8% of
Now, the third channel transfers a payload with two large APT campaigns use malware that is described as backdoors
impulses. Further tools are also sent over the last channel. and 78.7% are RAT while only 6% are botnets as depicted
Finally, APT operators prepare the tools needed for further in Figure 14.a. That clarifies that APTs rarely use botnets for
tasks. For example, they can keep a logger and transfer the their attack and rely heavily on customized backdoors and
usernames and passwords, or they can continue with the lateral RATs.
movement stage to control another victim in the same network. Since our scope in this paper is to defend against APTs
using network data, we limit the rest of the discussion to our
X. D ISCUSSION findings related to the popular protocols and TTPs used to
In this section, we summarize and discuss our findings based communicate to C&C server.
on the investigation of 118 technical reports and the analysis of Figure 14.b shows that all APT campaigns have continued

23
 100
95 100
90 95
85 90
80 85
75 80
70 75
65 70
60 65
Percentage

55 60

Percentage
50 55
45 50
40 45
35 40
30 35
25 30
20 25
15 20
10 15
5 10
0
Spear Spear Waterhole USB Backdoor RAT Botnet 5
Phishing Phishing sticks 0
Attachment Link HTTP HTTPS DNS SMTP P2P SOCKS5 SMB FTP

(a) Most popular delivery methods. (b) Most popular protocols usage.

100
95
90
85
80
75
70
65
60
Percentage

55
50
45
40
35
30
25
20
15
10
5
0
Data Fallback Encrypted Proxy HTTP Dynamic DNS DGA Domain
Obfuscation Channel Channel Embedding DNS Tunnling Fronting
(c) Top TTPs usage.

Figure 14: Investigation summary based on 33 APT campaigns.

using HTTP since 2001 to evade NIDS detection, emphasising as we have seen in Section IX-B, which are been quite a
that we need to carefully detect malicious connections that use popular approach in the past two decades.
HTTP protocol. That does not mean every single connection The multi-level encrypted channel is also popular and is
will use HTTP protocol, but it means at least every APT used by 54.5% of APT campaigns to evade decryption if the
campaign will use HTTP once at a time. 81% of APT TLS traffic is blocked unless the decrypt key is available for
campaigns rely on HTTPS to bypass NIDS that rely on HTTP the web proxy. Therefore, even if the traffic is decrypted,
plaintext features. Since HTTP protocol normally starts with another layer is still held, such as an encoding technique or
DNS domain resolution, 45% of APTs use DNS protocols, block cipher, as described in Section IX-A. The next popular
while the others use HTTP with a preconfigured IP address. TTP is domain fronting and multi-hop proxy, which is more
Also, 24.2% of APT campaigns deliver their malware using than half (51.5%) of APT campaigns exploit such technique
spearphishing links, which we should also consider to detect together and 24.2% only use domain fronting, to conceal the
malicious URLs. SMTP, P2P, SOCKS5, SMB and FTP come location of the remote C&C server as described in Section
next with 24%, 21.2%, 18.1%, 18.1%, and 18%, respectively. VII-F. Other DNS-based TTPs are also found, with 27.2%
To design a reliable approach to detect APTs, we study using dynamic DNS, and 24.2% exploiting DGA or DNS
their usage of TTPs that enable them to bypass NIDS. Figure tunneling. This leads to the importance of considering the
14.c shows that APTs typically adopt data obfuscation through detection of malicious domains and UDP-based traffic.
protocol impersonation. We show an example of Mivast and
Skula malware in Figure 9 impersonating legitimate HTTPS. XI. C ONCLUSION
The next popular TTP is the fallback channel to split the traffic In this paper, we highlight the importance of developing a
volume over multiple C&C servers, which is used by 60.6% successful APT detection strategy, which can be achieved by,
of APT campaigns. This percentage is increasing over time to first, studying the network-based TTPs. These TTPs pose a
evade detective approaches that rely on volume-based features, challenge when it comes to distinguishing between malicious

24
and legitimate activities. Consequently, when formulating ap- [15] D. Alperovitch, “Bears in the midst: Intrusion into the democratic
proaches for the next generation of NIDS against APTs, it is national committee.” https://www.crowdstrike.com/blog/bears-midst-
intrusion-democratic-national-committee/. Accessed: 2019-04-14.
imperative to consider the particular context of the attack. [16] S. S. Response, “Buckeye cyberespionage group shifts gaze
We analyze 33 APT traffic campaigns (Tables I and II) in from us to hong kong.” https://www.symantec.com/connect/blogs/
terms of many features of TTPs, including evasion techniques, buckeye-cyberespionage-group-shifts-gaze-us-hong-kong, September
2016. Accessed: 2019-04-23.
protocols, payloads, obfuscation, and channels. We observe [17] H. Carvey, “Where you at?: Indicators of lateral movement using
several APT campaigns use zero-day vulnerabilities, and we at.exe on windows 7 systems.” https://www.secureworks.com/blog/
denote that in Table I. For instance, Stuxnet uses four zero- where-you-at-indicators-of-lateral-movement-using-at-exe-
on-windows-7-systems, September 2014. Accessed: 2019-04-14.
day exploits, while Elderwood uses eight [38]. However, other [18] A. Shelmire, “Evasive maneuvers by the wekby group with custom
APTs such as Taidoor reuse exploits [38]. These different rop-packing and dns covert channels.” https://www.anomali.com/blog/
exploits provide multiple persistence against targeted organiza- evasive-maneuvers-the-wekby-group-attempts-to-evade-
analysis-via-custom-rop, July 2015. Accessed: 2019-04-14.
tions. In addition to that, we discuss some evasion techniques [19] F. Lab, “APT 37 (reaper) the overlooked north korean actor, special
used by a wide range of campaigns and summarized in Table report,” 2018.
III. [20] S. Khattak, N. R. Ramay, K. R. Khan, A. A. Syed, and S. A.
Khayam, “A taxonomy of botnet behavior, detection, and defense,”
We conclude that typical malware or multi-stage attacks are IEEE communications surveys & tutorials, vol. 16, no. 2, pp. 898–
run normally by individuals or small teams. On the other hand, 924, 2013.
APTs are launched by a group of highly skilled people and [21] G. Zhao, K. Xu, L. Xu, and B. Wu, “Detecting APT malware infections
based on malicious dns and traffic analysis,” IEEE access, vol. 3,
mostly funded by governments. Finally, we define the most pp. 1132–1142, 2015.
popular network-based TTPs used by APTs. We focused on [22] G. Vormayr, T. Zseby, and J. Fabini, “Botnet communication patterns,”
HTTP(S) and DNS protocols and categorized 13 TTPs related IEEE Communications Surveys & Tutorials, vol. 19, no. 4, pp. 2768–
2796, 2017.
to these protocols since HTTP(S) and DNS are the popular [23] M. Ussath, D. Jaeger, F. Cheng, and C. Meinel, “Advanced persistent
protocols among APTs with 81% and 45%, respectively. We threats: Behind the scenes,” in Annual Conference on Information
present several examples based on our datasets [25], [127] in Science and Systems (CISS 16), pp. 181–186, IEEE, 2016.
[24] P. Chen, L. Desmet, and C. Huygens, “A study on advanced persistent
addition to further resources from the industry. threats,” in IFIP International Conference on Communications and
Multimedia Security, pp. 63–72, Springer, 2014.
[25] A. Alageel and S. Maffeis, “H AWK -E YE: Holistic detection of APT
R EFERENCES command and control domains,” in In The 36th ACM/SIGAPP Sympo-
sium on Applied Computing (SAC 21), pp. 1664–1673, ACM, 2021.
[1] P. Cichonski, T. Millar, T. Grance, and K. Scarfone, “Computer security [26] E. M. Hutchins, M. J. Cloppert, and R. M. Amin, “Intelligence-
incident handling guide,” NIST Special Publication, vol. 800, no. 61, driven computer network defense informed by analysis of adversary
pp. 1–147, 2012. campaigns and intrusion kill chains,” Leading Issues in Information
[2] C. Tankard, “Advanced persistent threats and how to monitor and deter Warfare & Security Research, vol. 1, no. 1, p. 80, 2011.
them,” Network security, vol. 2011, no. 8, pp. 16–19, 2011. [27] J. de Vries, H. Hoogstraaten, J. van den Berg, and S. Daskapan, “Sys-
[3] D. McWhorter, “APT 1: Exposing one of china’s cyber espionage tems for detecting advanced persistent threats: A development roadmap
units,” Feb 2013. FireEye Mandiant Lab. using intelligent data analysis,” in 2012 International Conference on
[4] A. Alageel and S. Maffeis, “E ARLY C ROW: Detecting APT malware Cyber Security, pp. 54–61, IEEE, 2012.
command and control over HTTP(S) using contextual summaries,” in [28] P. Giura and W. Wang, “A context-based detection framework for
25th International Information Security Conference (ISC 22), pp. 290– advanced persistent threats,” in International Conference on Cyber
316, Springer, 2022. Security, pp. 69–74, IEEE, 2012.
[5] M. A. Talib, Q. Nasir, A. B. Nassif, T. Mokhamed, N. Ahmed, [29] T. Yadav and A. M. Rao, “Technical aspects of cyber kill chain,” in In-
and B. Mahfood, “Apt beaconing detection: A systematic review,” ternational Symposium on Security in Computing and Communication,
Computers & Security, p. 102875, 2022. pp. 438–452, Springer, 2015.
[6] A. Lemay, J. Calvet, F. Menet, and J. M. Fernandez, “Survey of publicly [30] D. Kiwia, A. Dehghantanha, K.-K. R. Choo, and J. Slaughter, “A
available reports on advanced persistent threat actors,” Computers & cyber kill chain based taxonomy of banking trojans for evolutionary
Security, vol. 72, pp. 26–59, 2018. computational intelligence,” Journal of computational science, vol. 27,
[7] B. Stojanović, K. Hofer-Schmitz, and U. Kleb, “Apt datasets and attack pp. 394–409, 2018.
modeling for automated detection methods: A review,” Computers & [31] G. Ioannou, P. Louvieris, N. Clewley, and G. Powell, “A markov multi-
Security, vol. 92, p. 101734, 2020. phase transferable belief model: An application for predicting data
[8] A. Alshamrani, S. Myneni, A. Chowdhary, and D. Huang, “A survey exfiltration apts,” in Proceedings of the 16th International Conference
on advanced persistent threats: Techniques, solutions, challenges, and on Information Fusion, pp. 842–849, IEEE, 2013.
research opportunities,” IEEE Communications Surveys & Tutorials, [32] S. M. Milajerdi, R. Gjomemo, B. Eshete, R. Sekar, and V. Venkatakr-
2019. ishnan, “Holmes: real-time APT detection through correlation of sus-
[9] B. E. Strom, J. A. Battaglia, M. S. Kemmerer, W. Kupersanin, picious information flows,” arXiv preprint arXiv:1810.01594, 2018.
D. P. Miller, C. Wampler, S. M. Whitley, and R. D. Wolf, “Finding [33] S. Mathew, S. Upadhyaya, M. Sudit, and A. Stotz, “Situation awareness
cyber threats with att&ck™-based analytics,” tech. rep., The MITRE of multistage cyber attacks by semantic event fusion,” in Military
Corporation, 2017. Communications Conference (MILCOM 10), pp. 1286–1291, IEEE,
[10] R. Benchea, C. Vatamanu, A. Maximciuc, and V. Luncaşu, “APT 28 2010.
under the scope a journey into exfiltrating intelligence and government [34] B. Farinholt, M. Rezaeirad, D. McCoy, and K. Levchenko, “Dark
information,” 2015. matter: Uncovering the darkcomet rat ecosystem,” in Proceedings of
[11] E. Research, “Sednit update: How fancy bear spent the year.” The Web Conference (WWW 20), pp. 2109–2120, 2020.
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear- [35] M. Rezaeirad, B. Farinholt, H. Dharmdasani, P. Pearce, K. Levchenko,
spent-year/, December 2017. Accessed: 2019-04-10. and D. McCoy, “Schrödinger’s RAT: Profiling the stakeholders in the
[12] A. Dahan, “Operation cobalt kitty: A large-scale APT in asia carried out remote access trojan ecosystem,” in 27th USENIX Security Symposium
by the oceanlotus group.” https://www.cybereason.com/blog/operation- (USENIX Security 18), pp. 1043–1060, 2018.
cobalt-kitty-apt. Accessed: 2019-04-14. [36] B. Farinholt, M. Rezaeirad, P. Pearce, H. Dharmdasani, H. Yin,
[13] C. Labs and A. Dahan, “Operation cobalt kitty cybereason labs S. Le Blond, D. McCoy, and K. Levchenko, “To catch a ratter:
analysis,” 2017. Monitoring the behavior of amateur darkcomet rat operators in the
[14] F.-S. L. T. Intelligence, “The dukes 7 years of russian cyberespionage,” wild,” in IEEE Symposium on Security and Privacy (S&P 17), pp. 770–
2016. 787, IEEE, 2017.

25
[37] M. Heinemeyer, “Fin7.5: the infamous cybercrime rig “fin7” continues [64] N. Carr, “Cyber espionage is alive and well: APT 32 and the threat
its activities.” https://securelist.com/fin7-5-the-infamous-cybercrime- to global corporations.” https://www.fireeye.com/blog/threat-research/
rig-fin7-continues-its-activities/90703//. Accessed: 2021-07-18. 2017/05/cyber-espionage-apt32.html, May 2017. Accessed: 2019-06-
[38] G. O’Gorman and G. McDonald, “The elderwood project,” September 10.
2012. [65] J. O’Leary, J. Kimble, K. Vanderlee, and N. Fraser, “Insights
[39] C. G. I. Team, CrowdStrike Intelligence Report: Putter Panda. Crowd- into iranian cyber espionage: APT 33 targets aerospace
Strike, June 2014. and energy sectors and has ties to destructive malware.”
[40] C. A. Korban, D. P. Miller, A. Pennington, C. B. Thomas, and T. M. https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-
Corporation, “APT 3 adversary emulation plan,” September 2017. into-iranian-cyber-espionage.html. Accessed: 2019-04-20.
[41] N. Moran, M. Scott, M. Oppenheim, and J. Homan, “Opera- [66] S. R. A. I. T. at Symantec, “Elfin: Relentless espionage group
tion double tap.” https://www.fireeye.com/blog/threat-research/2014/ targets multiple organizations in saudi arabia and u.s..” https:
11/operation_doubletap.html, November 2014. Accessed: 2019-04-23. //www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage.
[42] M. Yates, APT 3 Uncovered: The code evolution of Pirpi. Palo Alto Accessed: 2019-04-20.
Networks, June 2017. [67] G. Ackerman, R. Cole, A. Thompson, A. Orleans, and N. Carr,
[43] PwC and B. Systems, “Operation cloud hopper,” April 2017. “Overruled: Containing a potentially destructive adversary.”
[44] PwC and B. Systems, “Operation cloud hopper technical annex,” April https://www.fireeye.com/blog/threat-research/2018/12/overruled-
2017. containing-a-potentially-destructive-adversary.html. Accessed:
[45] N. Moran and M. Oppenheim, “Darwin’s favorite APT group.” 2019-04-20.
https://www.fireeye.com/blog/threat-research/2014/09/darwins- [68] M. Sardiwal, V. Cannon, N. Fraser, Y. Londhe, N. Richard,
favorite-apt-group-2.html. Accessed: 2019-04-18. and J. O’Leary, “New targeted attack in the middle east by
[46] N. Villeneuve, J. T. Bennett, N. Moran, T. Haq, M. Scott, and K. Geers, apt34, a suspected iranian threat group, using cve-2017-11882 ex-
“Operation “ke3chang”: Targeted attacks against ministries of foreign ploit.” https://www.fireeye.com/blog/threat-research/2017/12/targeted-
affairs,” 2014. attack-in-middle-east-by-apt34.html. Accessed: 2019-04-21.
[47] N. Group, “Apt15 is alive and strong: An analysis of royalcli and [69] R. Falcone and B. Lee, “Oilrig uses ismdoor variant; possibly linked
royaldns.” https://www.nccgroup.trust/uk/about-us/newsroom-and- to greenbug threat group.” https://unit42.paloaltonetworks.com/unit42-
events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of- oilrig-uses-ismdoor-variant-possibly-linked-
royalcli-and- greenbug-threat-group/. Accessed: 2019-04-21.
royaldns/. Accessed: 2019-04-18. [70] T. Intelligence and C. P. Research, “Rocket kitten: A campaign with 9
[48] R. Winters, “The eps awakens - part 2.” https://www.fireeye.com/ lives,” 2015.
blog/threat-research/2015/12/the-eps-awakens-part-two.html, Decem- [71] F. T. Intelligence, “China-based cyber threat group uses drop-
ber 2015. Accessed: 2019-04-18. box for malware communications and targets hong kong media
[49] G. Jiang, D. Caselden, and R. Winters, “The eps awakens.” https:// outlets.” https://www.fireeye.com/blog/threat-research/2015/11/china-
www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html, based-threat.html. Accessed: 2019-04-20.
December 2015. Accessed: 2019-04-18. [72] Novetta, “Operation blockbuster: Unraveling the long thread of the
[50] F. L. . F. T. Intelligence, “Hiding in plain sight: Fireeye and microsoft sony attack,” August 2017.
expose,” May 2015. [73] Novetta, “Operation blockbuster: Remote administration tools and
[51] J. Grunzweig and B. Lee, “New attacks linked to c0d0so0 group.” https: content staging malware report,” August 2017.
//unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/. [74] P. Technologies, “Colbat snatch,” December 2016.
Accessed: 2019-04-10.
[75] V. Svajcer, “Multiple cobalt personality disorder.” https:
[52] I. Ahl, “Privileges and credentials: Phished at the request of counsel.”
//blog.talosintelligence.com/2018/07/multiple-cobalt-personality-
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-
disorder.html, July 2018. Accessed: 2019-04-05.
request-of-counsel.html. Accessed: 2019-04-10.
[76] S. S. Response, Dragonfly: Cyberespionage AttacksAgainst Energy
[53] D. S. C. T. U. T. Intelligence, “Threat group 3390 cyberespionage.”
Suppliers. Symantec, July 2014.
https://www.secureworks.com/research/threat-group-3390-targets-
[77] K. Lab, The Duqu 2.0 technical details. Kaspersky, June 2015.
organizations-for-cyberespionage, August 2015. Accessed: 2019-04-
23. [78] N. Carr, K. Goody, S. Miller, and B. Vengerik, “On the
[54] C. T. U. R. Team, “Bronze union cyberespionage persists despite dis- hunt for fin7: Pursuing an enigmatic and evasive global crimi-
closures.” https://www.secureworks.com/research/bronze-union, June nal operation.” https://www.fireeye.com/blog/threat-research/2018/08/
2017. Accessed: 2019-04-23. fin7-pursuing-an-enigmatic-and-evasive-global-criminal-
[55] D. Legezo, “Luckymouse hits national data center to organize country- operation.html, August 2018. Accessed: 2019-05-01.
level waterholing campaign.” https://securelist.com/luckymouse-hits- [79] F. Plan, N. Fraser, J. O’Leary, V. Cannon, and B. Read,
national-data-center/86083/, June 2018. Accessed: 2019-04-23. “Apt40: Examining a china-nexus espionage actor.” https:
[56] F. Lab, “APT 28: A window into russia’s cyber espionage operations //www.fireeye.com/blog/threat-research/2019/03/apt40-examining-
and a special report,” 2014. a-china-nexus-espionage-actor.html, March 2019. Accessed: 2019-
[57] C. Anthe, P. Chrzan, E. Florio, C. Foster, P. Henry, J. Jones, N. Ng, 05-04.
N. O’Sullivan, D. Pecelj, A. Penta, I. Ragragio, T. Rains, and P. Rebriy, [80] F. Lab, “Suspected chinese cyber espionage group (temp.periscope)
Microsoft Security Intelligence Report, vol. 19. Microsoft, June 2015. targeting u.s. engineering and maritime industries.” https:
[58] S. R. A. I. Team, “APT 28: New espionage operations target mili- //www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-
tary and government organizations.” https://www.symantec.com/blogs/ espionage-group-targeting-maritime-and-
election-security/apt28-espionage-military-government, October 2018. engineering-industries.html, March 2018. Accessed: 2019-05-04.
Accessed: 2019-04-10. [81] K. Baumgartner and M. Golovkin, “The msnmm campaigns the earliest
[59] E. Lab, En Route with Sednit Part 2: Observing the Comings and naikon APT campaigns,” May 2015.
Goings, vol. 1. ESET, October 2016. [82] T. Inc. and D. G. Inc, “Camerashy closing the aperture on china’s unit
[60] D. of Homeland Security and F. B. of Investigation, “Grizzly steppe – 78020,” 2015. Accessed: 2019-01-25.
russian malicious cyber activity,” December 2016. [83] D. Lunghi, J. Horejsi, and C. Pernet, “Untangling the patchwork
[61] M. Dunwoody, A. Thompson, B. Withnell, J. Leathery, cyberespionage group,” October 2018.
M. Matonis, and N. Carr, “Not so cozy: An uncomfortable [84] M. Meltzer, S. Koessel, and S. Adair, “Patchwork APT group targets
examination of a suspected apt29 phishing campaign.” us think tanks.” https://www.volexity.com/blog/2018/06/07/patchwork-
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy- apt-group-targets-us-think-tanks/, June 2018. Accessed: 2019-04-02.
an-uncomfortable-examination-of-a-suspected- [85] N. G. Andy Settle and A. Toro, Monsoon – analysis of an APT
apt29-phishing-campaign.html, November 2018. Accessed: 2019-04- campaign espionage and data loss under the cover of current affairs,
14. vol. 1. Raytheon - Forcepoint Security Labs, September 2016.
[62] F. Labs, APT 30 and the mechanics of a long-running cyber espionage [86] F.-S. L. S. Response, Blackenergy and Quedagh. F-Secure, 2014.
operation. FireEye, April 2015. [87] G. Research and A. Team, The ProjectSauron APT. Technical analysis.
[63] R. Dumont, “Fake or fake: Keeping up with oceanlotus decoys.” Kaspersky, August 2016.
https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up- [88] S. S. Response, “Backdoor.remsec indicators of compromise,” August
with-oceanlotus-decoys/. Accessed: 2019-04-14. 2016.

26
 [89] S. S. Response, Regin: Top-tier espionage tool enables stealthy surveil- [115] A. K. Sood and S. Zeadally, “A taxonomy of domain-generation
lance. Symantec, Auguest 2014. algorithms,” IEEE Security & Privacy, vol. 14, no. 4, pp. 46–53, 2016.
[90] G. Research and A. Team, Cloud Atlas: RedOctober APT is back in [116] Y. Fu, L. Yu, O. Hambolu, I. Ozcelik, B. Husain, J. Sun, K. Sapra,
style. Kaspersky, December 2014. Accessed: 2019-05-04. D. Du, C. T. Beasley, and R. R. Brooks, “Stealthy domain generation
[91] G. Research and A. Team, Red October” Diplomatic Cyber Attacks algorithms,” IEEE Transactions on Information Forensics and Security,
Investigation. Kaspersky, January 2013. Accessed: 2019-05-04. vol. 12, no. 6, pp. 1430–1443, 2017.
[92] G. Research and A. Team, Red October” – Part Two, the Modules. [117] D. Fifield, C. Lan, R. Hynes, P. Wegmann, and V. Paxson, “Blocking-
Kaspersky, January 2013. Accessed: 2019-05-04. resistant communication through domain fronting.,” Proceedings on
[93] J. Gross and J. Walter, “Puttering into the future. . . .” https: Privacy Enhancing Technologies, vol. 2015, no. 2, pp. 46–64, 2015.
//threatvector.cylance.com/en_us/home/puttering-into-the-future.html, [118] S. Tavor, “Brazking android malware upgraded and targeting brazil-
January 2016. Accessed: 2019-04-23. ian banks.” https://securityintelligence.com/posts/brazking-android-
[94] N. Pantazopoulos, “Decoding network data from a gh0st rat variant.” malware-upgraded-targeting-brazilian-banks/. 2021-07-17.
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/ [119] F. T. Intelligence, “Weekly threat briefs.” https://www.fortiguard.com/
2018/april/decoding-network-data-from-a-gh0st-rat-variant/, April resources/threat-brief/2018/06/08/fortiguard-threat-intelligence-brief-
2018. Accessed: 2019-04-18. june-08-2018. 2018-06-08.
[95] J. Grunzweig, M. Scott, and B. Lee, “New wekby attacks [120] US-CERT, “Malware analysis report- 10135536-b.” https:
use dns requests as command and control mechanism.” //www.cisa.gov/sites/default/files/publications/MAR-10135536-
https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks- B_WHITE.PDF. 2017-11-13.
use-dns-requests-as-command- [121] E. Research, “Okrum and ketrican: an overview of recent ke3chang
and-control-mechanism/, September 2014. Accessed: 2019-04-14. group activity,” December 2017. Accessed: 2019-07-01.
[96] N. Group, “Emissary panda – a potential new malicious tool.” [122] Mandiant, “Highly evasive attacker leverages solarwinds supply
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/ chain to compromise multiple global victims with sunburst
2018/may/emissary-panda-a-potential-new-malicious-tool/, May backdoor.” https://support.solarwinds.com/SuccessCenter/s/article/
2018. Accessed: 2019-04-23. Orion-Improvement-Program?language=en_US. 2022-07-01.
[97] M. Dunwoody, “Apt29 domain fronting with tor.” [123] Mandiant, “Highly evasive attacker leverages solarwinds supply chain
https://www.fireeye.com/blog/threat-research/2017/03/ to compromise multiple global victims with sunburst backdoor.”
apt29_domain_frontin.html. Accessed: 2019-04-14. https://www.mandiant.com/resources/blog/evasive-attacker-leverages-
[98] D. Lassalle, S. Koessel, and S. Adair, “Oceanlotus blossoms: Mass solarwinds-supply-chain-compromises-with-sunburst-backdoor/.
digital surveillance and attacks targeting asean, asian nations, the me- 2022-05-10.
dia, human rights groups, and civil society.” https://www.volexity.com/ [124] Rufus Brown, Van Ta, and J. Wolfram, “Does this look infected?
blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and- a summary of APT41 targeting U.S. state governments.” https://
exploitation-of-asean-nations-the-media-human-rights-and- www.mandiant.com/resources/blog/apt41-us-state-governments. Ac-
civil-society/, November 2017. Accessed: 2019-06-10. cessed: 2023-06-29.
[99] ESET, “Oceanlotus old techniques, new backdoor,” March 2018. [125] G. Holmes, “Evolution of attacks on cisco ios devices.” https:
[100] “Palo Alto - Unit 42. OilReg.” https://pan-unit42.github.io/ //blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices.
playbook_viewer/. Accessed: April 2019. 2015-10-08.
[101] J. Grunzweig and R. Falcone, “Oilrig malware campaign up- [126] TrendMicro, “Remcos malware information.” https:
dates toolset and expands targets.” https://unit42.paloaltonetworks.com/ //success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-
unit42-oilrig-malware-campaign-updates-toolset-and- information?language=en_US&sfdcIFrameOrigin=null. 2019-12-30.
expands-targets/. Accessed: 2019-04-21. [127] “E ARLY C ROW github repository.” https://github.com/ICL-ml4csec/
[102] B. Lee and R. Falcone, “Magic hound campaign attacks saudi targets.” EarlyCrowAPT.
https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-
attacks-saudi-targets/, February 2017. Accessed: 2019-04-23.
[103] Novetta, “Loaders and installers and uninstallers report,” August 2017.
[104] R. Sherstobitoff, “Lazarus resurfaces, targets global banks and bitcoin
users.” https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/
lazarus-resurfaces-targets-global-banks-bitcoin-users/, Feb 2018. Ac-
cessed: 2019-04-08.
[105] V. Matveena, “Secrets of cobalt: How cobalt hackers bypass your
defenses.” https://www.group-ib.com/blog/cobalt, August 2017. Ac-
cessed: 2019-04-05.
[106] S. R. A. I. Team, Dragonfly: Western energy sector targeted by
sophisticated attack group. Symantec, October 2017. Accessed: 2019-
04-09.
[107] “US-CERT at Department of Homeland Security. Russian govern-
ment cyber activity targeting energy and other critical infrastructure
sectors.” https://www.us-cert.gov/ncas/alerts/TA18-074A, March 2018.
Accessed: 2019-04-09.
[108] J. T. Bennett and B. Vengerik, “Behind the carbanak backdoor.”
https://www.fireeye.com/blog/threat-research/2017/06/behind-the-
carbanak-backdoor.html, June 2017. Accessed: 2019-05-01.
[109] F.-S. L. Threat Intelligence, “Nanhaishu rating the south china sea,”
July 2016.
[110] C. Inc., “Unveiling patchwork – the copy-paste apt: A targeted at-
tack caught with cyber deception.” https://cymmetria.com/research/
patchwork-targeted-attack/, 2016. Accessed: 2019-04-02.
[111] K. Lab, The regin platform nation-state ownage of gsm networks.
Kaspersky, November 2014.
[112] K. Born and D. Gustafson, “Detecting DNS tunnels using character
frequency analysis,” arXiv preprint arXiv:1004.4358, 2010.
[113] C. Qi, X. Chen, C. Xu, J. Shi, and P. Liu, “A bigram based real time
dns tunnel detection approach,” Procedia Computer Science, vol. 17,
pp. 852–860, 2013.
[114] D. Plohmann, K. Yakdan, M. Klatt, J. Bader, and E. Gerhards-Padilla,
“A comprehensive measurement study of domain generating malware,”
in 25th USENIX Security Symposium (USENIX Security 16), pp. 263–
278, 2016.

27