C&C Callback Parent topic

The following actions usually occur when malicious software installs and communicates back to a C&C server:
  • Software called a downloader automatically downloads and installs malware.
  • A human monitoring the C&C server (attacker) responds to the connection with an action. Software called a remote access Trojan (RAT) gives an attacker the ability to examine a system, extract files, download new files to run on a compromised system, turn on a system’s video camera and microphone, take screen captures, capture keystrokes, and run a command shell.
Attackers will attempt to move laterally throughout a compromised network by gaining additional persistent access points. Attackers will also attempt to steal user credentials for data collection spread throughout the network. If successful, collected data gets exfiltrated out of the network to another environment for further examination.
Attackers move at a slow pace to remain undetected. When a detection occurs, they will temporarily go dormant before resuming activity. If an organization eradicates their presence from the network, the attackers will start the attack cycle all over again.