The following actions usually occur when malicious software installs and communicates back to a C&C server:
- Software called a downloader automatically downloads and installs malware.
- A human monitoring the C&C server (attacker) responds to the connection with an action.
- Software called a remote access Trojan (RAT) gives an attacker the ability to examine a system, extract files, download new files to run on a compromised system, turn on a system’s video camera and microphone, take screen captures, capture keystrokes, and run a command shell.
Attackers will attempt to move laterally throughout a compromised network by gaining additional persistent access points. Attackers will also attempt to steal user credentials so they can collect data spread throughout the network. If successful, the collected data gets exfiltrated out of the network to another environment for further examination.
Attackers move at a slow pace to remain undetected. When a detection occurs, they will temporarily go dormant before resuming activity. If an organization eradicates their presence from the network, the attackers will start the attack cycle all over again.
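The slow, periodic callback to a C&C server described above is one of the few things a defender can key on: implants tend to connect to the same external host at near-fixed intervals. The following is an added example, not code from the original text, that flags such regular intervals in a constructed connection log; the log format, the sample addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample outbound-connection log (hypothetical format:
# "<ISO time> <src> -> <dst>"). 203.0.113.7 is contacted every ~30 minutes.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 -> 203.0.113.7
2024-03-01T10:00:03 10.0.0.5 -> 198.51.100.20
2024-03-01T10:30:01 10.0.0.5 -> 203.0.113.7
2024-03-01T10:41:17 10.0.0.5 -> 198.51.100.20
2024-03-01T11:00:02 10.0.0.5 -> 203.0.113.7
2024-03-01T11:05:44 10.0.0.5 -> 198.51.100.20
2024-03-01T11:29:59 10.0.0.5 -> 203.0.113.7
2024-03-01T12:00:00 10.0.0.5 -> 203.0.113.7
2024-03-01T13:12:09 10.0.0.5 -> 198.51.100.20
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        when, src, _, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(when))
    return conns

def find_beacons(conns, min_connections=4, max_jitter=0.05):
    """Flag (src, dst) pairs whose gaps between connections are regular.

    Jitter = stdev / mean of the gaps; a value near 0 means a fixed interval,
    the signature of a scheduled callback. Thresholds are example assumptions.
    """
    hits = []
    for (src, dst), times in conns.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= max_jitter:
            hits.append((src, dst, round(mean(gaps)), round(jitter, 3)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon: %s -> %s every ~%ss (jitter %s)" % hit)
```

The irregular traffic to 198.51.100.20 has the same connection count but high jitter, so only the fixed-interval host is reported; on real data the thresholds need tuning against normal periodic traffic such as update checks.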