1M+ Malware Samples Analysis Reveal Application Layer Abused for Stealthy C2


A recent analysis of over 1 million malware samples revealed a trend in which adversaries increasingly abuse the Application Layer of the Open Systems Interconnection (OSI) model to conduct stealthy Command-and-Control (C2) operations.

By leveraging trusted Application Layer Protocols, attackers are embedding malicious activities within legitimate network traffic, making detection by traditional security measures challenging.

The Role of the Application Layer in Cyberattacks

According to Picus Security, the Application Layer, the seventh layer in the OSI model, is responsible for enabling communication between software applications across networks. 


Protocols like HTTP/S, DNS, SMTP, and MQTT are commonly used in this layer to facilitate web browsing, file transfers, email communication, and IoT device interactions. 

However, these same protocols are being abused by cybercriminals to mask their activities under the guise of legitimate traffic.

According to the MITRE ATT&CK framework’s T1071 Application Layer Protocol technique, adversaries exploit these protocols to issue commands, exfiltrate data, and maintain persistent access to compromised systems. 

The tactic allows attackers to blend seamlessly with routine network operations, evading detection and bypassing security controls.

Key Findings from Malware Analysis

Abuse of Web Protocols (T1071.001)

Web protocols like HTTP and HTTPS are prime targets due to their ubiquity. For example:

The WezRat malware uses HTTPS for encrypted C2 communication, hiding malicious commands within legitimate web traffic. This ensures that security tools relying on plain-text inspection fail to detect the threat.

Similarly, the Glutton malware employs HTTP GET and POST requests for real-time data transfer with its C2 server. By embedding commands within HTTP headers or responses, it mimics normal web traffic patterns.
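Because HTTP/S C2 traffic of the kind described above looks like ordinary web requests at the content level, one defensive signal that does not depend on decrypting anything is timing: an implant polling its server on a sleep loop produces far more regular request intervals than a person browsing. The following is an added example, not code from the article or from Picus Security; the proxy log format, hosts, IP addresses and thresholds are constructed assumptions.

```python
"""Beacon-interval heuristic over a constructed web proxy log.

Flags (client, host) pairs whose request inter-arrival times have a very
low coefficient of variation, which is typical of a sleep-loop implant
regardless of whether the payload is HTTP or HTTPS.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample proxy log: "<ISO timestamp> <src_ip> <method> <host> <path>"
# 10.0.0.5 polls one host about once a minute; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET updates.example-cdn.test /check
2024-05-01T10:01:00 10.0.0.5 GET updates.example-cdn.test /check
2024-05-01T10:02:01 10.0.0.5 POST updates.example-cdn.test /upload
2024-05-01T10:02:59 10.0.0.5 GET updates.example-cdn.test /check
2024-05-01T10:04:00 10.0.0.5 GET updates.example-cdn.test /check
2024-05-01T10:05:00 10.0.0.5 GET updates.example-cdn.test /check
2024-05-01T10:00:12 10.0.0.7 GET www.news.test /
2024-05-01T10:00:14 10.0.0.7 GET www.news.test /style.css
2024-05-01T10:07:40 10.0.0.7 GET www.news.test /article/42
2024-05-01T10:09:03 10.0.0.7 GET www.news.test /
2024-05-01T10:33:10 10.0.0.7 GET www.news.test /article/43
"""


def parse_log(text):
    """Yield (timestamp, src_ip, host) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, host, _path = line.split()
        yield datetime.fromisoformat(ts), src, host


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return {(src, host): (mean_interval_s, cv)} for pairs whose request
    intervals are suspiciously regular.

    cv is the coefficient of variation (population stdev / mean). Human
    browsing yields a high cv; a polling implant yields a cv near zero even
    when it adds a little jitter. Thresholds are assumptions to be tuned.
    """
    times = defaultdict(list)
    for ts, src, host in parse_log(text):
        times[(src, host)].append(ts)

    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = (round(mean, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, host), (mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: every {mean}s (cv={cv})")
```

On the constructed log this flags only the 10.0.0.5 client, whose six requests arrive roughly every 60 seconds; the browsing client's intervals vary by orders of magnitude and are ignored. In production the same computation runs over proxy or NetFlow records per day, and the hit list is then enriched with destination reputation and request-size uniformity before anyone is paged.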

Exploitation of File Transfer Protocols (T1071.002)

File transfer protocols such as SMB and FTP are also being manipulated. In a campaign involving the DarkGate malware, attackers used SMB to deliver malicious scripts and payloads while blending in with normal file-sharing operations.

Also, LemonDuck malware leveraged SMB vulnerabilities like EternalBlue (CVE-2017-0144) to transfer files covertly and maintain persistence.

Misuse of Mail Protocols (T1071.003)

Email protocols like SMTP and IMAP are exploited for discreet C2 communication. The Snake Keylogger malware, for instance, uses SMTP to exfiltrate stolen credentials and keystrokes via email attachments or encoded messages.

Another Trojan identified as Trojan.Win32.Injuke.mlrx relies on email protocols to send intercepted data back to its operators.

DNS-Based Attacks (T1071.004)

DNS is another favored protocol for covert communication. The MadMxShell backdoor encodes data within DNS queries and responses, staying within DNS packet size limits while evading detection.

Further, GammaLoad malware employs DNS-over-HTTPS (DoH) for encrypted communication, bypassing traditional DNS monitoring tools.
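Data carried inside DNS queries, as described for MadMxShell, leaves a characteristic footprint in resolver logs: many distinct, long, high-entropy subdomains under one registered domain, often with TXT or other text-bearing record types. The following heuristic is an added example, not code from the article or from any vendor; the log format, domain names, client addresses and thresholds are constructed assumptions, and the registered-domain split is simplified (real code would consult the Public Suffix List).

```python
"""Subdomain entropy and volume heuristic over a constructed DNS query log.

Scores each (client, registered_domain) pair on how much its queries look
like encoded data rather than hostnames. DoH hides this from a passive
sensor, so this logic belongs at the resolver the organisation controls.
"""
import math
from collections import Counter, defaultdict

# Constructed DNS query log: "<src_ip> <qtype> <qname>"
# 10.0.0.9 sends hex-encoded chunks under example-c2.test plus normal lookups.
SAMPLE_DNS = """\
10.0.0.9 TXT 6a7b3c9d2e1f4a5b6c7d8e9f0a1b2c3d.4e5f6a7b8c9d0e1f2a3b4c5d.tunnel.example-c2.test
10.0.0.9 TXT 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.3b2a1f0e9d8c7b6a5f4e3d2c.tunnel.example-c2.test
10.0.0.9 TXT 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.6e7f8a9b0c1d2e3f4a5b6c7d.tunnel.example-c2.test
10.0.0.9 TXT e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6.c7d8e9f0a1b2c3d4e5f6a7b8.tunnel.example-c2.test
10.0.0.9 A www.example-news.test
10.0.0.9 A cdn.example-news.test
10.0.0.9 A mail.example-corp.test
10.0.0.3 A www.example-corp.test
10.0.0.3 AAAA www.example-corp.test
"""


def shannon_entropy(s):
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname, tld_labels=2):
    """Return (registered_domain, subdomain), assuming the last `tld_labels`
    labels form the registered domain. Simplification: no Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= tld_labels:
        return qname, ""
    return ".".join(labels[-tld_labels:]), ".".join(labels[:-tld_labels])


def score_domains(text, min_queries=3, min_sub_len=40, min_entropy=3.5):
    """Return {(src, domain): stats} for pairs whose subdomains are long,
    high-entropy and almost never repeated. Thresholds are assumptions."""
    per_pair = defaultdict(lambda: {"queries": 0, "unique_subs": set(),
                                    "entropy_sum": 0.0, "len_sum": 0,
                                    "qtypes": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        src, qtype, qname = line.split()
        domain, sub = split_name(qname)
        d = per_pair[(src, domain)]
        d["queries"] += 1
        d["unique_subs"].add(sub)
        d["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        d["len_sum"] += len(sub)
        d["qtypes"].add(qtype)

    suspicious = {}
    for key, d in per_pair.items():
        n = d["queries"]
        if n < min_queries:
            continue
        avg_len = d["len_sum"] / n
        avg_ent = d["entropy_sum"] / n
        uniq_ratio = len(d["unique_subs"]) / n
        if avg_len >= min_sub_len and avg_ent >= min_entropy and uniq_ratio > 0.9:
            suspicious[key] = {"queries": n,
                               "avg_subdomain_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2),
                               "qtypes": sorted(d["qtypes"])}
    return suspicious


if __name__ == "__main__":
    for (src, domain), stats in score_domains(SAMPLE_DNS).items():
        print(f"{src} -> {domain}: {stats}")
```

On the constructed log only the (10.0.0.9, example-c2.test) pair scores: four unique 64-character subdomains averaging close to four bits of entropy per character, all TXT queries. The legitimate lookups have short, repeated labels and never reach the length threshold. The same counters aggregated per hour also expose volume, which is the other half of the picture: tunnelling a meaningful amount of data needs thousands of queries to one domain.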

Publish/Subscribe Protocol Exploitation (T1071.005)

The IOCONTROL malware, targeting IoT devices, uses MQTT over encrypted channels for precise control of compromised systems.

Meanwhile, the WailingCrab malware leverages legitimate MQTT brokers to route malicious traffic, disguising its activities as normal IoT communications.

Implications for Cybersecurity

This report underscores the growing sophistication of adversaries in leveraging trusted network protocols for malicious purposes. 

Their ability to embed harmful activities within routine traffic highlights a pressing need for advanced detection mechanisms that go beyond traditional signature-based approaches.

Organizations must adopt proactive measures such as:

  • Implementing deep packet inspection tools capable of analyzing encrypted traffic.
  • Monitoring behavioral anomalies in protocol usage.
  • Deploying threat intelligence frameworks like MITRE ATT&CK to identify and mitigate techniques such as T1071.

The exploitation of Application Layer Protocols represents a significant challenge for cybersecurity professionals worldwide.

As attackers continue to innovate and adapt their techniques, organizations must remain vigilant by investing in advanced detection technologies and fostering a deeper understanding of adversarial tactics.
