Instant Messaging-Based Adversarial C2 Techniques and How to Detect Them
Command and control (C2) has always been a key adversary objective in the compromise of a victim. The quicker an adversary establishes a successful C2 channel in a victim’s network, the faster they can achieve their end objective for impact. Most C2 communications occur over a standard web protocol such as Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS). While using HTTP or HTTPS to “blend in,” adversaries and offensive tool developers often obscure or obfuscate C2 beacon implantation or traffic to evade detection by defenders.
Some examples include introducing random jitter in beacon connection frequency, manipulating operating system (OS) built-in functionality to send and receive the C2 traffic, or hosting C2 servers on well-known cloud services to blend into normal web traffic. However, the threat landscape is always changing, and one of the more recent ways to obscure C2 traffic is by using messaging and collaboration tools such as Telegram and Discord.
Relevance to Industrial Control Systems (ICS)
Even as information technology (IT) and operational technology (OT) networks converge, it remains imperative to acknowledge that cyber security processes and controls should be managed as distinct approaches for IT and OT. While practices such as patching vulnerabilities as soon as a fix is released are common best practice for IT, this does not always apply to OT networks due to a variety of OT-specific constraints, such as legally enforced maintenance windows, a low risk appetite for downtime in critical systems such as energy transmission or water distribution, or the total inability to patch due to the age of assets that were acquired on a 20- to 30-year lifecycle.
However, there is no denying that this convergence can make it hard to tell where the IT network ends and the OT network begins. In fact, in 2022, 50% of all service engagements conducted by Dragos had a finding related to improper network segmentation.
So, while it is crucial to treat the cyber security of IT and OT differently, it is equally important to acknowledge that the lines between IT and OT networks are as blurred as ever. This blurring creates ample opportunity for adversaries to move laterally into OT networks after first obtaining initial access and establishing a C2 channel in the IT network.
Overview of Instant Messaging-Based C2 Communications
Telegram and Discord are both instant messaging services. In recent years there has been an upward trend in offensive tooling using the Telegram and Discord application programming interfaces (APIs) as a C2 mechanism. The flow is generally as follows:
- Adversary creates a Telegram or Discord bot to send and receive commands.
- Adversary creates a Telegram or Discord user account.
- Adversary embeds the API key for the bot and the unique identifier of the created user account into the malware.
- When the malware executes, it connects to the Telegram or Discord API with the respective API key and user identifier.
- Adversary receives telemetry from the victim and sends commands to the infected system through the bot/chat C2 channel.
How to Detect Malicious Communications
C2 communications through Telegram and Discord present a unique detection challenge. Defenders must direct their efforts toward a behavior-focused detection approach instead of indicator-based detection, concentrating on anomalous network connections and abnormal process behavior.
For communications to and from both platforms, network traffic flows between the platform's infrastructure and the user, so detecting malicious communications is more difficult than simply alerting on or searching for known C2 domains or IP addresses. Moreover, in most environments, Discord and Telegram network traffic would be unusual but probably not completely unheard of. A key commonality of both mechanisms is that the communications will be to and from the respective API endpoints of the platform: https://telegram.org/api or https://discord.com/api.
This alone is not an indication of malicious behavior; however, if these applications are not sanctioned in your environment, then evidence of the traffic occurring warrants investigation. In addition, most toolkits that include these C2 mechanisms first perform an external IP lookup for the victim device by reaching out to IP lookup service API endpoints such as ipify. Frequent communications with the Telegram or Discord API, preceded by an API call to an IP lookup service at the start of the traffic, is an indicator warranting further investigation. Evidence of HTTP User Agents not commonly found in your environment connecting to the Telegram or Discord API endpoints is another finding that, combined with the other indicators mentioned, may indicate malicious activity.
If you have access to process monitoring tools, then evidence of telegram.exe or discord.exe dropping files to disk or spawning other processes is also worth investigating. In addition, defenders should investigate any processes that appear to be native Microsoft Windows processes but have a parent process of discord.exe or telegram.exe or their subprocesses. Processes that contain metadata consistent with Microsoft processes but have spelling mistakes in the metadata, or whose associated binaries are not signed by Microsoft, should also warrant investigation. Compare the properties of potentially suspicious processes with known good baselines of processes from other machines in your environment. Some parent processes spawn Windows processes in a particular manner. Adversaries will attempt to mimic the metadata of these processes; however, in many cases, the process lineage will not align with legitimate Windows process behavior. The SANS Hunt Evil Poster is a helpful resource for determining the legitimacy of apparent Windows processes according to their respective parent processes.
The best way to detect these types of C2 mechanisms using instant messaging platforms like Telegram or Discord is to know your environment and understand the baseline of normal network traffic and process events. Maturing your threat detection strategy to include behavior-based logic that finds events anomalous to your baseline, such as high session counts to Discord or Telegram in conjunction with IP lookup service API calls, is the best way to enhance your detection capability against adversaries attempting to hide in the noise.
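As an added example (not code from the Dragos post), the following Python hunts over constructed proxy log lines for the two behavioral indicators described above: an IP lookup service call followed by a burst of Discord or Telegram API sessions from the same host, and User-Agents outside an assumed baseline. The log format, hostnames, timestamps and baseline User-Agents are constructed for the example.

```python
"""Hunt constructed proxy log lines for the pattern described above: an IP-lookup call
followed by repeated Discord/Telegram API sessions, plus User-Agents outside baseline."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines: "timestamp src_host dest_host path user_agent"
SAMPLE_LOG = """\
2024-01-10T09:00:01 ws-eng-07 api.ipify.org / python-requests/2.31
2024-01-10T09:00:04 ws-eng-07 discord.com /api/v9/channels/1/messages python-requests/2.31
2024-01-10T09:00:34 ws-eng-07 discord.com /api/v9/channels/1/messages python-requests/2.31
2024-01-10T09:01:05 ws-eng-07 discord.com /api/v9/channels/1/messages python-requests/2.31
2024-01-10T09:15:00 ws-hmi-02 discord.com /api/v9/gateway Discord-Client/1.0
2024-01-10T09:30:00 ws-eng-07 www.microsoft.com /update Mozilla/5.0
"""
IM_API = {("discord.com", "/api"), ("telegram.org", "/api")}   # endpoints named in the post
IP_LOOKUP_HOSTS = {"api.ipify.org"}                            # lookup service named in the post
BASELINE_UA = {"Discord-Client/1.0", "Telegram Desktop"}       # assumed sanctioned clients (constructed)

def parse(log):
    for line in log.splitlines():
        ts, src, dst, path, ua = line.split(" ", 4)
        yield datetime.fromisoformat(ts), src, dst, path, ua

def is_im_api(dst, path):
    return any(dst == host and path.startswith(prefix) for host, prefix in IM_API)

def hunt(log, window=timedelta(minutes=10), min_sessions=3):
    """Return {src_host: [reasons]} for hosts showing the pattern; empty dict if none."""
    first_lookup = {}              # host -> time of its first IP-lookup call
    sessions = defaultdict(list)   # host -> timestamps of IM API sessions
    odd_ua = defaultdict(set)      # host -> User-Agents not in the baseline
    for ts, src, dst, path, ua in parse(log):
        if dst in IP_LOOKUP_HOSTS:
            first_lookup.setdefault(src, ts)
        elif is_im_api(dst, path):
            sessions[src].append(ts)
            if ua not in BASELINE_UA:
                odd_ua[src].add(ua)
    findings = {}
    for src, times in sessions.items():
        reasons = []
        start = first_lookup.get(src)
        if start is not None:
            burst = [t for t in times if start <= t <= start + window]
            if len(burst) >= min_sessions:
                reasons.append(f"IP lookup then {len(burst)} IM API sessions within {window}")
        if odd_ua[src]:
            reasons.append("unfamiliar User-Agent: " + ", ".join(sorted(odd_ua[src])))
        if reasons:
            findings[src] = reasons
    return findings
```

Running `hunt(SAMPLE_LOG)` flags only ws-eng-07, for both the lookup-then-burst sequence and the unfamiliar User-Agent; the HMI host using a baseline client with a single session produces no finding.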