What is Network Beaconing? Malware / C2 Beaconing Detection

malware

Key Takeaways

Network Beaconing Defined: Network beaconing is a covert communication method used by malware to transmit data back to hackers without triggering alarms.

Evading Detection: Malware leverages network beaconing to maintain communication with a remote server, all while avoiding detection by intrusion detection systems and firewalls.

Infection Sources: Malware can infiltrate systems through various entry points, including phishing emails, malicious documents, counterfeit websites, compromised software, and fraudulent applications.

Maintaining Stealth: Malware uses randomized and jittery beaconing intervals, making it challenging to detect through standard security software.

Detection Challenges: Detecting network beaconing requires a tailored approach based on specific malware behavior and network structures.

Indicators of Beaconing: Watch for signs such as unusual server communications, obscure domain traffic, proxy activity during off-hours, network data surges, direct IP connections, and DNS resolution patterns.

Real-World Example: The SolarWinds breach highlights the sophistication of network beaconing, with attackers remaining undetected for over a year while accessing sensitive data.

Collaboration and Innovation: The cybersecurity community must remain dedicated to innovation and collaboration to protect against the evolving menace of network beaconing.


When you hear the word “beacon,” you might envision a light or fire positioned high as a signal or warning. In the world of malware and cyberattacks, network beaconing also serves as a signal, but with a more nefarious intent. Network beaconing is a tactic used by threat actors to discreetly communicate with a hacker’s server after malware has infiltrated a system.

Understanding Network Beaconing

Network beaconing serves as a covert means for malware to transmit data back to hackers over a network. In today’s landscape of powerful security measures within both operating systems and networks, malware faces the challenge of extracting data without triggering any alarms.

firewall

Modern network security relies on intrusion detection systems and dedicated teams of engineers focused on fortifying network defenses.

However, these assets can only do so much when a company has hundreds of employees actively using the Internet each day. Malware takes advantage of various entry points like phishing schemes, counterfeit websites, compromised software, or fraudulent applications.

Malware stands as one of the most prevalent threats to everyday internet users. The internet is plagued with malware, and infection can occur with something as innocuous as clicking on an advertisement.

So, once malware takes hold of a computer system, what does it do? Most malware lacks artificial intelligence capabilities that would enable them to autonomously wreak havoc upon entering a system.

Instead, they need a means of communication with their controlling hacker to receive instructions on their next steps.

c2 server

This introduces a significant challenge. Establishing a communication pipeline with a remote host runs the risk of triggering the operating system’s firewall or the network intrusion detection system (IDS). To circumvent this obstacle, malware uses network beaconing as an evasion tactic. It periodically emits and receives inconspicuous beacon signals, ensuring that the instructions it receives and the stolen data it responds with go unnoticed.

How Does it Work?

Let’s take this step by step. Imagine I’m a threat actor aiming to infiltrate a computer system.

phishing attack

I begin by sending a phishing email to a select group of 20 employees within a company. This email contains a “maldoc”, short for malicious document, which is a Word document that carries malware hidden inside it.

Once one of the employees opens the email, downloads the document, and opens it on their computer, we are in business. The malware, which has been executed on the employee’s system, contains a beacon that has now landed on its target. This beacon starts sending signals back to the command center, often referred to as the C2 server (Command-and-Control server). The C2 server is under the control of the threat actor orchestrating the attack.

c2 server

With this connection established, the landing zone (infected host) is now in communication with the command center (C2 server). This enables us to send specific instructions to the malware for execution on the infected device. As the malware carries out its tasks, it periodically “beacons” back to the C2 server, providing updates and any information it has collected.

frequency

The crucial aspect of this process is maintaining a beaconing frequency that doesn’t trigger any security alarms. As long as the malware goes undetected, it can continue its data-gathering.

One might think it’s straightforward to spot malware beaconing by looking for consistent network traffic at regular intervals. For instance, if malware were sending HTTP requests from a host to an unfamiliar server every ten minutes, it should raise alarms, right?

Well, it’s more complex than that. Beacons utilize a variety of communication protocols including DNS, SSH, and SMTP. To make matters trickier, they introduce randomness and jitter into their beaconing intervals. Advanced malware makes detection exceptionally challenging for standard security software.

In summary, distinguishing between legitimate and malicious traffic is indeed a formidable task, but it’s not an impossible one.

Detection

Network beaconing defenses rely on various factors, including the specific malware type and the network’s structure. Malware is incredibly tricky, it can exploit any available proxies, leverage your nameservers, and blend in by running within the context of a regular user.

In situations where there’s no immediate threat or awareness of network beaconing, detection can pose significant challenges. However, here are strategies to consider:

Unusual Server Communications: If a system initiates communication with a server that no other device on the network has previously contacted, this anomaly should raise suspicions.

Obscure Domain Traffic: Keep an eye on web traffic directed towards domains with less common top-level domains like .cx or .iq.

Proxy Activity: Watch for increased traffic via unconventional ports or traffic patterns occurring during off-hours. Such irregularities can serve as indicators of malware beaconing, particularly if data is leaving the system when there’s no human presence, such as late at night.

Network Data Surge: Be cautious of unusually high volumes of DNS traffic originating from a single user or recurring patterns in network traffic.

Direct IP Connections: In cases where malware employs direct IP connections, consider using a service to assess the legitimacy of the IP address being used.

DNS Resolution Patterns: When malware relies on DNS to resolve command and control servers, look for telltale signs such as repeated DNS queries for recently created domains, persistent requests for domains tied to a dynamic DNS service, and DNS responses with very low time-to-live values.

Identifying malware beaconing depends greatly on the specific behavior of the malware in question. Unfortunately, there’s no one-size-fits-all detection method, which is why multiple approaches are necessary to potentially identify beaconing traffic. Additionally, specialized beaconing identification frameworks can be leveraged to uncover obscure beaconing tactics effectively.

Examples

SolarWinds is a US-based software company specializing in system management tools for network and infrastructure monitoring. They have an extensive portfolio that caters to thousands of organizations worldwide. One of their prominent offerings is Orion, an IT performance monitoring tool.

SolarWinds fell victim to a major breach dubbed “Sunburst”. In this global attack, a group managed to infiltrate SolarWinds’ network and systems, gaining access to the data of thousands of the company’s customers.

The intriguing part is how the breach unfolded without triggering any alarms. The attackers successfully injected malware into the Orion software.

sunburst

A month later, SolarWinds rolled out an Orion update containing this malware, leading to over 18,000 customer installs.

The attackers amazingly went undetected within SolarWinds’ systems from September 2019 until their discovery in December 2020. Their success relied on their ability to communicate with the command-and-control server while expertly evading network threat detection. Not only did the malware mimic genuine network traffic, but it also conducted meticulous checks to ensure no antimalware or security software tools were active.

The motive behind this attack remains a mystery, primarily because the group remains anonymous. Although the extent of the stolen information remains uncertain, it is clear that this hacking group accessed a substantial amount of data, including sensitive information concerning various US government agencies.

This incident serves as an example of network beaconing executed through malware and a C2 (Command-and-Control) server at an expert level.

Conclusion

Network beaconing is a dangerous and difficult-to-detect attack that has been proven to work on the largest scale. Its capacity to remain unnoticed for long periods while extracting confidential information has made it a significant threat to network protectors.