DeepC2: AI-powered Covert Command and Control on OSNs

TL;DR

DeepC2 introduces an AI-driven method for covert command and control on social networks, enabling attackers to communicate secretly while evading detection and analysis by defenders.

Contribution

It presents a novel neural network-based approach for covert C&C that hides commands within normal content and prevents reverse analysis of attacker identities.

Findings

Commands embedded in tweets are generated efficiently.

Malware can covertly locate the attacker on OSNs.

It is difficult to recover attacker identifiers in advance.

Abstract

Command and control (C&C) is important in an attack. It transfers commands from the attacker to the malware in the compromised hosts. Currently, some attackers use online social networks (OSNs) in C&C tasks. There are two main problems in the C&C on OSNs. First, the process for the malware to find the attacker is reversible. If the malware sample is analyzed by the defender, the attacker would be exposed before publishing the commands. Second, the commands in plain or encrypted form are regarded as abnormal contents by OSNs, which would raise anomalies and trigger restrictions on the attacker. The defender can limit the attacker once it is exposed. In this work, we propose DeepC2, an AI-powered C&C on OSNs, to solve these problems. For the reversible hard-coding, the malware finds the attacker using a neural network model. The attacker's avatars are converted into a batch of feature vectors, and the defender cannot recover the avatars in advance using the model and the feature vectors. To solve the abnormal contents on OSNs, hash collision and text data augmentation are used to embed commands into normal contents. The experiment on Twitter shows that command-embedded tweets can be generated efficiently. The malware can find the attacker covertly on OSNs. Security analysis shows it is hard to recover the attacker's identifiers in advance.