Greg Foss
Security Operations Team Lead

Catching Beaconing Malware

The Difficultly in Detecting Beaconing Malware

When a computer becomes infected with malware, it will usually begin to beacon out to a command and control server. This is one of the ways that commodity malware checks in with its command and control infrastructure to await further instructions.

But it can be difficult to detect this activity. The beaconing can take place at any time or frequency—from once every couple of seconds to once a week (or possibly even longer if you are dealing with an advanced adversary).

To compound this problem, a majority of malware can bypass even the best anti-virus solutions on the market—leaving systems open to risk.

Using Network Monitor to Identify Known Malicious Patterns

In an ideal scenario, you would be able to look into a suspect system and see overt beaconing activity—a dead giveaway that the system has been infected. However, in reality it is never this easy:

Figure 1. PowerShell Empire Default Beacon Trending Figure 1: PowerShell Empire Default Beacon Trending

That said, using Network Monitor, you can take these known malicious traffic patterns and tune your search in order to pick up on generally odd activity. You can then compare this to legitimate activity and contrast it with how traffic should normally look by evaluating the metadata.

There are tons of way to do this, and it varies depending on what you’re looking for, so I’ll just talk about one I used to find an actual infected system on the network about a week ago by profiling network traffic patterns. Here is the query I used:

-DestIP:([10.0.0.0 TO 10.255.255.255] OR [192.0.0.0 TO 192.255.255.255]) AND ((Duration:<7 AND DestBytes:[2000 TO 3000] AND SrcBytes:<1500) OR (Duration:>3600)) AND FlowCompleted:true AND Application:(http OR https OR tcp OR unknown OR other) AND -FileType:* AND -URIPath:* AND -ServerName:* -ContentEncoding:*

This query essentially looks for small packets beaconing outside of the network over long periods of time. Or conversely, it looks for long-running sessions that don’t contain normal web-browsing metadata, as defined by the absence of common criteria.

This query is just one of many possible ways to track down this activity using a Network Monitor layout to track these traffic patterns. After tuning the rule a bit, we are left with one system within the network that fits this criteria and has traffic patterns that are consistent enough for us to investigate.

Figure 2. Network Monitor Shows Traffic Patterns Consistent with Beaconing Actions

Figure 2: Network Monitor Shows Traffic Patterns that are Consistent with Beaconing Actions

Sure enough, once we logged onto the host, we noticed a fake anti-virus / system boost program “System Optimizer Pro” running in the background. This is a program that will ask the user to pay for the professional version of the software to “fix the issues.”

Figure 3. Fake System Optimizer Pro System Boost Program

Figure 3: The Culprit: A Fake System Optimizer Pro System Boost Program

We also found that there was much more than one piece of adware on this host—one of which was a malicious update service that backdoors and installs spyware on any new updates installed through the tool.

Figure 4. Adware Software Updater

Figure 4: Adware Software Updater

As it turns out, a significant number of processes on this system were flagged as suspicious. Further investigation revealed that the endpoint had been infected with spyware.

Figure 5. Further Investigation Reveals Spyware

Figure 5: Further Investigation Reveals Spyware

Looking at the historical data in Network Monitor, we can tell that this system has been infected (by this one sample) for at least one month. Reviewing the processes on the host and active connections, we validated a myriad of additional untrusted services and network connections running on this box—all of which were evading anti-virus and had been present for some time.

Figure 6. Reviewing the Processes Figure 6: Reviewing the Processes

It seems there were multiple culprits here, but one of the main ones was a “backdoored” Google Chrome installer. In total, we ended up removing around 5,000 pieces of malware and unwanted programs from the system.

Figure 7. Total Threats Detected and Removed Figure 7: Total Threats Detected and Removed

Detecting Beaconing Activity from Malware, Solved

Using Network Monitor, you can easily detect beaconing activity—even pinpointing the exact moment of infection all the way up through interaction and data exfiltration.

You could even augment this using deep scripting capabilities (in that you could decide to launch a targeted packet capture or simply detect consistent traffic that matches that patterns described here). All in all, monitoring network activity and trending on known behavioral patterns is a great way to plug the gaps that a host-based anti-virus may miss.

Give it a Try

Want to take this use case for a spin? Download Network Monitor Freemium and transform your physical or virtual server into a network forensic sensor.

Try Network Monitor Freemium.