Detecting Beaconing Malware with Network Monitor

The Difficulty in Detecting Beaconing Malware

When it comes to threat detection, you’re taking great measures to protect your organization. Yet threats, such as malware, keep getting in despite the network monitoring tools and enterprise threat detection solutions you have in place.

Picture this: Once a computer becomes infected with malware, it usually begins to beacon out to a command and control server. This is one of the ways that commodity malware checks in with its command and control infrastructure to await further instructions.

But it can be difficult to detect beaconing malware. The beaconing can occur at any time or frequency — from once every few seconds to once a week (or possibly even longer if you are dealing with an advanced adversary).

To compound this problem, a majority of malware can bypass even the best anti-virus solutions on the market — leaving systems open to risk.

You may be wondering: How can you detect beaconing malware? You need NetMon.

Using NetMon to Identify Known Malicious Patterns

In an ideal scenario, you would be able to look into a suspect system and see overt beaconing activity — a dead giveaway that the system has been infected. However, it is never this easy:

Figure 1: PowerShell Empire Default Beacon Trending

That said, by using NetMon, you can take these known malicious traffic patterns and tune your search to detect odd activity. You can then compare this to legitimate activity and contrast it with how traffic should normally look by evaluating the metadata.

How do you do it? There are many ways, and the approach varies depending on your search goals. Let’s review one example in which profiling network traffic patterns revealed an actual infected system on the network about a week ago.

Here is the query we used:

-DestIP:([10.0.0.0 TO 10.255.255.255] OR [192.0.0.0 TO 192.255.255.255]) AND ((Duration:<7 AND DestBytes:[2000 TO 3000] AND SrcBytes:<1500) OR (Duration:>3600)) AND FlowCompleted:true AND Application:(http OR https OR tcp OR unknown OR other) AND -FileType:* AND -URIPath:* AND -ServerName:* -ContentEncoding:*

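This query excludes the listed internal destination ranges and looks for completed flows that are either short with small byte counts in a narrow range or long-running, and that don’t contain normal web-browsing metadata, as defined by the absence of common fields (file type, URI path, server name and content encoding). This is just one way to track down this activity using a NetMon layout to monitor these traffic patterns.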
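The filter above, as an added Python example (not code from the original post or from NetMon): it applies the same predicate to flow records, then keeps only source/destination pairs whose check-in intervals are regular. The SrcIP and Start fields, durations in seconds, the thresholds and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# The two destination ranges the query excludes, written as CIDR blocks.
EXCLUDED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.0.0/8")]
APPS = {"http", "https", "tcp", "unknown", "other"}
WEB_FIELDS = ("FileType", "URIPath", "ServerName", "ContentEncoding")

def matches_query(f):
    """Same predicate as the query, over a flow dict keyed by its field names."""
    dest = ipaddress.ip_address(f["DestIP"])
    if any(dest in net for net in EXCLUDED):
        return False
    short = f["Duration"] < 7 and 2000 <= f["DestBytes"] <= 3000 and f["SrcBytes"] < 1500
    shape_ok = short or f["Duration"] > 3600
    no_web_meta = not any(f.get(k) for k in WEB_FIELDS)  # -Field:* means "field absent"
    return shape_ok and f["FlowCompleted"] and f["Application"] in APPS and no_web_meta

def beacon_candidates(flows, min_flows=5, max_jitter=0.1):
    """Group matching flows by (SrcIP, DestIP); keep pairs with regular start intervals.

    Start is an assumed field: flow start time in seconds. max_jitter is the allowed
    coefficient of variation (stdev / mean) of the gaps between consecutive flows.
    """
    starts = defaultdict(list)
    for f in filter(matches_query, flows):
        starts[(f["SrcIP"], f["DestIP"])].append(f["Start"])
    hits = {}
    for pair, ts in starts.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_flows and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits[pair] = round(mean(gaps), 1)  # average check-in interval
    return hits

# Constructed sample flows (not from the page).
def flow(src, dst, start, **extra):
    base = dict(SrcIP=src, DestIP=dst, Start=start, Duration=2, DestBytes=2400,
                SrcBytes=600, FlowCompleted=True, Application="https")
    base.update(extra)
    return base

# Host .23 checks in about every 300 s; .40 browses normally; .41 matches the
# query but at irregular times, so the interval test drops it.
SAMPLE = [flow("10.1.1.23", "203.0.113.50", t) for t in (0, 301, 599, 902, 1200, 1499)]
SAMPLE += [flow("10.1.1.40", "198.51.100.7", t, ServerName="example.com", URIPath="/")
           for t in (5, 40, 700, 705, 1300)]
SAMPLE += [flow("10.1.1.41", "198.51.100.9", t) for t in (10, 95, 800, 830, 2000)]

if __name__ == "__main__":
    print(beacon_candidates(SAMPLE))
```

The interval test is what separates a beacon from other flows that merely lack web metadata; widen max_jitter for samples that randomize their sleep time.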

What’s the end result?

After tuning the rule a bit, we have one system within the network that fits these criteria and shows traffic patterns that are consistent enough for us to investigate.

Figure 2: NetMon Shows Traffic Patterns that are Consistent with Beaconing Actions

Sure enough, once we logged onto the host, we noticed a fake anti-virus/system boost program “System Optimizer Pro” running in the background. This is a program that asks the user to pay for the professional version of the software to “fix the issues.”

Figure 3: The Culprit: A Fake System Optimizer Pro System Boost Program

We also discovered a malicious update service that backdoors and installs spyware on any new updates installed through the tool.

Figure 4: Adware Software Updater

It turns out that a significant number of processes on this system were flagged as suspicious. Further investigation revealed that the endpoint had been infected with spyware.

Figure 5: Further Investigation Reveals Spyware

After reviewing the historical data in NetMon, we learned that this system had been infected (by this one sample) for at least one month. We reviewed the processes and active connections on the host and validated a myriad of additional untrusted services and network connections running on this box — all of which were evading anti-virus and had been present for some time.

Figure 6: Reviewing the Processes

It seems there were multiple culprits here, but one of the main ones was a “backdoored” Google Chrome installer.

What was the damage? In total, we removed around 5,000 pieces of malware and unwanted programs from the system.

Figure 7: Total Threats Detected and Removed

Detecting Beaconing Activity from Malware, Solved

With NetMon, you can easily detect beaconing activity — even pinpointing the exact moment of infection all the way up through interaction and data exfiltration.

You could even augment this by using deep scripting capabilities. You could launch a targeted packet capture or simply detect consistent traffic that matches the patterns described here.

All in all, monitoring network activity and trending on known behavioral patterns are great ways to plug the gaps that a host-based anti-virus program may miss.

Give it a Try

Want to take this use case for a spin? Download NetMon Freemium and transform your physical or virtual server into a network forensic sensor.