Command and control server uses a full web backend that lets the attacker directly control the victims via a web browser. These HTTP channels may be plain-text or encrypted with SSL.

Common backends

• IIS
• ASP .NET
• ASPX
• PHP

Common ports

• 80
• 443
• 8080

Malware/Threat actors

Name	Type	Years	Source
icefog	threat actor	2013	icefog.pdf stamp.jsp?tp=&arnumber=7460498&tag=1
Nettraveler	malware	2004-2013	kaspersky-the-net-traveler-part1-final.pdf
Operation Cleaver	threat actor	2012-2013	Cylance_Operation_Cleaver_Report.pdf stamp.jsp?tp=&arnumber=7460498&tag=1
Energetic Bear	threat actor	2010-2014	EB-YetiJuly2014-Public.pdf
Jaku	malware	2015-2016	report_jaku_analysis_of_botnet_campaign_en_0.pdf
GRIZZLY STEPPE	threat actor	2015-2018	GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf
PlugX	malware	2014	GlobalThreatIntelReport.pdf plugx-goes-to-the-registry-and-india.pdf ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf P2P_PlugX_Analysis.pdf
Dukes	ThreatActor	2008-2015	dukes_whitepaper.pdf
Mirage	threat actor	2012-2015	ICIT-Brief-China-Espionage-Dynasty.pdf
Regin	malware	2008-2013	regin-analysis.pdf Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf ICIT-Brief-Know-Your-Enemies-2.0.pdf stamp.jsp?tp=&arnumber=7460498&tag=1
APT28	threat actor	2008-2016	APT28-Center-of-Storm-2017.pdf CYBERWAR-fd_2_.pdf JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf journey-zebrocy-land threat-group-4127-targets-hillary-clinton-presidential-campaign stamp.jsp?tp=&arnumber=7460498&tag=1
ProjectSauron	malware	2011-2016	The-ProjectSauron-APT_research_KL.pdf

Preventions

<Mitigation techniques>

Detections

<Detection techniques>

Toolkit

<Toolkit instructions, if applicable>

Similar techniques

• Peer-to-peer
• IRC
• ICMP
• DNS
• Webshell
• Remote Admin Tools
• Listening Service

References

• Fireye - World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks