This Cyberattack Turns Your Device Into a ‘Zombie’


Sure, you know phishing attacks can lead to ransomware attacks. But how does a bad click actually lead to a compromised computer? Although some attacks drop ransomware directly onto the victim’s machine, more sophisticated attacks drop malware that enables Command and Control attacks (a.k.a. C&C or C2 attacks).

For instance, a new Chinese C2 attack framework, called Alchimist, can attack Windows, Linux, and macOS systems. Yet, this information only becomes helpful once you understand:

  • What is a C2 threat?
  • How to identify a C2 threat.
  • How to defend against a C2 threat.

Let’s dive into what you should know.

What is a C2 Threat?

C2 attacks occur when the malware or tool placed on an endpoint computer can reach out to a malicious command and control server for instructions.

C2 attacks will often take full control of the endpoint device, turning it into a ‘zombie’ device, capable of infecting other devices in the network, hosting cryptomining software, or participating in Distributed Denial of Service (DDoS) attacks.

There are many different types of attacks, and the MITRE ATT&CK attack framework (a global database which keeps track of known adversary threats and tactics) currently tracks 16 categories of C2 attack types.

Common C2 attacks use Remote Access Trojan (RAT) infections, hacking tools such as Cobalt Strike, or PowerShell commands to take control of the endpoint.

How Can a C2 Attack Threat be Identified?

Modern endpoint detection and response software, firewalls, and network monitoring security features can often catch the deployment of the malicious software used to initiate C2 attacks. However, some attackers successfully evade these tools by using zero-day vulnerabilities or advanced hacking skills. 

So, what can you do to protect yourself against these successful attacks?

Well, if an attacker evades security tools, then the log files your systems already generate become the key to detecting the C2 activity.

For instance:

  • Endpoint log files can show unusual software or malware deployed.
  • Firewall logs can detect unusual domains, IP addresses, or port usage.
  • Proxy log files on web proxies or secure web gateways can detect unusual traffic, users, or domains (URLs or IP addresses).
  • DNS log files can show unusual activity or domains.
  • User activity logs can show device activity under users outside of their business hours, or on machines to which the users have no physical access.
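As an added illustration of the log checks above (example code, not from the original article or from Blue Bastion), the script below runs two of these heuristics over constructed sample log lines: near-constant connection intervals from one host to one destination, a typical C2 check-in pattern, and logins outside business hours. The log format, IP addresses, user names and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log lines (not captured from any real network).
# Assumed format: <timestamp> <user> <src_ip> <event> <dst_ip>:<port>
SAMPLE_LOG = """\
2024-03-04T09:00:00 alice 10.0.0.5 CONNECT 203.0.113.10:443
2024-03-04T09:03:17 alice 10.0.0.5 CONNECT 203.0.113.11:443
2024-03-04T09:10:00 bob 10.0.0.7 CONNECT 198.51.100.20:8443
2024-03-04T09:11:00 bob 10.0.0.7 CONNECT 198.51.100.20:8443
2024-03-04T09:12:01 bob 10.0.0.7 CONNECT 198.51.100.20:8443
2024-03-04T09:13:00 bob 10.0.0.7 CONNECT 198.51.100.20:8443
2024-03-04T09:14:00 bob 10.0.0.7 CONNECT 198.51.100.20:8443
2024-03-04T09:41:22 alice 10.0.0.5 CONNECT 203.0.113.10:443
2024-03-04T02:13:05 carol 10.0.0.9 LOGIN -
2024-03-04T08:30:00 alice 10.0.0.5 LOGIN -
"""

def parse_log(text):
    """Turn raw log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, src, kind, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "kind": kind, "dst": dst})
    return events

def beaconing_pairs(events, min_conns=4, max_jitter=5.0):
    """(src, dst) pairs contacted at near-constant intervals, the
    check-in rhythm of an implant. max_jitter is the allowed std-dev (s)."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "CONNECT":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            flagged.append(pair)
    return flagged

def off_hours_logins(events, start_hour=7, end_hour=19):
    """Logins outside the business window (the user-activity check above)."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["kind"] == "LOGIN" and not start_hour <= e["ts"].hour < end_hour]
```

On real logs the same two functions need only a different `parse_log`; the thresholds are starting points to tune against your own baseline traffic.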

How Can You Defend Against C2 Attacks?

You can use security monitoring tools and services to detect, quarantine, or even prevent C2 activity.

Even further, the US Cybersecurity and Infrastructure Security Agency (CISA) recently released an open-source analytic tool, RedEye, to help parse logs and help visualize C2 activity for defenders.

However, basic security measures can also be very effective in defending against command and control attacks, as well as others.

For example, you can:

  • Enforce an “allow” or whitelist of applications that can be run or installed to prevent the installation of hacking tools or malware.
  • Scan and filter all traffic (network, firewall, etc.).
  • Set up two-factor authentication for all user accounts to make it harder for attackers to add software or navigate the network. 
  • Limit user permissions to limit what software commands can be run on any given endpoint.
  • Monitor for unusual activity, such as:
    • Users accessing unusual networks or devices
    • User logins outside of their normal patterns
    • Files being stored in unusual locations
    • Unusual or new applications installed on devices


Users can also be educated on good security practices such as:

  • Anti-phishing habits:
    • Do not click on untrusted links
    • Do not open attachments from untrusted email addresses
  • Log out of all accounts, close browsers, and shut down systems when done with work.

Help on Defense

Of course, fundamental security measures are much easier to explain than to implement, maintain, and execute.

For instance, while you might acknowledge that log monitoring provides critical information for rapid attack detection, you might discover it to be an overwhelming task to find that data buried within hundreds of thousands, or even millions of logs.

With the global shortage of experienced cybersecurity technicians, many organizations find it extremely difficult to find, recruit, and retain talented internal network security teams – if they can even afford them.

Cybersecurity talent must also be matched with the purchase of security tools that manage such log files and help generate alerts or facilitate investigation. Without the right talent, even the best security tools remain ineffective. And, without the right tools for the job, even the most talented team remains limited in their effectiveness.

Fortunately, you don’t need to handle all of your security needs on your own.

Outsourcing to a cybersecurity specialist remains one of the most inexpensive, yet effective, means of keeping your business secure.

Blue Bastion, along with the networking support of our Ideal Integrations division, can provide the expertise, extra manpower, and tools you need for cybersecurity monitoring at a fraction of the direct costs.

Simply contact us at 412-349-6680, or fill out the form below, and our teams will provide an overview of different tools and services to protect your organization against C2 attacks, as well as many other threats.

But, no matter your choice, as always, stay vigilant.
