Malware of the Day – Multi-Modal C2 Communication – Numinon C2
Background
In our “Malware of the Day” series, we have explored a variety of C2 network communication profiles, covering protocols like HTTP, HTTPS, DNS, ICMP, and NTP. Most of these simulations were “unimodal” – meaning the interval between successive agent check-ins followed a single pattern. Even with jitter introducing some randomization, the core delay and jitter values remained constant, ultimately producing a single “mode” or peak on a connection timing histogram.
While these focused simulations are valuable for understanding fundamental principles, many real-world compromises do not limit themselves to a single communication profile. Attackers are not required to use only one protocol, port, or beaconing configuration. In fact, they can gain significant advantages by dynamically varying their communication profiles.
I will refer to this capability as Multi-Modal C2. A C2 framework can be considered multi-modal if it can alter its communication characteristics such as protocol (for example, HTTP vs. DNS), timing (delay and/or jitter), or connection state (beaconing vs. persistent) within the same session to serve different operational goals. This adaptability allows attackers to switch between different “modes” of operation based on their immediate needs.
The strategy of combining network communication profiles is not new and has been observed in many sophisticated malware campaigns. For example, Sunburst, the backdoor used in the SolarWinds supply chain attack, famously used DNS for its initial, stealthy “heartbeat” check-ins. Once it identified an interesting target, it would switch to a more robust HTTPS channel for command execution and data transfer.
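The histogram view described above can be turned into a simple defender-side check: bucket the inter-arrival times for one source/destination pair and count the peaks. The following is an added example, not code from the article or from the Numinon C2 project; the beacon model, the session timestamps and the 15% peak threshold are constructed assumptions, and it contrasts a constant 60 s heartbeat with a session that switches to a 5 s cadence mid-way, as the multi-modal definition above allows.

```python
import random
from collections import Counter

def simulate_beacon(start, delay, jitter, count, rng):
    """Constructed check-ins: each gap is delay * U[1-jitter, 1+jitter] (hypothetical model)."""
    t, out = start, []
    for _ in range(count):
        t += delay * rng.uniform(1 - jitter, 1 + jitter)
        out.append(t)
    return out

def unimodal_session():
    """Constant 60 s heartbeat with 10% jitter: one timing mode."""
    return simulate_beacon(0.0, 60, 0.10, 60, random.Random(7))

def multimodal_session():
    """60 s heartbeat, then a switch to a 5 s 'interactive' cadence
    within the same session: two timing modes."""
    rng = random.Random(7)
    slow = simulate_beacon(0.0, 60, 0.10, 60, rng)
    fast = simulate_beacon(slow[-1], 5, 0.10, 60, rng)
    return slow + fast

def inter_arrival(timestamps):
    """Seconds between consecutive connections for one src->dst pair."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def timing_histogram(deltas, bin_width):
    """Bucket inter-arrival times into bins of bin_width seconds."""
    counts = Counter(int(d // bin_width) * bin_width for d in deltas)
    return dict(sorted(counts.items()))

def find_modes(hist, bin_width, min_share=0.15):
    """Bin starts that are local peaks against their adjacent bins and hold at least
    min_share of all connections. One peak = classic beacon; several = multi-modal candidate."""
    total = sum(hist.values())
    modes = []
    for b, c in hist.items():
        left = hist.get(b - bin_width, 0)
        right = hist.get(b + bin_width, 0)
        if c >= left and c > right and c / total >= min_share:
            modes.append(b)
    return modes

if __name__ == "__main__":
    for name, s in (("unimodal", unimodal_session()), ("multimodal", multimodal_session())):
        h = timing_histogram(inter_arrival(s), 10)
        print(name, h, "modes:", find_modes(h, 10))
```

On real traffic the same functions apply to per-pair connection timestamps pulled from Zeek conn logs or flow records; a pair whose histogram shows more than one well-populated peak is the multi-modal signature the article describes.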
To read the complete article, see: Active Countermeasures