What is malware beaconing?
Beaconing is the malware term for the brief, periodic messages an infected host sends to an attacker-controlled host to signal that the implant is still active and to ask for further instructions.
Beaconing lets malware check in with its command and control (C2) server at regular intervals to fetch instructions and to exfiltrate data, while keeping the attacker's infrastructure hidden. A C2 server hosts the instructions for the malware, which are executed on the infected machine after it has checked in. C2 servers can orchestrate various malicious campaigns such as ransomware, distributed denial of service attacks, etc.
In DNS beaconing, a compromised host makes frequent DNS requests to a domain whose authoritative server the attacker controls, letting the attacker answer the request and hide commands inside the DNS response.
A famous example of malware beaconing is the Sunburst attack. Sunburst used an intermediary C2 to instruct the backdoor to continue or suspend beaconing. The backdoor started in a passive mode in which it did nothing other than check blocklists, sleep, or beacon via DNS.
Disguising C2 communications inside HTTPS makes them harder to notice because many security tools cannot decrypt the traffic and inspect its destination. Communications can be camouflaged entirely as genuine traffic if a trusted cloud service is hijacked to act as the C2 server.
How can you protect yourself against Malware Beaconing?
These are a few steps to prevent malware from infecting your system.
Keep your computer and software updated.
Use a non-administrative account whenever possible.
Do not click on any suspicious links or ads.
Be careful about opening email attachments or images.
Don't trust pop-up windows that ask you to download software.
Limit your file-sharing.
Even after you've followed these steps, malware can still breach your systems, making it crucial to have multiple lines of defense.
Because malware often tries to disguise and hide its traffic, it is worth running multiple security tools that look for the regular, repetitive communication patterns that give beaconing away. If beaconing is seen, here are some steps you can take to remediate C2 activity:
Any external services, such as exposed applications, should be disabled and completely terminated.
Isolate/Quarantine the infected devices to check for IOCs.
Thwart any suspicious inbound or outbound traffic.
Follow the principle of least privilege to minimize the damage a compromised machine can do.
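The detection idea from the section above, that beacons stand out because their check-ins are evenly spaced, can be turned into a simple script. The following is an added example and not code from the original article: it groups a constructed connection log by (source, destination), measures the spacing between connections, and flags pairs whose interval jitter (standard deviation divided by mean) is low. The host names, timestamps and thresholds are all assumed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log: (epoch seconds, source host, destination).
# Host "ws-17" contacts one domain every ~300 s with small jitter (beacon-like);
# the remaining entries are irregular, user-driven traffic.
SAMPLE_LOG = [
    (t, "ws-17", "update-cdn.example.net")
    for t in (0, 298, 602, 899, 1203, 1498, 1801, 2104)
] + [
    (5, "ws-17", "news.example.org"),
    (40, "ws-17", "news.example.org"),
    (1300, "ws-17", "news.example.org"),
    (1312, "ws-17", "news.example.org"),
    (2000, "ws-17", "news.example.org"),
    (2030, "ws-17", "news.example.org"),
    (50, "ws-22", "mail.example.com"),
    (900, "ws-22", "mail.example.com"),
]


def find_beacon_candidates(log, min_conns=6, max_jitter=0.2):
    """Return (src, dst, mean_interval, jitter) for source/destination pairs
    whose inter-connection intervals are regular enough to look like a beacon.
    Jitter is the coefficient of variation (stdev / mean) of the intervals;
    a low value means the host calls out on a near-fixed schedule."""
    times = defaultdict(list)
    for ts, src, dst in log:
        times[(src, dst)].append(ts)
    hits = []
    for (src, dst), ts in times.items():
        if len(ts) < min_conns:          # too few connections to judge a pattern
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacon_candidates(SAMPLE_LOG):
        print("beacon candidate:", hit)
```

On real logs the window must be much longer and the thresholds tuned per environment, since legitimate software also polls on a schedule and malware that randomizes its sleep time raises the jitter value above a tight cutoff.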