Cyber Security News

EARLYCROW: Detecting APT Malware Command and Control Activities Over HTTPS

Advanced Persistent Threats (APTs) represent a sophisticated and stealthy category of cyberattacks targeting critical organizations globally.

Unlike common malware, APTs employ evasive tactics, techniques, and procedures (TTPs) to remain undetected for extended periods.

Their command-and-control (C&C) communications often mimic legitimate web traffic, making detection particularly challenging for traditional Network Intrusion Detection Systems (NIDS).

To address this challenge, researchers from Imperial College London have introduced EARLYCROW, a novel approach for detecting APT malware C&C activities over HTTP(S).

The EARLYCROW Approach

EARLYCROW is designed to identify malicious network traffic by leveraging contextual summaries derived from network packet captures (PCAP).

Overview of the PAIRFLOW workflow

Central to its methodology is the introduction of a new multipurpose network flow format called PAIRFLOW, which aggregates behavioral, statistical, and protocol-specific attributes of network traffic.

This enables the system to detect malicious patterns even in encrypted HTTPS communications.

The design of EARLYCROW is informed by a threat model that focuses on four primary cases of APT behavior:

  1. Case I: Malware with a hard-coded Fully Qualified Domain Name (FQDN) communicates with C&C servers via HTTP or HTTPS.
  2. Case II: Malware connects directly to an IP address embedded in the code, bypassing DNS resolution.
  3. Case III: Similar to Case I but uses raw TCP for subsequent communications.
  4. Case IV: Similar to Case II but relies on raw TCP instead of HTTP(S).

The system emphasizes detecting TTPs such as fallback channels, protocol impersonation, and low-profile communication patterns, which are often employed by APTs to evade detection.

Key Features of EARLYCROW

  • PAIRFLOW Format: PAIRFLOW captures detailed connection-level data, including FQDNs, URLs, user-agent strings, encryption settings, and statistical metrics like packet interarrival times and data exchange ratios.
  • Contextual Summaries: By grouping features into profiles for hosts, destinations, and URLs, EARLYCROW builds a comprehensive view of network activity.
  • Detection Versatility: The system performs well in scenarios where only encrypted HTTPS traffic is visible, achieving high accuracy without requiring payload decryption.

Overview of the EARLYCROW architecture.
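As an added illustration (not the researchers' code and not the real PAIRFLOW schema), the following Python sketches the two ideas the article describes: per-connection records carrying packet interarrival times, the longest idle gap and the outbound/inbound data exchange ratio, each mapped onto the four threat-model cases listed earlier, and then rolled up into per-destination contextual profiles. The packet tuple layout, the field names and the sample packets are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean
# Constructed sample packets (not real traffic):
# (time_s, client, server_ip, fqdn_or_None, direction, payload_bytes, proto)
PACKETS = [
    (0.00, "10.0.0.5", "203.0.113.7", "cdn.example", "out", 300, "https"),
    (0.05, "10.0.0.5", "203.0.113.7", "cdn.example", "in", 1200, "https"),
    (60.02, "10.0.0.5", "203.0.113.7", "cdn.example", "out", 310, "https"),
    (60.07, "10.0.0.5", "203.0.113.7", "cdn.example", "in", 1180, "https"),
    (0.10, "10.0.0.5", "198.51.100.9", None, "out", 40, "tcp"),  # no DNS lookup seen
    (30.10, "10.0.0.5", "198.51.100.9", None, "out", 40, "tcp"),
    (30.12, "10.0.0.5", "198.51.100.9", None, "in", 20, "tcp"),
    (60.10, "10.0.0.5", "198.51.100.9", None, "out", 40, "tcp"),
]

def threat_case(fqdn, proto):
    """Map a connection onto the article's four threat-model cases."""
    web = proto in ("http", "https")
    if fqdn:
        return "I" if web else "III"   # hard-coded FQDN: web vs raw TCP
    return "II" if web else "IV"       # hard-coded IP: web vs raw TCP

def build_pairflows(packets):
    """One PAIRFLOW-style record per (client, server) connection (assumed layout)."""
    by_conn = defaultdict(list)
    for p in packets:
        by_conn[(p[1], p[2])].append(p)
    flows = {}
    for key, pkts in by_conn.items():
        ts = sorted(p[0] for p in pkts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]   # packet interarrival times
        out_b, in_b = (sum(p[5] for p in pkts if p[4] == d) for d in ("out", "in"))
        flows[key] = {
            "fqdn": pkts[0][3], "proto": pkts[0][6], "packets": len(pkts),
            "mean_iat": mean(gaps) if gaps else 0.0,
            "max_idle": max(gaps) if gaps else 0.0,   # longest silence between packets
            "exchange_ratio": out_b / in_b if in_b else float("inf"),
            "case": threat_case(pkts[0][3], pkts[0][6]),
        }
    return flows

def destination_profiles(flows):
    """Contextual summary per destination: host count, idle time, cases seen."""
    prof = defaultdict(lambda: {"hosts": set(), "idle": [], "cases": set()})
    for (host, dst), f in flows.items():
        prof[dst]["hosts"].add(host)
        prof[dst]["idle"].append(f["max_idle"])
        prof[dst]["cases"].add(f["case"])
    return {d: {"hosts": len(v["hosts"]), "mean_max_idle": mean(v["idle"]),
                "cases": sorted(v["cases"])} for d, v in prof.items()}
```

A real deployment would derive these records from PCAP rather than hand-built tuples and would add the FQDN, URL and user-agent attributes the article lists; the point here is only how the statistical fields and the case labels fall out of per-connection aggregation.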

EARLYCROW was evaluated using real-world datasets containing both known and unseen APT malware samples. Key findings include:

  • Achieved a macro-average F1-score of 93.02% on unseen APT samples with a False Positive Rate (FPR) of just 0.74%.
  • Demonstrated robustness in detecting evasive TTPs across different deployment scenarios, including cases where only HTTPS traffic was accessible.
  • Outperformed baseline systems by effectively leveraging novel features such as data packet exchange idle times and fallback channel detection.

According to the research, EARLYCROW represents a significant advancement in the detection of stealthy APT campaigns.

By focusing on contextual summaries and innovative features tailored to APT TTPs, it provides security teams with an effective tool for early-stage detection of sophisticated threats.

Its ability to operate effectively in both HTTP and HTTPS environments ensures broad applicability across modern network infrastructures.

Heatmap for EARLYCROW-HTTPS

Further research could expand EARLYCROW’s capabilities to address other forms of malicious communication beyond HTTP(S), such as raw TCP or DNS tunneling.

Additionally, integrating EARLYCROW with existing Security Information and Event Management (SIEM) systems could enhance its operational utility in enterprise environments.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
