Cyber Security: Attacking through Command and Control

Cyber security means the security of cyber systems. It secures computer systems from cyber attacks and protects the system along with personal data, credentials, and passwords. Due to developments in technology, the risks and the cost of retaining services are becoming higher. Over the decade, cyber attacks have risen a lot, and one of the most dangerous is the Command and Control attack, which is done using the Domain Name System (DNS). It is also referred to as a C&C or C2 attack. When an organization is under this attack, it is crucial to get back to normal operation. Initially, the attack infects a computer system behind the firewall.

Cyber Security

The act of protecting oneself or software from the illegal or unauthorized use of electronic data is called Cyber Security. Cybersecurity has become so widely used over the years that it is now almost interchangeable with phrases like IT security or information security.

Command and Control Attack

  • Hackers may enter the system when the user unknowingly clicks a link or downloads an attachment in an email.

  • Malware can also enter via infected software or through security holes in a browser plug-in.

  • It can happen when the attacker directly installs the malware on the target system.

As soon as the computer has been successfully infected, it establishes communication with the malicious command and control server, indicating that the system is ready to receive commands. The infected machine carries out the instructions from the attacker's C2 server, which usually results in the addition of more malware. The attacker gains complete control over the network when other employees also run the malicious code.

Examples of Real Incidents with Command and Control Attacks


Apple was under attack in 2013. The hacker group could not affect all systems, only a few on the Cupertino campus. The hackers used Java bugs to attack the systems. The report by Apple revealed that no data was affected or corrupted, only viewed by the attackers.


The hacker group that attacked Apple also attacked Microsoft. Here the attackers exploited unfixed bugs to enter the system.

Steps involved in Command and Control Attack


Threat actors infect a system inside an enterprise (typically behind a firewall) with malware. Phishing emails, malicious advertising, weak browser plugins, and direct installation of the software using USB or disc are all ways to accomplish this.


The C&C channel is established once the first machine has been infected, and the infected system contacts the C&C server to inform it that it is ready to receive commands. The usual way to communicate between the sites and the C&C server is through trusted traffic channels like DNS.


The Command and Control server is created, and as long as the malware is not discovered, the infected system can receive more instructions from it. The C&C server will probably use this channel to give instructions to the infected computer, such as how to install additional malicious software, encrypt data, or even recursively extract data from the infected machine.


If the attackers are eager, they can tell the infected computer to search for vulnerabilities on other servers to migrate laterally over the network by using the C&C server as their command-and-control hub. This can result in the development of a botnet, or network of infected hosts, which can infect the company's whole IT infrastructure.
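A defender can look for the DNS-based channel described in the steps above in resolver logs. The following is an added example, not part of the original article: it flags clients that query many distinct long, random-looking subdomains under one parent domain. The log format, the sample lines, and the thresholds are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log lines: "timestamp client_ip qname" (not real data).
SAMPLE_LOG = """\
2023-04-11T09:00:01 10.0.0.5 www.example.com
2023-04-11T09:00:02 10.0.0.5 mail.example.com
2023-04-11T09:00:03 10.0.0.7 k3j9x0q2m7v1z8w4b6n5t2r1y0p9s8d7.t.example.net
2023-04-11T09:00:33 10.0.0.7 a8f2h6l0c4e9g3i7k1m5o2q6s0u4w8y3.t.example.net
2023-04-11T09:01:03 10.0.0.7 z1x5c9v3b7n2m6l0k4j8h3g7f1d5s9a2.t.example.net
2023-04-11T09:01:33 10.0.0.7 q7w3e9r1t5y0u4i8o2p6a0s4d8f3g7h1.t.example.net
2023-04-11T09:02:00 10.0.0.9 cdn.example.org
"""

def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than words."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def suspicious_dns(log_text, min_len=24, min_entropy=3.5, min_unique=3):
    """Return (client, parent_domain) pairs that look like a DNS C&C channel.

    Thresholds are illustrative assumptions, not tuned values.
    """
    unique_subs = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _, client, qname = fields
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part to inspect
        # Simplification: treat the last two labels as the registered domain;
        # production code should consult the Public Suffix List.
        parent = ".".join(labels[-2:])
        sub = "".join(labels[:-2])
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            unique_subs[(client, parent)].add(sub)
    # Many distinct long, high-entropy names under one parent suggest data
    # encoded in query names rather than ordinary lookups.
    return sorted(k for k, subs in unique_subs.items() if len(subs) >= min_unique)

if __name__ == "__main__":
    print(suspicious_dns(SAMPLE_LOG))
```

Legitimate services such as some CDNs and security products also generate long random-looking names, so hits from this check need an allowlist and analyst review before action.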

Devices Attacked through Command and Control

Finding a computer or network that is at risk of infection is a problem for hackers because the majority of firms are secured from outside threats. Internal network security protections are weaker once the attackers are inside, so even if the initially infected device is not the main target, it is the entry point. The following devices could be the focus of hackers −

  • Internet of Things (IoT) devices

  • Routers and Switches

  • Mobiles, tablets, and laptops

Causes of Command and Control Attack

When an attack happens, the following can occur:

  • Data Stealing − Personal information and other credentials may be stolen.

  • Shutdown and Reboot − When the machine is affected, it starts shutting down and rebooting itself.

  • Virus Attack − Once the hackers take control of the infected system, they can do anything, such as spreading the malware, corrupting systems, and misusing sensitive data, including for illegal purposes.

Architectures for Command and Control Attack

Command and control attacks employ a variety of server/client architectures. The architecture determines how the infected machine connects with the command and control server. Over time, several architectural designs have been created to minimize discovery, and some of them are:

Centralized Architecture

The classic client-server model and the centralized model are extremely similar. The malware that has been placed on the infected device serves as the client, periodically or occasionally dialing home to the server for instructions.
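Periodic dialing home leaves a timing pattern that defenders can measure. The following is an added example, not part of the original article: it groups connection records by source and destination and flags pairs whose gaps between connections are nearly constant (low coefficient of variation). The record format, sample events, and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1681203600  # arbitrary epoch start for the constructed sample
# Constructed connection records: (epoch_seconds, source_host, destination).
SAMPLE_EVENTS = (
    [(BASE + t, "10.0.0.7", "203.0.113.10") for t in (0, 60, 121, 180, 241, 300, 360)]
    + [(BASE + t, "10.0.0.5", "198.51.100.20") for t in (0, 5, 47, 300, 310, 900, 905)]
    + [(BASE + t, "10.0.0.9", "198.51.100.30") for t in (10, 70)]
)

def find_beacons(events, min_events=6, max_cv=0.1):
    """Return (source, destination, mean_gap_seconds, cv) for regular talkers.

    cv is the coefficient of variation of the gaps between connections:
    close to 0 means machine-like regularity, human traffic is bursty.
    min_events and max_cv are illustrative assumptions, not tuned values.
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst in events:
        stamps_by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg), round(cv, 3)))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EVENTS):
        print(hit)
```

Software update checks and monitoring agents are also regular, so results should be filtered against known-good destinations; malware that randomizes its check-in interval needs a looser `max_cv` and a longer observation window.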

Peer-to-Peer Architecture

It is a double-edged weapon: it is more difficult to detect, but it is also more challenging for the attacker to give commands to the entire botnet.

Random Architecture

The most difficult to recognize and counteract is the random C2 architecture. This is because the commands originate from several, arbitrary sources, including emails, content delivery networks (CDNs), social media posts and comments, and so forth.


A hacker often has to stay hidden in the system or network to engage in illegal activity to profit from stolen data. They utilize a command-and-control (C&C) server to accomplish this. C2 servers try to avoid discovery for as long as they can by simulating trustworthy or unmonitored traffic.

Updated on: 11-Apr-2023

