Title: C&C On-Demand: An Empirical Study of Web Application Abuse for Malware Command and Control

Abstract: Web applications (apps) provide a wide array of utilities that are being abused by malware authors as a replacement for attacker-deployed C&C servers. Stopping this Web App-based Command and Control (WACC) requires collaboration between Incident Responders (IRs) and web app providers. However, little research has been done to prove that WACC malware are prevalent enough to warrant such an investment. To this end, we designed Marcea, a malware analysis pipeline to study the prevalence of WACC. Marcea revealed 487 WACC malware in 72 families abusing 30 web apps over the last 15 years. Our research uncovered the number of WACC malware increased by 5.5 times since 2020 and that 86% did not need to connect to an attacker-deployed C&C server. Our study uncovered patterns indicating how specific web apps attract or disincentivize WACC malware. Moreover, web app engagement data collected by Marcea suggests that these malware are active enough to produce up to 5,844,144 access points. To date, we have used Marcea to collaborate with the web app providers to take down 70% of the active WACC malware.

Biography: Mingxuan Yao is a fourth year Ph.D. student in the School of Electrical & Computer Engineering(ECE) at  Georgia Institute of Technology, under the guidance of Professor Brendan Saltaformaggio in the Cyber Forensics Innovation (CyFI) Lab. He finished his Master Degree in Cybersecurity before that. His research interests lie in cyber attack forensics, and binary analysis techniques. His current research focuses on cyber-threats abusing prestigious web services, aiming to adopt different novel strategies to boost the analysis process.