What is a Beacon?

In IT security, a beacon is malware whose primary job is to send specific information about a compromised target system to the command-and-control (C&C) server. It transmits relevant information (IP address, hostname, system details) and thus signals that the target system has been successfully compromised and is awaiting commands from the C&C.

How do Beacons work?

The functionality of a beacon is relatively simple, and these small programs are generally kept minimal by design. They collect interesting and relevant information from an infected system and transfer it to the command center (C&C). The most important item is usually the IP address. Normally, a list of installed applications and excerpts of the output of certain commands are also sent. With this information, the attacker can perform targeted actions on the target computer: knowing which EDR system is installed, for example, they can try to disable it. The ultimate goal is to gain control over the system and to understand how it works and what options exist from an attacker's perspective.

What are typical characteristics of Beacons?

Attackers, hackers, and APTs want to prevent their beacons from being discovered, so they use sophisticated techniques to disguise their malware. The code is often obfuscated multiple times and in complex ways to make (automated) analysis more difficult. Disguising the beacon as legitimate software is also a proven technique. The communication is generally encrypted, so tools from the DPI (Deep Packet Inspection) area cannot recognize the traffic as malware from its content.

While there is very sophisticated malware that relies on specially developed protocols, the majority of beacons use standard protocols such as HTTP, HTTPS, or DNS to transfer data.

How can Beacons be detected?

Beacons, and malware in general, are designed not to be detected, and the developers of such tools make sure that detection is difficult. Nevertheless, there are several ways to detect beacons. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can spot suspicious activity and raise alarms. Endpoint Detection and Response (EDR) systems can also detect beacons: they analyze the behavior of programs and can thus flag suspicious activity.

An important tool for defenders is the analysis of network traffic and of program behavior on endpoints. With the help of machine learning and AI, even unknown beacons can be detected if they show anomalous behavior. From our practice, however, we know that this is a fight against windmills: the attackers are often one step ahead and adapt their malware to avoid detection. Infected systems often contain multiple backdoors and beacons so that the attacker retains control over the system.
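The network-traffic analysis mentioned above can be made concrete with a simple periodicity check: a beacon that calls home on a fixed interval (even with some jitter) produces very regular gaps between connections to the same destination, while ordinary traffic does not. The following script is an added example, not code from the original page; the log format (`timestamp src_ip dst_ip dst_port`) and the sample lines are constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
import statistics
from collections import defaultdict

# Constructed sample connection log (hypothetical format: "ts src dst dport").
# Flow 1 calls 203.0.113.7 roughly every 60 s with jitter; flow 2 is irregular browsing.
SAMPLE_LOG = """\
0.0 10.0.0.5 203.0.113.7 443
58.9 10.0.0.5 203.0.113.7 443
121.2 10.0.0.5 203.0.113.7 443
179.6 10.0.0.5 203.0.113.7 443
241.0 10.0.0.5 203.0.113.7 443
299.3 10.0.0.5 203.0.113.7 443
360.8 10.0.0.5 203.0.113.7 443
3.1 10.0.0.5 198.51.100.20 443
4.0 10.0.0.5 198.51.100.20 443
95.7 10.0.0.5 198.51.100.20 443
96.2 10.0.0.5 198.51.100.20 443
300.4 10.0.0.5 198.51.100.20 443
301.9 10.0.0.5 198.51.100.20 443
340.0 10.0.0.5 198.51.100.20 443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, dport) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows[(src, dst, int(port))].append(float(ts))
    return flows

def beacon_score(timestamps, min_connections=6):
    """Return (mean_interval, cv) or None if the flow has too few connections.
    cv = stdev / mean of the inter-arrival times: near 0 means a fixed callback
    interval; jitter raises it a little, human-driven traffic raises it a lot."""
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(intervals) / mean

def find_beacons(text, max_cv=0.2, min_connections=6):
    """List flows whose timing regularity is below max_cv (assumed threshold)."""
    suspects = []
    for flow, times in parse_log(text).items():
        score = beacon_score(times, min_connections)
        if score and score[1] <= max_cv:
            suspects.append((flow, round(score[0], 1), round(score[1], 3)))
    return suspects
```

A flagged flow is a lead, not a verdict: software updaters and monitoring agents also call home on fixed intervals, so the destination and the process behind the connection still need to be checked.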

Relevant information on Beacons

Command-and-Control Frameworks with Beacon Technology

  • Cobalt Strike
  • Brute Ratel
  • Havoc
  • PowerShell Empire
