Full Report
Authored by Margit Hazenbroek. At Fox-IT (part of NCC Group), identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in responses of HTTP servers. Sometimes cybercriminals that host malicious servers employ tactics that involve mimicking the responses of legitimate software to evade detection. However, … (excerpt from "The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses")
Analysis Summary
# Tool/Technique: Typo Detection in HTTP Responses (The Spelling Police)
## Overview
This concept describes a threat intelligence methodology focused on identifying malicious underground servers by analyzing deviations, specifically typos and textual errors, found within the HTTP response headers served by these targets. Cybercriminals often mimic legitimate software responses to evade common detection methods, but textual slip-ups (fingerprints) in these responses can betray their malicious nature.
## Technical Details
- Type: Technique
- Platform: HTTP Servers (Targeting server responses across the internet)
- Capabilities: Identification of unknown malicious infrastructure via anomaly detection in HTTP header formats, leveraging string similarity metrics like Levenshtein distance. Specifically called out is the detection of extraneous whitespace errors used by servers hosting Cobalt Strike.
- First Seen: The specific technique of leveraging typos is described in research published November 15, 2023, though reference is made to prior work identifying Cobalt Strike via similar means in 2019.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- **T1071 - Application Layer Protocol**
- T1071.001 - Web Protocols (Malicious C2 infrastructure often uses standard HTTP/HTTPS, making response fingerprinting a way to identify these instances.)
## Functionality
### Core Capabilities
- Proactive searching for unknown malicious servers hosted on the internet.
- Utilizing public scanning data (e.g., Censys) to sample a large batch of HTTP responses.
- Applying string comparison methodologies (Levenshtein distance) to flag responses that deviate from expected RFC-compliant HTTP structures.
### Advanced Features
- Using specific textual errors, such as extraneous whitespace in HTTP responses, as unique fingerprints to confirm high-confidence correlation with known malware infrastructure (e.g., Cobalt Strike Team Servers).
- Recognizing that typos alone are insufficient, requiring combination with other suspicious indicators to confirm malicious intent.
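The checks listed above (string distance against expected header names and status lines, plus extraneous whitespace) can be put together in a small scanner. The code below is an added example, not code from the Fox-IT article or from NCC Group; the header set, the thresholds and the sample responses are all constructed for illustration, and the page does not say where in a response the Cobalt Strike whitespace sits, so the trailing space in the sample status line is only a stand-in for that class of defect.

```python
"""Added example (not from the Fox-IT article): flag HTTP/1.x responses whose
status line or header names deviate slightly from the expected form, the kind
of near-miss the summary describes as a server fingerprint.  All sample
responses and the known-header list are constructed for illustration."""
import re
from http import HTTPStatus

# Canonical header names a well-behaved server emits (small, illustrative set).
KNOWN_HEADERS = {
    "Content-Type", "Content-Length", "Server", "Date", "Connection",
    "Cache-Control", "Set-Cookie", "Location", "Last-Modified", "Expires",
    "Pragma", "Vary", "ETag", "Transfer-Encoding", "Accept-Ranges",
}

# RFC 7230 status line: HTTP-version SP status-code SP reason-phrase.
# The reason phrase may be empty, but may not carry leading, double or
# trailing spaces, so "HTTP/1.1 200 OK " (trailing space) does not match.
STATUS_LINE_RE = re.compile(
    r"^HTTP/1\.[01] (?P<code>[1-5]\d{2}) "
    r"(?P<reason>(?:[A-Za-z][A-Za-z'\-]*(?: [A-Za-z][A-Za-z'\-]*)*)?)$"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by the standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest(name: str, candidates) -> tuple[str, int]:
    """Closest candidate to name (case-insensitive) and its distance."""
    best = min(candidates, key=lambda c: levenshtein(name.lower(), c.lower()))
    return best, levenshtein(name.lower(), best.lower())


def analyse_response(raw: str) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for one raw HTTP response head."""
    findings = []
    head = raw.split("\r\n\r\n", 1)[0]          # ignore the body
    lines = head.split("\r\n")
    m = STATUS_LINE_RE.match(lines[0])
    if not m:
        findings.append(("status_line", lines[0]))
    else:
        try:
            canonical = HTTPStatus(int(m["code"])).phrase
        except ValueError:                       # unregistered status code
            canonical = None
        reason = m["reason"]
        if canonical and reason and reason != canonical:
            if levenshtein(reason.lower(), canonical.lower()) <= 2:
                findings.append(("status_typo", f"{reason!r} vs {canonical!r}"))
    for line in lines[1:]:
        name, sep, _value = line.partition(":")
        if not sep:
            findings.append(("header_format", line))
            continue
        if name != name.strip():                 # e.g. "Server :" (space before colon)
            findings.append(("header_whitespace", name))
        name = name.strip()
        if name in KNOWN_HEADERS:
            continue
        close, dist = nearest(name, KNOWN_HEADERS)
        if 0 < dist <= 2:                        # near-miss, not just a different case
            findings.append(("header_typo", f"{name!r} vs {close!r}"))
    return findings


# Constructed sample responses (not real captures).
SAMPLES = {
    "clean": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
             "Content-Length: 5\r\n\r\nhello",
    "trailing_space": "HTTP/1.1 200 OK \r\nContent-Type: text/html\r\n\r\n",
    "reason_typo": "HTTP/1.1 404 Not Fuond\r\n\r\n",
    "header_typos": "HTTP/1.1 200 OK\r\nContent-Tpye: text/html\r\nServer : Apache\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyse_response(raw))
```

A hit from `analyse_response` is a lead, not a verdict: as the summary notes, typos alone are insufficient, so a real pipeline would join these findings with other indicators (certificate details, exposed paths, hosting history) before treating a host as malicious.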
## Indicators of Compromise
- **File Hashes:** N/A (Methodology focuses on network responses, not local artifacts)
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:** The methodology identifies *servers* hosting nefarious activities, such as Cobalt Strike C2 infrastructure. No concrete indicators are listed in this summary; in practice they take the form of **anomalous HTTP response headers** observed from internet-facing servers. The article also references prior work that identified Cobalt Strike team servers by similar response anomalies.
- **Behavioral Indicators:** Deviations from standardized HTTP response status line and header formats (e.g., presence of extraneous whitespace or misspellings in header values).
## Associated Threat Actors
- Unknown threat actors utilizing servers for malicious activities, specifically including those deploying **Cobalt Strike**.
## Detection Methods
- **Signature-based detection:** Based on known anomalous header patterns or known typos associated with specific malware C2 profiles.
- **Behavioral detection:** Automated scanning coupled with string distance algorithms (like Levenshtein) to identify deviations from expected protocol RFCs in live HTTP responses.
- **YARA rules:** Not explicitly mentioned, but the textual fingerprints lend themselves well to creating pattern-matching rules focused on HTTP response content.
## Mitigation Strategies
- **Prevention measures:** Ensure that all web servers and applications strictly adhere to relevant RFC standards for HTTP response generation, validating headers and status lines before sending them to remote clients.
- **Hardening recommendations:** Implement strict validation and sanitization layers for any automatically generated or templated HTTP responses, so that legitimate infrastructure emits spec-compliant output and is not mistaken for the lookalike servers this technique is designed to surface.
## Related Tools/Techniques
- Cobalt Strike (The article references using this technique to identify Cobalt Strike team servers).
- General HTTP Fingerprinting techniques.
- Threat intelligence techniques leveraging public internet scanners like Censys.