{
	"id": "d582ab33-b219-4e4b-8966-fe7483b8f651",
	"created_at": "2026-04-06T00:12:10.332062Z",
	"updated_at": "2026-04-10T03:30:37.647588Z",
	"deleted_at": null,
	"sha1_hash": "c0313b9382efe10b7f5beb4c1688f2612f180c5f",
	"title": "IcedID BackConnect Protocol",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 382118,
	"plain_text": "IcedID BackConnect Protocol\r\nBy Erik Hjelmvik\r\nPublished: 2022-10-12 · Archived: 2026-04-05 21:09:11 UTC\r\nWednesday, 12 October 2022 18:24:00 (UTC/GMT)\r\nThis is a follow-up to my Hunting for C2 Traffic video. But I didn't have time to record a short video this time, so\r\nI wrote a long blog post instead.\r\nUPDATE 2022-11-02\r\nBrad Duncan has released a new pcap file on malware-traffic-analysis.net, which contains an additional C2\r\ncommand (0x12). Our analysis indicates that this command launches a file manager. This blog post has now been\r\nupdated with details about this finding.\r\nUPDATE 2022-11-09\r\nLenny Hansson has released IDS signatures that detect BackConnect traffic. More details further down in this\r\nblog post.\r\nUPDATE 2022-12-05\r\nLenny has updated his IDS signatures to alert on BackConnect C2 traffic from port 443 in addition to 8080. The\r\nsignatures in this blog post have now been updated to Lenny's new rev:2 signatures.\r\nUPDATE 2023-04-14\r\nBrad Duncan made the following suggestion in a toot yesterday:\r\nIf the protocol for this VNC traffic from Qakbot looks the same as the BackConnect traffic from IcedID\r\ninfections, perhaps we can just call it BackConnect Protocol without specifying \"IcedID\"\r\nThis is an excellent idea, since IcedID, QakBot as well as Bazar have all been seen using the same BackConnect\r\nprotocol. We will therefore refer to the protocol described in this blog post as just the “BackConnect Protocol”\r\nfrom now on. This blog post has also been updated accordingly.\r\nUPDATE 2023-10-02\r\nThe release of NetworkMiner 2.8.1 adds a BackConnect protocol parser to NetworkMiner.\r\nIcedID BackConnect C2 Packet Structure\r\nhttps://www.netresec.com/?page=Blog\u0026month=2022-10\u0026post=IcedID-BackConnect-Protocol\r\nPage 1 of 15\n\nThe BackConnect (BC) module uses a proprietary command-and-control (C2) protocol that is pretty straightforward. 
Both client (bot) and the C2 server typically send commands and responses as 13-byte packets using the\r\nfollowing structure:\r\nAuth: 4 bytes\r\nCommand: 1 byte\r\nParams: 4 bytes\r\nID: 4 bytes\r\nAuth Field\r\nThe \"Auth\" field is presumably used by the bot and C2 server to verify that the other party is communicating\r\nusing the same protocol and version.\r\nAs mentioned by Group-IB and xors, the Auth field is typically 0x974F014A (little endian), but we prefer to use\r\nthe network byte order representation \"4a 01 4f 97\".\r\nIn their IcedID blog post from 2020 Group-IB say:\r\nthe auth field that has not changed since at least version 5 of the IcedID core is the constant\r\n0x974F014A\r\nNevertheless, we recently noticed another BackConnect Auth field being used in the wild. But more on that later.\r\nCommands\r\nThe following list of BackConnect C2 commands has been compiled by combining those mentioned by Group-IB\r\nwith our own analysis of the BackConnect protocol:\r\n0x00 = Bot queries for a task\r\n0x01 = Set sleep timer\r\n0x02 = Bot error\r\n0x03 = Reconnect\r\n0x04 = Start SOCKS\r\n0x05 = Start VNC\r\nWe've also discovered these additional commands in BackConnect C2 traffic that uses the Auth value \"1f 8b 08 08\":\r\n0x11 = Start VNC\r\n0x12 = Start file manager\r\n0x13 = Start reverse shell\r\nCommands 0x04, 0x05, 0x11, 0x12 and 0x13 all cause the bot to connect back to the C2 server using a new\r\nBackConnect session, which will be used to wrap either SOCKS, VNC, file manager or reverse shell traffic.\r\nCommand 0x01: Set Sleep Timer\r\nThe set sleep timer command is issued by the C2 server to instruct the bot to sleep for a certain amount of time\r\nbefore requesting a new task from the C2 server again. The sleep time is defined in the four bytes following\r\ndirectly after the 0x01 command. 
This value is a 32-bit little endian value indicating the number of seconds the bot\r\nshould sleep, i.e. \"3c 00 00 00\" = 0x0000003c = 60 seconds. The most common sleep value seems to be 60\r\nseconds, which is why you'll often see byte sequences like this in IcedID C2 sessions:\r\nzz zz zz zz 01 3c 00 00 00 xx xx xx xx\r\nThe following Wireshark display filter will show BackConnect C2 packets, where the bot is configured to sleep\r\nfor 60 seconds before querying the C2 server for a new command:\r\ntcp.len == 13 and tcp.payload[4:5] == 01:3c:00:00:00\r\nCommand 0x04: Start SOCKS\r\nThe SOCKS command (0x04) instructs the bot to start the SOCKS module. As an example, the following byte\r\nsequence was sent by the IcedID C2 server 91.238.50.80:8080 in Brad Duncan's 2022-06-28 TA578 IcedID pcap\r\non malware-traffic-analysis.net (see frame #10231):\r\n4a 01 4f 97 04 09 00 00 00 8c a2 b1 09\r\nThe first four bytes are the auth value, followed by the Start SOCKS command (04).\r\nAfter receiving this command the bot established a new TCP connection back to the C2 server, where it echoed\r\nback the server's \"Start SOCKS\" command and then started acting like a SOCKS server.\r\nExcept for initially echoing the BackConnect Start SOCKS command the SOCKS module actually seems to be\r\ncompliant with RFC1928, which defines the SOCKS5 protocol. 
This means that the C2 server can supply an IP\r\naddress and port number to the bot's SOCKS proxy in order to relay a connection to that host through the bot.\r\nImage: C2 server instructs bot to relay a connection to 188.40.30.100:80\r\nAfter receiving a Start SOCKS command an IcedID bot immediately establishes a new TCP connection to the\r\nspecified IP and port, and relays the application layer data back to the C2 server through the SOCKS connection.\r\nImage: Update check of Advanced Port Scanner relayed through the infected machine\r\nIn the 2022-06-28 TA578 IcedID pcap the attacker used multiple SOCKS connections to scan the 10.6.21.0/24\r\nnetwork for services running on TCP ports 21, 80, 445 and 4899. That last port (TCP 4899) is typically used by\r\nRadmin VPN, which just so happens to be created by the outfit \"Famatech\" who also develop the \"Advanced Port\r\nScanner\". The attacker also used the SOCKS module to make several HTTPS connections to servers like\r\n18.204.62.252 (tlx.3lift[.]com), 23.94.138.115 (cmd5[.]org) and 74.119.118.137 (cat.da.us.criteo[.]com). The\r\nattacker also proxied connections to 40.97.120.242 and 52.96.182.162 (outlook.live.com) through the infected bot.\r\nImage: NetworkMiner showing hosts that the bot proxied TLS traffic to\r\nJA3 Fingerprints from Proxied Traffic\r\nSince the SOCKS proxy doesn't touch the application layer data we know that the client TLS handshake packets\r\nare coming from the C2 server rather than from the bot that's running the SOCKS proxy. 
This means that we can\r\nfingerprint the actual TLS client using JA3.\r\nAs you can see in the CapLoader screenshot above, most proxied TLS sessions use the\r\ncd08e31494f9531f560d64c695473da9 JA3 hash, but two of them use the rare JA3 hash\r\n598872011444709307b861ae817a4b60. That rare JA3 hash was used only when connecting to outlook.live.com.\r\nCommand 0x05 or 0x11: VNC\r\nBrad Duncan's 2022-06-28 TA578 IcedID pcap also contains the \"Start VNC\" command 0x05.\r\nImage: Flow transcript of Start VNC command\r\nAs can be seen in the CapLoader screenshot above, Start VNC commands were sent at 16:33:33 and 16:34:06\r\nUTC. And just like the SOCKS command, this caused the bot to establish a new connection back to the C2 server,\r\necho the \"Start VNC\" command and then proceed with the VNC traffic.\r\nImage: Flow transcript of IcedID VNC traffic in ASCII encoding\r\nCommand 0x13: Reverse Shell\r\nBrad posted a new capture file with network traffic from another IcedID infection last week (2022-10-04). 
He also\r\nnoted that the traffic to 51.89.201.236:8080 was different from normal IcedID post-infection traffic.\r\nAfter looking at this C2 traffic I discovered that it was in fact using the IcedID BackConnect protocol outlined in\r\nthis blog post, but the Auth field \"4a 01 4f 97\" had been replaced with \"1f 8b 08 08\".\r\nThat exact byte sequence is a common file header for gzip compressed files (RFC1952), where\r\n1f 8b = GZIP magic\r\n08 = DEFLATE compression\r\n08 = Original file name header present\r\nIcedID has previously been seen using fake gzip file headers in payloads, but this time even the C2 packets\r\ninclude the gzip header!\r\nImage: Transcript of TCP session to 51.89.201.236:8080\r\nThe C2 traffic also contained the command 0x13, which I hadn't seen before. Just like the SOCKS and VNC\r\ncommands, this one triggered the bot to establish a new connection back to the C2 server. But the bot sent a task\r\nquery command (00) this time, instead of echoing the C2 server's command (0x13). The new TCP session then\r\ntransitioned into what looks like a reverse shell session.\r\nImage: Transcript of reverse shell traffic from IcedID BackConnect session\r\nThe reverse shell traffic reveals that the attackers retrieved a list of domain admin users and then executed a\r\nPowerShell script from aicsoftware[.]com. This PowerShell script was used to install CobaltStrike beacon on the\r\nvictim's PC.\r\nCommand 0x12: File Manager\r\nWe discovered the file manager command after this blog post was published. 
This section has therefore been\r\nadded after the original publication of this blog post.\r\nThe following Wireshark display filter can be used to find file manager commands (0x12) in BackConnect C2\r\ntraffic that uses the \"1f 8b 08 08\" auth value:\r\ntcp.len == 13 and tcp.payload[0:5] == 1f:8b:08:08:12\r\nImage: File manager commands in BackConnect C2\r\nThe screenshot above shows that the file manager command was issued three times in 2022-10-31-IcedID-with-DarkVNC-and-Cobalt-Strike-full-pcap-raw.pcap.\r\nImage: BackConnect TCP sessions in CapLoader's Flows view\r\nAs you can see in the two screenshots above, each time a file manager command was issued in the C2 session\r\n(Wireshark screenshot) the bot established a new TCP connection back to the C2 server (CapLoader screenshot).\r\nThe file manager sessions use a proprietary protocol to perform tasks such as listing disks, changing directory and\r\nuploading files.\r\nWe've identified the following file manager commands:\r\nDISK = List drives\r\nCDDIR \u003cpath\u003e = Change directory\r\nPWD = Show current directory\r\nDIR = List current directory\r\nPUT \u003cpath\u003e = Upload file\r\nIDS Signatures\r\nLenny Hansson has released IDS signatures that can detect IcedID (and QakBot) BackConnect traffic. 
I'd like to\r\nhighlight four of Lenny's signatures here.\r\nAlert on \"sleep 60 seconds\" C2 command, regardless of Auth value:\r\nalert tcp $EXTERNAL_NET [443,8080] -\u003e $HOME_NET 1024: (msg:\"NF - Malware IcedID BackConnect - Wait Command\"; flow:established; flags:AP; dsize:13; content:\"|01 3c 00 00 00|\"; offset:4; depth:5; reference:url,networkforensic.dk; metadata:02112022; classtype:trojan-activity; sid:5006006; rev:3;)\r\nAlert on \"start VNC\" C2 command with \"4a 01 4f 97\" Auth:\r\nalert tcp $EXTERNAL_NET [443,8080] -\u003e $HOME_NET 1024: (msg:\"NF - Malware IcedID BackConnect - Start VNC command\"; flow:established; flags:AP; dsize:13; content:\"|4a 01 4f 97 05|\"; offset:0; depth:5; reference:url,networkforensic.dk; metadata:03112022; classtype:trojan-activity; sid:5006007; rev:2;)\r\nAlert on \"start VNC\" C2 command with \"1f 8b 08 08\" Auth:\r\nalert tcp $EXTERNAL_NET [443,8080] -\u003e $HOME_NET 1024: (msg:\"NF - Malware IcedID BackConnect - Start VNC command - 11\"; flow:established; flags:AP; dsize:13; content:\"|1f 8b 08 08 11|\"; offset:0; depth:5; reference:url,networkforensic.dk; metadata:03112022; classtype:trojan-activity; sid:5006011; rev:2;)\r\nAlert on \"start file manager\" C2 command with \"1f 8b 08 08\" Auth:\r\nalert tcp $EXTERNAL_NET [443,8080] -\u003e $HOME_NET 1024: (msg:\"NF - Malware IcedID BackConnect - Start file manager command\"; flow:established; flags:AP; dsize:13; content:\"|1f 8b 08 08 12|\"; offset:0; depth:5; reference:url,networkforensic.dk; metadata:03112022; classtype:trojan-activity; sid:5006008; rev:2;)\r\nA zip file containing Lenny's Snort rules can be downloaded from networkforensic.dk.\r\nQuestions and Answers\r\nAlright, that's all I had to say about the IcedID BackConnect C2 protocol. 
I'm now ready to take your questions.\r\nQ: Is IcedID's BackConnect VNC traffic the same thing as DarkVNC?\r\nNo, DarkVNC traffic doesn't use the BackConnect C2 Packet Structure described in this blog post. Also, one\r\ncharacteristic behavior of DarkVNC is that the first C2 packet contains a string that looks like one of these:\r\n(COMPUTERNAME)_ADDITIONAL_ID-DARKVNC\r\nBOT-COMPUTERNAME(USERNAME)_ID-REFnnn\r\nUSR-COMPUTERNAME(USERNAME)_ID-REFnnn\r\nAdditionally, the first four bytes in the DarkVNC packets containing one of the strings above are a 32-bit little\r\nendian length field. For more details on DarkVNC, see the archived blog post A short journey into DarkVNC\r\nattack chain from REAQTA.\r\nQ: Is IcedID's BackConnect VNC traffic the same thing as hVNC?\r\nAlmost. hVNC means \"hidden VNC\" and includes any type of malicious VNC server running on a victim's PC,\r\nincluding IcedID's VNC module as well as DarkVNC.\r\nQ: How did you get Wireshark to decode the SOCKS traffic from IcedID BackConnect?\r\n1. Open the pcap file from 2022-06-28 TA578 IcedID\r\n2. Apply display filter: tcp.port eq 8080\r\n3. Right-click, Decode As, TCP port 8080 = SOCKS\r\n4. Display filter: tcp.dstport eq 8080 and tcp.len eq 13 and tcp.payload[0:5] eq 4a:01:4f:97:04\r\n5. Select all packets (Ctrl+A)\r\n6. Edit, Ignore Packets (Ctrl+D)\r\n7. Display filter: socks.dst\r\nQ: Can CapLoader's Protocol Identification feature detect the BackConnect protocol?\r\nThe version used in this blog post (1.9.4) doesn't have a protocol model for the BackConnect protocol, but later\r\nversions can identify IcedID's BackConnect protocol regardless of port. 
CapLoader version 1.9.5 (and later) also\r\nalerts on BackConnect traffic.\r\nPosted by Erik Hjelmvik on Wednesday, 12 October 2022 18:24:00 (UTC/GMT)\r\nTags: #IcedID #QakBot #QBot #TA578 #BackConnect #SOCKS #SOCKS5 #VNC #JA3 #gzip #PowerShell\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2022-10\u0026post=IcedID-BackConnect-Protocol",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2022-10\u0026post=IcedID-BackConnect-Protocol"
	],
	"report_names": [
		"?page=Blog\u0026month=2022-10\u0026post=IcedID-BackConnect-Protocol"
	],
	"threat_actors": [
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775791837,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0313b9382efe10b7f5beb4c1688f2612f180c5f.pdf",
		"text": "https://archive.orkl.eu/c0313b9382efe10b7f5beb4c1688f2612f180c5f.txt",
		"img": "https://archive.orkl.eu/c0313b9382efe10b7f5beb4c1688f2612f180c5f.jpg"
	}
}