BadPatch Malware Using SMTP on Port 26 for Command and Control
The BadPatch malware family utilizes SMTP on TCP port 26 for covert command and control of Windows systems, an atypical port for SMTP, posing a significant risk of unauthorized access and data exfiltration.
The BadPatch malware family has been observed employing a stealthy command and control (C2) mechanism by communicating over SMTP on TCP port 26. While port 25 is the standard for SMTP, port 26 is sometimes used by legitimate mail transfer agents to avoid conflicts or bypass network restrictions. Adversaries, including BadPatch, exploit this non-standard port to evade detection, making their C2 traffic less conspicuous. This technique allows BadPatch to establish covert communication channels with infected Windows systems, facilitating unauthorized control, data exfiltration, and further malicious activities. Detection engineers should be aware that while some legitimate email services might use port 26, its use by endpoint systems for outbound SMTP is highly suspicious and indicative of potential compromise.
Impact
If the BadPatch malware successfully establishes command and control via SMTP on port 26, compromised Windows systems can be subjected to unauthorized remote access and control. This allows attackers to execute commands, exfiltrate sensitive data, download additional malicious payloads, and further propagate within the network. The covert nature of this C2 channel makes it challenging to detect without specific monitoring, increasing the dwell time for attackers and potentially leading to significant data breaches, system disruption, and financial losses for targeted organizations.
Recommendation
- Deploy the Sigma rule "Detect SMTP on Port 26/TCP" provided in this brief to your SIEM/detection platform and tune it for your environment.
- Investigate all alerts generated by the "Detect SMTP on Port 26/TCP" rule, correlating with endpoint and network logs to identify the source process and destination.
- Review the network traffic logs from sources like Zeek or Corelight to identify any unusual patterns or anomalies associated with TCP port 26, focusing on any identified SMTP-like traffic.
- Implement firewall rules to restrict outbound connections on TCP port 26 from internal workstations, allowing exceptions only for known, legitimate mail servers if applicable.
- Correlate observed network connections to destination port 26 with threat intelligence sources mentioned in the references to identify known malicious indicators.
Detection coverage 1
Detect SMTP on Port 26/TCP
lowDetects network connections using TCP destination port 26, which can indicate covert command and control activity by malware like BadPatch, or legitimate non-standard SMTP traffic.
Detection queries are available on the platform. Get full rules →