Organizations may soon be able to detect in real time stealthy “beacons,” like Cobalt Strike, Sliver, Empire, Mythic, and Havoc.
Varonis Threat Labs has unveiled Jitter-Trap, a clever new technique that claims to exploit attackers’ own dodgy tactics against them, detecting the randomness cybercriminals use to stay hidden.
“Leveraging the randomness (jitter) that threat actors intentionally introduce to evade detection is definitely a novel approach to detect stealthy beacon traffic used in post-exploitation and command-and-control (C2) communications during cyberattacks,” said Agnidipta Sarkar, chief evangelist at ColorTokens Inc. “However, because jitters occur later in the attack cycle, detecting post-exploitation C2 communications cannot identify the initial compromise.”
According to Varonis (Nasdaq:VRNS), these post-exploitation tools inject random delays (jitter) into their check-ins, hoping to blend in with normal traffic. This ‘natural’ randomness, however, leaves a fingerprint that Jitter-Trap can detect and flag.
How Jitter-Trap sniffs the hidden pattern
Jitter-Trap digs into the timing of network requests made by these beacons, discovering uniform statistical patterns that rarely appear in genuine traffic, and uses them to unmask threats.
“If mathematics can turn an attacker’s evasion tactic into a detection signal, it would be very, very potent to determine the attacker through this behaviour indicator,” Sarkar added.
Varonis researchers said these beacons set a base (sleep) interval (e.g., 60 seconds) and add a jitter (±20%), producing check-in intervals that are uniformly distributed, between 48s and 72s in this instance. Jitter-Trap flags that uniform spread as a red flag using statistical tools such as the Kolmogorov-Smirnov and chi-square tests.
“Sleep and Jitter are parameters related to how the beacon manages its communication or ‘polling’ intervals in the context of post-exploitation frameworks,” Masha Garmiza, security researcher at Varonis, said in a blog post. “The sleep parameter defines the fixed interval of time that the beacon will wait to check in for the next command. The jitter adds randomness to the sleep duration, as opposed to having a fixed sleep time.”
Beyond timing, some beacons randomize payload sizes or generate semi-random URLs each time, as seen with PoshC2 or Sliver. When the ratio of unique URLs closely approaches 100%, it raises a behavioral alarm, Garmiza said.
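The two behavioral checks described above (a uniform band of check-in intervals around a sleep value, and a near-100% ratio of unique request URLs) can be illustrated with a small self-contained script. This is an added example, not Varonis's Jitter-Trap code or any of the beacon frameworks' code: it implements a plain Kolmogorov-Smirnov distance and a 10-bin chi-square goodness-of-fit against a uniform band, with the 0.05 critical values assumed from standard tables, and all timestamps and URL lists are constructed inline. The classification thresholds and the `estimate_sleep_and_jitter` helper are assumptions for the demonstration.

```python
import math
import random

# Assumed alpha = 0.05 critical values from standard tables: KS for large n
# (1.36 / sqrt(n)) and chi-square with 9 degrees of freedom (10 bins).
KS_CRIT_FACTOR = 1.36
CHI2_CRIT_DF9 = 16.92
BINS = 10


def intervals_from_timestamps(timestamps):
    """Inter-arrival gaps (seconds) between consecutive check-ins from one host."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def ks_uniform_statistic(samples):
    """Kolmogorov-Smirnov distance between the empirical CDF of the samples and
    a uniform distribution on [min, max] of the samples (endpoints from data)."""
    xs = sorted(samples)
    n = len(xs)
    lo, hi = xs[0], xs[-1]
    if hi == lo:
        return 1.0  # every interval identical: there is no spread to test
    d = 0.0
    for i, x in enumerate(xs):
        f = (x - lo) / (hi - lo)  # uniform CDF at x
        d = max(d, abs((i + 1) / n - f), abs(f - i / n))
    return d


def chi_square_uniform(samples, bins=BINS):
    """Chi-square goodness-of-fit of the samples against equal-width bins that
    a uniform band would fill evenly."""
    xs = sorted(samples)
    n = len(xs)
    lo, hi = xs[0], xs[-1]
    if hi == lo:
        return float("inf")
    counts = [0] * bins
    for x in xs:
        idx = min(int((x - lo) / (hi - lo) * bins), bins - 1)
        counts[idx] += 1
    expected = n / bins
    return sum((c - expected) ** 2 / expected for c in counts)


def estimate_sleep_and_jitter(samples):
    """Recover (sleep, jitter) assuming gaps fill [sleep*(1-j), sleep*(1+j)]."""
    lo, hi = min(samples), max(samples)
    sleep = (lo + hi) / 2
    return sleep, (hi - lo) / (2 * sleep)


def classify_intervals(samples):
    """'fixed' for constant polling, 'jitter-like' when both tests accept a
    uniform band, 'other' for everything else (skewed, organic timing)."""
    n = len(samples)
    if max(samples) == min(samples):
        return "fixed"
    ks_ok = ks_uniform_statistic(samples) < KS_CRIT_FACTOR / math.sqrt(n)
    chi_ok = chi_square_uniform(samples) < CHI2_CRIT_DF9
    return "jitter-like" if (ks_ok and chi_ok) else "other"


def unique_url_ratio(urls):
    """Share of distinct request paths; values near 1.0 match the semi-random
    URL generation the article attributes to PoshC2 and Sliver."""
    return len(set(urls)) / len(urls)


if __name__ == "__main__":
    rng = random.Random(7)
    # Constructed beacon: 60 s sleep with +/-20% jitter -> gaps uniform on [48, 72].
    t, beacon_ts = 0.0, []
    for _ in range(200):
        t += 60 * (1 + rng.uniform(-0.2, 0.2))
        beacon_ts.append(t)
    gaps = intervals_from_timestamps(beacon_ts)
    sleep, jitter = estimate_sleep_and_jitter(gaps)
    print("beacon:", classify_intervals(gaps), f"sleep~{sleep:.1f}s jitter~{jitter:.2f}")
    # Constructed organic traffic: exponential gaps with the same 60 s mean.
    organic = [rng.expovariate(1 / 60) for _ in range(200)]
    print("organic:", classify_intervals(organic))
    # Constructed URL lists: randomized paths versus one repeated fixed path.
    random_paths = [f"/api/{rng.getrandbits(32):08x}" for _ in range(50)]
    print("unique URL ratio:", unique_url_ratio(random_paths),
          unique_url_ratio(["/index.html"] * 50))
```

Taking the uniform band's endpoints from the data makes the tests slightly lenient (the fitted band always matches the extremes), so in practice a detector would also require a minimum number of check-ins per host and a plausible spread before raising an alert; the 'fixed' class is reported separately because constant polling is the "consistent polling" case the article contrasts with jitter.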
Turning evasion into detection
Beacons represent one of the most difficult-to-detect stages in an attack, enabling stealthy command-and-control (C2) communication long after the initial compromise, thereby threatening data theft, lateral movement, or ransomware deployment.
Bambenek Consulting’s president, John Bambenek, said Jitter-Trap could help stop breaches before they start. “Beaconing is common malware behavior post-exploitation where infected machines reach out for instructions and wait until there are some,” he said. “During this crucial time, the threat actor isn’t doing anything for their final phase of the attack, so if you can reliably detect beaconing behavior, you can interrupt breaches before the threat actor completes their objectives.”
As attackers tweak C2 profiles, shuffle payloads, or obfuscate binaries to evade static detection methods, Jitter-Trap shifts the defense toward behavioral metadata that attackers can’t easily disguise.
“Even if initial security measures fail to recognize and block a beacon sample, the detection of beacon traffic during the post-exploitation phase remains crucial,” Garmiza added. “Jitter-Trap demonstrates how patterns of randomness, often employed for evasion, can be leveraged to uncover the presence of such traffic.”
The blog post noted that jitter-like patterns rarely occur in normal traffic (just 4%, compared to 8% for consistent polling), which makes Jitter-Trap a high-precision detection tool in real-world environments.
“Detection of cyber attack patterns is the first and most crucial step in cybersecurity,” said Pareekh Jain, CEO and lead analyst at Pareekh Consulting. “Predefined cybersecurity processes provide predictability, enabling attackers to plan their moves. Introducing randomness into these processes can improve early detection and prevention. This is exactly what solutions such as Jitter-Trap aim to do — disrupt predictability by injecting randomness into the system.”