Malware Beaconing

Malware beaconing is one of the first network-related indications of a botnet or a peer-to-peer (P2P) malware infection. A botnet is a network of computers infected with malicious software that is controlled by a remote malicious party without the owners' knowledge. A P2P infection, by contrast, indicates malware that is moving laterally to infect one system after another. After malware infects a vulnerable host, it quickly scans the host environment and initiates a command and control (C2) channel with its creator (i.e. the intruder). The compromised host then makes malware beaconing calls at regular intervals out to the C2 infrastructure to await further installation or to begin data exfiltration.

Detect Malware Beaconing Traffic

Threatcare brings a proactive approach to cyber defense through cloud-based simulations that help with risk discovery while validating your risk mitigation techniques. The browser acts as a Threatcare agent on your host. Once you initiate our malware beaconing simulation from your browser, your host makes some GET requests to reclaimed malicious domains that are under Threatcare’s control. Whether you use enterprise or open source threat intelligence feeds, any attempted connection should look suspicious, since these once-malicious domains have been posted to most threat intelligence feeds. This malware beaconing simulation helps validate your DNS monitoring capabilities while leveraging your risk discovery strength toward threat intelligence.
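The two signals described above, callouts at regular intervals and connections to domains listed in a threat intelligence feed, can both be checked over DNS query logs. The following is an added example, not Threatcare's code; the log format, domains, feed contents and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DNS query log lines: "timestamp client_ip queried_domain".
SAMPLE_LOG = """\
2017-03-01T10:00:00 10.0.0.5 beacon.example.net
2017-03-01T10:00:00 10.0.0.7 av-updates.example.com
2017-03-01T10:00:05 10.0.0.7 www.example.org
2017-03-01T10:00:40 10.0.0.7 www.example.org
2017-03-01T10:01:00 10.0.0.5 beacon.example.net
2017-03-01T10:02:01 10.0.0.5 beacon.example.net
2017-03-01T10:02:30 10.0.0.9 sinkhole.example.net
2017-03-01T10:03:00 10.0.0.5 beacon.example.net
2017-03-01T10:04:00 10.0.0.5 beacon.example.net
2017-03-01T10:05:00 10.0.0.7 av-updates.example.com
2017-03-01T10:07:12 10.0.0.7 www.example.org
2017-03-01T10:10:00 10.0.0.7 av-updates.example.com
2017-03-01T10:15:00 10.0.0.7 av-updates.example.com
2017-03-01T10:30:00 10.0.0.7 www.example.org
"""
# Constructed stand-in for a threat intelligence feed of listed domains.
INTEL_FEED = {"beacon.example.net", "sinkhole.example.net"}

def group_queries(log):
    """Collect query timestamps per (client, domain) pair."""
    seen = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        ts, client, domain = parts
        seen[(client, domain.lower().rstrip("."))].append(datetime.fromisoformat(ts))
    return seen

def find_beacons(log, feed=INTEL_FEED, min_events=4, max_cv=0.1):
    """Map (client, domain) to the reasons it looks like beaconing."""
    findings = {}
    for (client, domain), times in group_queries(log).items():
        reasons = ["intel-match"] if domain in feed else []
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Low coefficient of variation = near-constant interval between queries.
        if len(times) >= min_events and mean(gaps) > 0 \
                and pstdev(gaps) / mean(gaps) <= max_cv:
            reasons.append("regular-interval")
        if reasons:
            findings[(client, domain)] = reasons
    return findings
```

The `av-updates.example.com` pair is flagged on timing alone, which shows how a scheduled update check produces the same pattern as a beacon; timing-only findings need review or an allowlist before alerting.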

Why Detecting Malware Beaconing is Important

Unfortunately, whether you’re an enterprise or an SMB company, it takes over 6 months on average before a breach is detected. That’s over 180 days in which an unidentified indicator of compromise (IOC) can gain daily insight about your infrastructure. To minimize the impact an IOC such as malware beaconing can have on your organization, quick response and effective recovery plans need to be leveraged. It’s becoming common practice for these intruders to do weeks upon months of reconnaissance on your infrastructure before initiating a breach. With this tactic (i.e. targeted attacks), intruders have the information they need to build sophisticated malware that can evade your conventional safeguards, e.g. antivirus, anti-malware, and endpoint protection.


Contrary to popular belief, attacks that are targeted to compromise an infrastructure are not as complicated as they seem. The means gathered during the reconnaissance phase (i.e. social engineering techniques) are simple and positioned so that users will click. Malware beaconing traffic can be mistaken for some types of DNS traffic, regular software updates, and antivirus definition updates. Proactive cyber defenders reduce false positives by leveraging real-world internal network IOCs against safeguards to ensure secure configurations.

© 2017 Threatcare. All rights reserved.
