Threat actors may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Threat actors use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Threat actors may chain together multiple proxies to further disguise the source of malicious traffic.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.