FRP
FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet.FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[1][2][3][4]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol:Web Protocols | FRP has the ability to use HTTP and HTTPS to enable the forwarding of requests for internal services via domain name.[1] |
| Enterprise | T1059 | .007 | Command and Scripting Interpreter:JavaScript | |
| Enterprise | T1573 | .001 | Encrypted Channel:Symmetric Cryptography | FRP can use STCP (Secret TCP) with a preshared key to encrypt services exposed to public networks.[1] |
| .002 | Encrypted Channel:Asymmetric Cryptography | |||
| Enterprise | T1046 | Network Service Discovery | As part of load balancingFRP can set | |
| Enterprise | T1095 | Non-Application Layer Protocol | FRP can communicate over TCP, TCP stream multiplexing, KERN Communications Protocol (KCP), QUIC, and UDP.[1] | |
| Enterprise | T1572 | Protocol Tunneling | FRP can tunnel SSH and Unix Domain Socket communications over TCP between external nodes and exposed resources behind firewalls or NAT.[1] | |
| Enterprise | T1090 | Proxy | FRP can proxy communications through a server in public IP space to local servers located behind a NAT or firewall.[1] | |
| .003 | Multi-hop Proxy | TheFRP client can be configured to connect to the server through a proxy.[1] | ||
| Enterprise | T1049 | System Network Connections Discovery | FRP can use a dashboard and U/I to display the status of connections from the FRP client and server.[1] | |
Groups That Use This Software
Campaigns
| ID | Name | Description |
|---|---|---|
| C0057 | 3CX Supply Chain Attack | During the3CX Supply Chain Attack,AppleJeus used a compiled version of the publicly availableFRP software to move laterally within the 3CX network.AppleJeus dropped the software in |
| C0043 | Indian Critical Infrastructure Intrusions | Indian Critical Infrastructure Intrusions included the use ofFRP to enable remote access.[7] |
References
- fatedier. (n.d.). What is frp?. Retrieved July 10, 2024.
- NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
- Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
- Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu, Daniel Scott. (2023, April 20). 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible. Retrieved August 25, 2025.
- Recorded Future Insikt Group. (2022, April 6). Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group. Retrieved November 21, 2024.