Hackers were using Microsoft’s TechNet blog site to distribute Blackcoffee malware, said researchers at FireEye.
The APT17 DeputyDog hackers have been using the blog as a means to hide their activities from security professionals, according to a FireEye research paper entitled “Hiding in Plain Sight: FireEye Exposes Chinese APT Obfuscation Tactic.”
“FireEye has determined that APT17, a China-based advanced persistent threat group, posted in forum threads and created profile pages to host encoded C2 IP addresses that would direct a variant of the Blackcoffee backdoor to their C2 server,” read the paper.
“They used legitimate infrastructure — the ability to post or create comments on forums and profile pages — to embed a string that the malware would decode to find and communicate with the true CnC IP address.”
The researchers said TechNet itself was not compromised, and that the same tactic could be used on most forums and blogs. They added that the tactic is troublesome because it makes malicious activity harder to spot.
“This additional obfuscation puts yet another layer between APT17 and the security professionals attempting to chase them down,” the paper said.
“APT17’s tactic — using a dead drop resolver and embedding encoded IP addresses as opposed to displaying it in plain text — can delay detection, discourage IT staff from discovering the actual CnC IP address, and prevent discovery of the CnC IP via binary analysis.”
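The dead drop resolver described above works only if the encoded address survives as ordinary-looking text in a post or profile. As an added illustration (not from the FireEye paper or this article), the Python script below shows the kind of check a defender or forum operator can run over user-supplied text to surface tokens that decode to an IPv4 address. The article does not describe APT17's encoding, so the two schemes tried here (raw hex and base64 of a dotted quad), the sample posts and the RFC 5737 documentation addresses standing in for C2 addresses are all constructed for the example.

```python
import base64
import binascii
import ipaddress
import re

# Networks that, if decoded from a post, are almost certainly noise rather than
# an external C2 address (RFC 1918, loopback, link-local, "this" network).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Runs of 8+ base64/hex alphabet characters that are not glued to other such characters.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")
HEX8_RE = re.compile(r"[0-9a-fA-F]{8}")


def _ipv4_from_packed(raw: bytes):
    """Exactly 4 raw bytes -> dotted quad string, else None."""
    return str(ipaddress.IPv4Address(raw)) if len(raw) == 4 else None


def _ipv4_from_text(raw: bytes):
    """ASCII dotted quad -> normalised string, else None."""
    try:
        return str(ipaddress.IPv4Address(raw.decode("ascii")))
    except (UnicodeDecodeError, ipaddress.AddressValueError):
        return None


def decode_token(token: str):
    """Try each assumed encoding; return [(scheme, ip)] for those that yield a valid IPv4."""
    found = []
    if HEX8_RE.fullmatch(token):                      # e.g. "cb007107" -> 203.0.113.7
        ip = _ipv4_from_packed(bytes.fromhex(token))
        if ip:
            found.append(("hex", ip))
    try:
        raw = base64.b64decode(token, validate=True)  # rejects bad alphabet or padding
    except binascii.Error:
        raw = None
    if raw is not None:
        ip = _ipv4_from_text(raw) or _ipv4_from_packed(raw)
        if ip:
            found.append(("base64", ip))
    return found


def verdict(ip: str) -> str:
    """Triage: internal ranges are noise; anything else goes to an analyst."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal address, likely noise"
    return "candidate C2, review"


def scan_posts(posts):
    """One finding per (post, token, scheme) whose token decodes to an IPv4 address."""
    findings = []
    for post in posts:
        for token in TOKEN_RE.findall(post["body"]):
            for scheme, ip in decode_token(token):
                findings.append({"post": post["id"], "token": token,
                                 "scheme": scheme, "ip": ip, "verdict": verdict(ip)})
    return findings


# Constructed sample posts (not real TechNet content). Documentation-range
# addresses stand in for C2 addresses; the encodings are assumptions.
HEX_TOKEN = ipaddress.IPv4Address("203.0.113.7").packed.hex()       # "cb007107"
B64_TOKEN = base64.b64encode(b"198.51.100.23").decode("ascii")
SAMPLE_POSTS = [
    {"id": 1, "body": "Has anyone seen this error on Server 2012 R2 after the latest update? Thanks in advance."},
    {"id": 2, "body": "Nice write-up. sig: @" + HEX_TOKEN + "@ regards"},
    {"id": 3, "body": "My profile tag is " + B64_TOKEN},
    {"id": 4, "body": "ref c0a80001 worked for me"},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post']}: {f['token']!r} -> {f['ip']} via {f['scheme']} [{f['verdict']}]")
```

Decode-and-validate checks like this produce false positives (any eight-character hex word such as "deadbeef" decodes to an address), so the output is a review queue for an analyst, not a block list; in practice the decoded addresses would be cross-checked against published indicators and against outbound connection logs from hosts that fetched the page.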
The payload in this scenario, the Blackcoffee malware, gives the attackers a broad set of capabilities.
“Blackcoffee’s functionality includes uploading and downloading files; creating a reverse shell; enumerating files and processes; renaming, moving, and deleting files; terminating processes; and expanding its functionality by adding new backdoor commands,” the paper said.
FireEye said it believes the APT17 group is based in China and has mounted high-profile attacks on big-name targets including the U.S. government, the defense industry, law firms, information technology companies and mining companies.
FireEye reported successfully shutting down the TechNet operation as part of a joint operation with Microsoft, but warned it expects similar attacks to appear in the future.
“We have already observed threat actors adopting similar techniques and moving some CnC activity to legitimate websites that they do not need to compromise,” the paper said.
“In the same vein, some threat actors have already begun using social media sites such as Twitter and Facebook for malware distribution and CnC.
“FireEye expects that threat groups are already using this technique, with their own unique variations, and others will adopt similar measures to hide in plain sight.”
APT17 is one of several threat groups that security researchers say could be sponsored by the Chinese government.
The Department of Defense (DoD) warned last week China is developing dangerous cyber attack tools that could knock a nation’s infrastructure offline using data stolen during high-profile hacks.