APT group’s malware retrieved C&C IP addresses from Microsoft’s TechNet portal
“A China-based APT group has been using Microsofts TechNet web portal to host encoded Command and Control IP addresses for its BLACKCOFFEE malware, FireEye researchers have revealed.
“While other groups have used legitimate websites to host C&C IP addresses, APT17 took the additional step of embedding encoded C&C IP addresses for the BLACKCOFFEE malware in legitimate Microsoft TechNet profile pages and forum threads, a method some in the information security community call a ‘dead drop resolver’,” the researchers explained in a report (registration required).
“Encoding the IP address makes it more difficult to identify the true C&C address for network security professionals,” they pointed out.
APT17, also known as DeputyDog, has been operating for several years now, targeting US government entities, defense contractors, tech companies, NGOs and other types of organizations.
They use the BLACKCOFFEE malware to upload files to and download them from the targets’ servers, as well as to create backdoors in them.
According to FireEye’s researchers, the group used to disguise C&C communication as queries to web search engines, and now has turned to using public websites such as TechNet to host C&C commands and configuration information.
The encoded IP address is located between two tags, @MICR0S0FT and C0RP0RATI0N, and the code is embedded in profile pages and forum threads.
“After discovering the BLACKCOFFEE activity, the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes. This collaborative approach allowed the team to observe the malware and its victims,” the researchers shared.
“This information will help them work with the anti-virus community to generate signatures to identify and clean systems affected by BLACKCOFFEE and alert other forum and message board managers to be on the lookout for this technique.”
In fact, other groups have already been spotted using it.
“Using legitimate websites to conceal C&C communications is a well known technique : social networks such as Facebook and Twitter have been used by cybercrimals for years. This is even true for document filesharing or document-sharing services such as Dropbox and Google Docs. Using steganography and crypto techniques in order to hide in plain sight sensitive informations such as C&C IP addresses in photos will give others opportunities to use others social networks such as Pinterest, Photobucket or Flickr. Identifying and blocking theses C&C channels will be particularly difficult for cybersecurity professionals as in most companies using social media is well established and you can not block them without impeding communication with your customers and colleagues,” Jeff Audenard, products and services security and threat Intelligence manager, Orange – Group Security Directorate, commented to Help Net Security.
“This is yet another example of how malicious actors will look to use highly popular websites to either cover their activities, control their botnets, or indeed to infect unsuspecting visitors to those sites,” says Brian Honan, CEO at BH Consulting. “Using highly popular websites enables criminals to control their botnets without raising suspicion as the related traffic would look normal to most security tools and professionals. Anyone tasked with managing and securing their website, especially those that allow user generated content, should take extra care to ensure it cannot be abused by criminals.”
FireEye has also released indicators of compromise for companies to check whether they have been targeted with BLACKCOFFEE malware.”