As if CSOs don’t have enough to worry about, there’s word of a new command-and-control (CnC) trick: Forums and other social media sites are being used to host the encoded addresses that malware needs to find its controllers, without the sites themselves being compromised.
The tactic came to light this week after an investigation by threat prevention vendor FireEye into suspicious activity on Microsoft’s TechNet forum for IT pros. FireEye found that APT17, a China-based advanced persistent threat group also called DeputyDog, had posted in forum threads and created profile pages containing encoded CnC IP addresses. A variant of the BlackCoffee backdoor would retrieve those pages, decode the embedded string and connect to the group’s real command and control server.
It’s a technique some in the information security community call a “dead drop resolver.” Encoding the IP address makes it harder for network security professionals to identify the true CnC address, since what appears in the forum post is an innocuous-looking string rather than a dotted quad.
In effect, TechNet acted as a middleman: devices infected by BlackCoffee first fetched the attacker’s TechNet content to recover the address, then opened a second connection to the real CnC server. TechNet’s security was not compromised, and the malicious content has been neutralized on that site. But FireEye warns the technique will be used elsewhere.
BlackCoffee can upload and download files; create a reverse shell; enumerate files and processes; rename, move, and delete files; terminate processes; and expand its functionality by adding new backdoor commands. This particular variant contained one or more URLs pointing to the biography sections of attacker-created profiles, as well as to forum threads containing comments from those same profiles.
“This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organizations to detect and prevent advanced threats,” Laura Galante, FireEye’s manager of threat intelligence, said in a release. “Given its effectiveness, we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world.”
The use of BlackCoffee demonstrates threat actors’ evolving use of public websites to hide in plain sight, FireEye said in its report. In the past, threat actors would modify easily compromised websites to host CnC commands and configuration, as observed in the China-based APT1’s WEBCnC suite of backdoors. Now, threat actors are using well-known websites, which they do not need to compromise, to host CnC IP addresses. They simply use the website for legitimate purposes, such as posting forum threads or creating profile pages.
“APT17 went further to obfuscate their CnC IP address and employed a multi-layered approach for the malware to finally beacon the true CnC IP,” says FireEye. “They used legitimate infrastructure—the ability to post or create comments on forums and profile pages—to embed a string that the malware would decode to find and communicate with the true CnC IP address. This additional obfuscation puts yet another layer between APT17 and the security professionals attempting to chase them down.”
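To make the dead drop resolver mechanism described above concrete, here is an added worked example (written for this article, not code from FireEye or from BlackCoffee). It models both halves of the multi-layered approach FireEye describes: the implant fetches a legitimate profile page, pulls a marker-bounded string out of the biography and decodes it to the true CnC IP; and a defender scans proxy logs for the shape this leaves behind. The markers (`@@PROFILE@@` / `@@END@@`), the letter-substitution encoding, the sample profile page, the `FORUM_HOSTS` watchlist and the proxy log lines are all constructed assumptions for illustration; they are not the real BlackCoffee format, and the documentation-range address 198.51.100.23 stands in for a real CnC server.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# --- Constructed dead drop -------------------------------------------------------
# Assumptions for illustration only: the markers, the substitution alphabet and the
# sample page are NOT the real BlackCoffee/APT17 format.
START_MARKER = "@@PROFILE@@"
END_MARKER = "@@END@@"
# Each hex digit of the four IP octets is swapped for a letter so the token
# passes for a user handle (e.g. "durrutwi").
HEX_TO_SYM = dict(zip("0123456789abcdef", "qwertyuiopasdfgh"))
SYM_TO_HEX = {v: k for k, v in HEX_TO_SYM.items()}
TOKEN_RE = re.compile(re.escape(START_MARKER) + r"([a-z]{8})" + re.escape(END_MARKER))

# Constructed profile page as an attacker might fill it in.
SAMPLE_PROFILE_PAGE = """<html><body>
<div class="bio">Senior sysadmin, mostly PowerShell and Hyper-V.
Contact: @@PROFILE@@durrutwi@@END@@</div>
<div class="post">Has anyone else seen this event log entry?</div>
</body></html>"""


def encode_ip(ip: str) -> str:
    """Operator side: dotted quad -> handle-like token placed in the profile bio."""
    return "".join(HEX_TO_SYM[c] for c in ipaddress.IPv4Address(ip).packed.hex())


def decode_ip(token: str) -> str:
    """Implant side: reverse the substitution and rebuild the dotted quad."""
    if len(token) != 8 or any(ch not in SYM_TO_HEX for ch in token):
        raise ValueError("token is not a well-formed encoded IPv4 address")
    raw = bytes.fromhex("".join(SYM_TO_HEX[ch] for ch in token))
    return str(ipaddress.IPv4Address(raw))


def resolve_cnc(page_html: str) -> Optional[str]:
    """Dead drop resolution: the implant fetches the legitimate page (passed in
    here), finds the marker-bounded token and decodes it to the true CnC IP."""
    m = TOKEN_RE.search(page_html)
    return decode_ip(m.group(1)) if m else None


# --- Defender side ---------------------------------------------------------------
# A dead drop resolver leaves a recognisable shape in proxy logs: a fetch of a
# public forum/profile page, followed shortly by a connection straight to a
# literal IP, with no DNS lookup, because the address came out of the page.
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|CONNECT) (\S+)")
FORUM_HOSTS = ("social.technet.microsoft.com",)  # assumed watchlist of dead-drop-capable sites


def _is_literal_ip(dest: str) -> bool:
    host = dest.rsplit(":", 1)[0]
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def find_dead_drop_beacons(log_lines: List[str],
                           window: timedelta = timedelta(seconds=30)) -> List[Tuple[str, str, str]]:
    """Return (src, forum_url, ip_dest) for every host that fetched a watchlisted
    forum page and then connected to a literal IP within `window`."""
    last_forum_fetch = {}  # src -> (timestamp, url)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        src, method, dest = m.group(2), m.group(3), m.group(4)
        if method == "GET" and any(h in dest for h in FORUM_HOSTS):
            last_forum_fetch[src] = (ts, dest)
        elif method == "CONNECT" and _is_literal_ip(dest) and src in last_forum_fetch:
            fetched_at, url = last_forum_fetch[src]
            if ts - fetched_at <= window:
                hits.append((src, url, dest))
    return hits


# Constructed proxy log: 10.0.0.5 shows the dead-drop shape, 10.0.0.7 is a normal user.
SAMPLE_PROXY_LOG = [
    "2015-05-14T09:00:01Z 10.0.0.5 GET https://social.technet.microsoft.com/profile/example-user/ 200",
    "2015-05-14T09:00:04Z 10.0.0.5 CONNECT 198.51.100.23:443",
    "2015-05-14T09:05:00Z 10.0.0.7 GET https://social.technet.microsoft.com/Forums/ 200",
    "2015-05-14T09:05:10Z 10.0.0.7 CONNECT www.example.com:443",
]

if __name__ == "__main__":
    print("resolved CnC:", resolve_cnc(SAMPLE_PROFILE_PAGE))
    print("beacon candidates:", find_dead_drop_beacons(SAMPLE_PROXY_LOG))
```

The detection half is deliberately not keyed on the markers or the encoding: an operator picks those freely, so a defender who has not yet seen a sample has nothing to pattern-match. What the operator cannot hide is the sequence of a fetch from a legitimate site followed by a direct-to-IP connection that no DNS query preceded, which is why the check correlates those two events per source host rather than inspecting page content.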