China APT Group Hides C&C IP in TechNet Comments

Security researchers have discovered an infamous APT group using a new obfuscation technique utilizing Microsoft’s TechNet portal as part of its command and control system.

FireEye claimed that China-based APT17, first discovered back in 2013 and nicknamed ‘Deputy Dog’, has been creating accounts on TechNet and leaving comments which embed an encoded domain.

PCs infected by the group’s BLACKCOFFEE malware are instructed to contact this domain and will then be sent on to the real C&C address for further instructions.

If the group loses the C&C server then it can update the encoded IP address on TechNet to keep control of a victim’s machine, FireEye said.

This multi-layered technique, known by some as a ‘dead drop resolver’, is used to throw the white hats off the scent, the report claimed:

“APT17’s tactic—using a dead drop resolver and embedding encoded IP addresses as opposed to displaying it in plain text—can delay detection, discourage IT staff from discovering the actual CnC IP address, and prevent discovery of the CnC IP via binary analysis.”
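A defender-side illustration of the hunting problem this creates, added here and not taken from the article or from FireEye's or Microsoft's tooling: scan the text of a comment for IPv4 addresses hidden as hex, base64 or a 32-bit integer. The article does not describe APT17's actual encoding, so those three forms, the helper names and the sample comment (using a documentation-range address) are assumptions.

```python
import base64
import binascii
import ipaddress
import re

# Constructed sample comment. 203.0.113.10 is a documentation-range placeholder;
# it appears below as hex (CB00710A), base64 of the dotted quad, and a decimal dword.
SAMPLE_COMMENT = (
    "Thanks for the writeup! See also ticket CB00710A and ref MjAzLjAuMTEzLjEw "
    "for build 3405803786 that fixed it."
)


def _as_ipv4(raw: bytes):
    """Return an IPv4Address for 4 raw bytes or an ASCII dotted quad, else None."""
    try:
        if len(raw) == 4:
            addr = ipaddress.IPv4Address(raw)          # packed form
        else:
            addr = ipaddress.IPv4Address(raw.decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return None
    # Loopback, multicast and 0.0.0.0 cannot be a real C&C endpoint; drop them.
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return None
    return addr


def find_encoded_ipv4(text: str) -> set:
    """Return dotted quads recoverable from hex, base64 or decimal tokens in text."""
    found = set()
    # Exactly 8 hex digits -> 4 bytes (e.g. CB00710A -> 203.0.113.10)
    for tok in re.findall(r"\b[0-9A-Fa-f]{8}\b", text):
        if (addr := _as_ipv4(bytes.fromhex(tok))) is not None:
            found.add(str(addr))
    # Unsigned 32-bit integer written in decimal (e.g. 3405803786)
    for tok in re.findall(r"\b\d{8,10}\b", text):
        n = int(tok)
        if n <= 0xFFFFFFFF and (addr := _as_ipv4(n.to_bytes(4, "big"))) is not None:
            found.add(str(addr))
    # Base64 of either 4 raw bytes or the dotted-quad string
    for tok in re.findall(r"\b[A-Za-z0-9+/]{8,}={0,2}", text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        if (addr := _as_ipv4(raw)) is not None:
            found.add(str(addr))
    return found


if __name__ == "__main__":
    print(sorted(find_encoded_ipv4(SAMPLE_COMMENT)))
```

Timestamps, ticket numbers and hashes will also decode to plausible addresses, so hits from a scan like this are leads for an analyst to correlate against proxy or DNS logs, not verdicts.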

In partnership with Microsoft, FireEye has now encoded a sinkhole IP address into the relevant TechNet pages and locked the accounts to prevent the bad guys from making any changes.

FireEye has also released indicators of compromise for BLACKCOFFEE while Microsoft has released signatures for its anti-malware products.

APT17 is known to have targeted US government agencies, organizations in the defense, law, IT and mining sectors, and non-governmental bodies.

Cyber-criminals are increasingly looking for new platforms on which to host C&C IP addresses – for example social media sites like Facebook and Twitter – although APT17 has taken this one stage further with extra obfuscation.

FireEye’s chief security strategist, Jason Steer, argued that it would be difficult for businesses to spot similar tactics going forward.

“The interesting feature of this threat is that it will essentially pull the attackers’ communications closer to key business resources. If the malware can be embedded into critical resources it becomes tougher for businesses to isolate it and filter it out,” he told Infosecurity by email.

“In order to mitigate this threat, businesses will need to employ a mixture of intelligence and advanced security tools. The first step will be to raise awareness among staff about the nature of the operation. However, critical to any defense will be software that can identify, capture and potentially decode the crimeware. The more that can be understood about the attack, the easier it will be to protect business assets.”
