The infamous APT17 DeputyDog hackers have been using Microsoft’s TechNet blog to distribute a dangerous Blackcoffee malware, according to researchers at FireEye.
The tactic was revealed in the Hiding in Plain Sight: FireEye Exposes Chinese APT Obfuscation Tactic research paper, which claimed the hackers have been using the blog as a means to hide their activities from security professionals.
“FireEye has determined that APT17, a China-based advanced persistent threat group, posted in forum threads and created profile pages to host encoded C2 IP addresses that would direct a variant of the Blackcoffee backdoor to their C2 server,” read the paper.
“They used legitimate infrastructure – the ability to post or create comments on forums and profile pages – to embed a string that the malware would decode to find and communicate with the true CnC IP address.”
The researchers said TechNet’s security was not compromised and the tactic could be used on most forums and blogs. They added the tactic is particularly troublesome as it makes spotting malicious activity more difficult.
“This additional obfuscation puts yet another layer between APT17 and the security professionals attempting to chase them down,” read the paper.
“APT17’s tactic – using a dead drop resolver and embedding encoded IP addresses as opposed to displaying it in plain text – can delay detection, discourage IT staff from discovering the actual CnC IP address, and prevent discovery of the CnC IP via binary analysis.”
The Blackcoffee malware offers the hackers a variety of powers.
“Blackcoffee’s functionality includes uploading and downloading files; creating a reverse shell; enumerating files and processes; renaming, moving, and deleting files; terminating processes; and expanding its functionality by adding new backdoor commands,” explained the paper.
The APT17 hacker group is believed to be based in China and has mounted high-profile cyber strikes on big name targets including the US government, the defence industry, law firms, information technology companies and mining companies in the past.
FireEye reported successfully shutting down the TechNet operation as part of a joint operation with Microsoft, but warned it expects similar attacks to appear in the very near future.
“We have already observed threat actors adopting similar techniques and moving some CnC activity to legitimate websites that they do not need to compromise,” read the paper.
“In the same vein, some threat actors have already begun using social media sites such as Twitter and Facebook for malware distribution and CnC.
“FireEye expects that threat groups are already using this technique, with their own unique variations, and others will adopt similar measures to hide in plain sight.”
APT17 is one of many threat campaigns believed to be sponsored by the Chinese government.
The US Department of Defense (DoD) warned on Monday that China is developing dangerous cyber attack tools that could knock a nation’s infrastructure offline using data stolen during high-profile hacks.