Threat Intelligence, Malware

C&C attacks used plain text to drop malware on Quora and Yahoo! Answers

Security researchers have discovered a series of attacks that use written text on answers forums and other legitimate web sites to launch command and control instructions in order to implant malware and evade detection.

New research published by the Palo Alto Networks Unit 42 group examined two strains of new malware, which the researchers dubbed ‘Confucius' after the Chinese politician and philosopher.

One strain of the malware, called ‘Confucius_A', was linked to backdoor attacks known as Sneepy or ByeBye Shell, discovered by Rapid7 in 2013. The other strain, named ‘Confucius_B', “has a loose link” to attacks associated with Operation Patchwork and The Hangover Report, wrote Palo Alto Networks senior threat researcher Tom Lancaster and malware researcher Micah Yates in a blog post.

The attackers published written text on answers forums like Yahoo! Answers and Quora and used Confucius_A malware to receive command and control instructions and send stolen data. “In most cases where we have been able to identify the droppers, the attack begins with an executable file being sent directly to targets via e-mail,” the researchers noted. The malware also used event invitations, fake updates to software, political and news sites, and pornography to launch droppers.

Imperva director of security strategy Deepak Patel noted that the infection mechanism underscores the need for site owners to take precautions to ensure their sites cannot be compromised. “Use a WAF to protected against attackers trying to add malicious code, or detect already existing web-shells used by attackers,” he wrote to SCMagazine.com.

The Palo Alto Networks researchers believe the Confucius malware strains were developed by attackers in India and are aimed at Pakistani targets, like earlier attacks associated with Hangover, Sneepy, and ByeBye Shell.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.