Threat group leverages Microsoft's TechNet to communicate with malware

The threat involves BLACKCOFFEE malware, which FireEye has monitored APT17 using since 2013.
The threat involves BLACKCOFFEE malware, which FireEye has monitored APT17 using since 2013.

Researchers with FireEye Threat Intelligence and the Microsoft Threat Intelligence Center have observed a threat group using a command-and-control (C&C) obfuscation tactic leveraging Microsoft's TechNet website – specifically, the forums and profiles section.

The attackers using the technique are a China-based threat group known as APT17, or DeputyDog, which FireEye previously observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies and non-government organizations, according to a report.

The threat involves BLACKCOFFEE malware, which FireEye has monitored APT17 using since 2013. BLACKCOFFEE is capable of uploading and downloading files, moving and renaming and deleting files, terminating processes, adding new backdoor commands and creating a reverse shell, the report indicates.

The ultimate purpose of the tactic is to attempt to hide the true location of the malware's C&C IP address, Mike Oppenheim, intelligence operations manager with the FireEye Threat Intelligence team, told SCMagazine.com in a Thursday email correspondence.

Breaking it down simply, Oppenheim explained that the BLACKCOFFEE malware is programmed to reach out to a Microsoft TechNet page – attacker-created profile pages and forum threads, the report indicates – and look for a keyword string, which in this case is an encoded string between the terms “@Microsoft” and “Corporation.”

“The malware takes this encoded string, decodes it and the decoded string is an IP address that is the true command-and-control node that the BLACKCOFFEE malware will communicate with next,” Oppenheim said. “This IP is like a normal hop point utilized by the attacker and they can conduct other functions once connected.”

Upon discovering the activity and identifying the BLACKCOFFEE malware strings, the teams switched the encoded string to a sinkhole IP address owned by FireEye, Oppenheim said. Additionally, the accounts were locked to prevent changes from being made, the report stated.

“This way the machines with BLACKCOFFEE were communicating with our sinkhole machine and not communicating with the attacker machines,” Oppenheim said. “The machines are still infected with the BLACKCOFFEE malware and we are hoping that working with Microsoft and other security vendors, along with this blog being released, we can help clean up these other systems.”

By using these types of tactics, attackers no longer need to compromise websites and instead can simply rely on creating forum threads or profile pages on legitimate websites. Oppenheim said the technique can be hard to discover and stop.

“Companies can do some filtering on their platforms, but the size of platforms such as Twitter, Facebook, and Google makes it difficult to conduct this at scale,” Oppenheim said. “If you are a forum operator you can review the content more closely on your forums. However, it can be difficult to spot something as malicious if it's a random string of characters.”

Oppenheim said BLACKCOFFEE is getting on systems in the first place via fairly standard means, including spear phishing emails and strategic web compromises.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS