ROKRAT malware started with an email about Korean reunification

According to a new report from Cisco Talos researchers, the ROKRAT malware uses social media, Twitter in particular, as a command and control (C&C) channel.

The ROKRAT campaign starts, like so many others, with a spear-phishing email complete with a malicious document attached. The first known instance of the malware spoofed an email address of the Korea Global Forum, a group dedicated to the reunification of North and South Korea.

The attachment contains an embedded Encapsulated PostScript (EPS) object designed to exploit a known vulnerability (CVE-2013-0808) and download a binary disguised as a .jpg file.

Once this succeeds, things start getting really interesting: the ROKRAT executable (a remote access tool, or RAT for short) uses legitimate websites as its command and control infrastructure. The malware uses Twitter for C&C communications, and two cloud platforms, Yandex and Mediafire, for exfiltration.

SC Media UK spoke to the authors of the report, Warren Mercer, technical leader, and Paul Rascagneres, security researcher, both at Cisco Talos.

“It's all about flying under the radar,” they explained. “If threat actors are able to disguise their traffic as ‘normal', then they are less likely to alert security teams. Disguising malicious activity as connections to social media websites is perfect camouflage, and comes at very little cost to the bad guys.”

Paul Ducklin, senior technologist at Sophos, agrees that it's a matter of hiding in plain sight. “If the IT department notices a weird protocol on a weird port connecting to a weird server, and blocks it pending further investigation, they'll probably get an award,” Ducklin told SC.

Certainly, these communications channels are being utilised for a reason – quite simply, they work. They also “help hide persistence of a breached network”, according to the director of threat research at Webroot, David Kennerley.

What's more, given that social media networks seem in no great hurry to remove ‘unsavoury' content, claiming it's a technical challenge, Kennerley reckons, “We are a long way away from social media outlets being able to detect and block such C&C communications.”

Bharat Mistry, cyber-security consultant at Trend Micro, adds that companies like Twitter would “need to put a program in place to monitor and check site content including URLs posted on their site”, which he admits “is no easy task.”

And, as the managing principal security consultant at Nettitude, Chris Oakley, points out, “Network traffic to those well-known entities is likely to be encrypted, making it difficult to spot, which all works in the attacker's favour.”

As does the fact that most companies allow social media access and, as Javvad Malik, security advocate at AlienVault, says, “It is difficult to detect malicious activity going over standard ports to trusted websites.”
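The comments above all make the same point: when C&C rides on HTTPS to a trusted domain, the destination alone tells a defender nothing. What still works is looking at how a single client behaves towards that domain. The following Python script is an added example written for this article, not code from Cisco Talos or from any of the vendors quoted. It runs two behavioural checks over web-proxy logs: near-constant polling intervals (a browser driven by a human is far noisier than a malware beacon) and a user agent that no browser on the estate would send. The log format, hosts, thresholds and the user-agent strings are constructed for illustration and are not taken from the ROKRAT report.

```python
"""Behavioural detection of C&C hidden in traffic to trusted social-media hosts.

Added example for this article; not Talos code and not based on real logs.
Log format: "ISO-timestamp|client|host|user-agent" (constructed assumption).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: hosts the organisation allows and treats as "trusted".
WATCHED_HOSTS = {"api.twitter.com", "twitter.com", "www.mediafire.com",
                 "disk.yandex.com"}
# Assumption: substrings that appear in the estate's sanctioned browsers.
BROWSER_UA_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edge/")
MIN_REQUESTS = 6      # fewer samples than this and interval statistics mean little
MAX_JITTER = 0.15     # stdev/mean of inter-request gaps; beacons sit far below this

# Constructed proxy log: 10.0.0.7 polls every ~5 minutes with an old-looking UA,
# 10.0.0.22 is a person browsing Twitter in Chrome at irregular moments.
SAMPLE_LOG = """\
2017-04-10T09:00:00|10.0.0.7|api.twitter.com|Mozilla/4.0 (compatible; MSIE 6.0)
2017-04-10T09:05:02|10.0.0.7|api.twitter.com|Mozilla/4.0 (compatible; MSIE 6.0)
2017-04-10T09:10:00|10.0.0.7|api.twitter.com|Mozilla/4.0 (compatible; MSIE 6.0)
2017-04-10T09:14:58|10.0.0.7|api.twitter.com|Mozilla/4.0 (compatible; MSIE 6.0)
2017-04-10T09:20:01|10.0.0.7|api.twitter.com|Mozilla/4.0 (compatible; MSIE 6.0)
2017-04-10T09:25:00|10.0.0.7|api.twitter.com|Mozilla/4.0 (compatible; MSIE 6.0)
2017-04-10T09:30:03|10.0.0.7|api.twitter.com|Mozilla/4.0 (compatible; MSIE 6.0)
2017-04-10T09:01:12|10.0.0.22|twitter.com|Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-10T09:01:15|10.0.0.22|twitter.com|Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-10T09:01:49|10.0.0.22|twitter.com|Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-10T09:09:30|10.0.0.22|twitter.com|Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-10T09:09:31|10.0.0.22|twitter.com|Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-10T09:31:02|10.0.0.22|twitter.com|Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
2017-04-10T09:44:17|10.0.0.22|twitter.com|Mozilla/5.0 (Windows NT 10.0) Chrome/57.0
"""


def parse_log(text):
    """Yield (timestamp, client, host, user_agent) tuples from pipe-delimited lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ua = line.split("|", 3)
        yield datetime.fromisoformat(ts), client, host, ua


def interval_stats(timestamps):
    """Return (mean, population stdev) of the gaps between consecutive timestamps, in seconds."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return mean(gaps), pstdev(gaps)


def find_beacons(log_text):
    """Return {(client, host): [reasons]} for client->host pairs that look like C&C beaconing."""
    by_pair = defaultdict(list)
    uas = defaultdict(set)
    for ts, client, host, ua in parse_log(log_text):
        if host in WATCHED_HOSTS:
            by_pair[(client, host)].append(ts)
            uas[(client, host)].add(ua)

    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        reasons = []
        avg, sd = interval_stats(stamps)
        # Check 1: machine-like regularity. Human browsing has a jitter ratio well above 1.
        if avg > 0 and sd / avg < MAX_JITTER:
            reasons.append(f"periodic polling every ~{avg:.0f}s (jitter {sd / avg:.2f})")
        # Check 2: none of the user agents seen for this pair belongs to a sanctioned browser.
        if not any(any(m in ua for m in BROWSER_UA_MARKERS) for ua in uas[pair]):
            reasons.append("no browser-like user agent: " + ", ".join(sorted(uas[pair])))
        if reasons:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for (client, host), reasons in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}")
        for reason in reasons:
            print("   ", reason)
```

Neither check needs the request body, so it survives the TLS point raised above: a proxy or a passive sensor that sees only the hostname (from the proxy CONNECT or the TLS SNI) and the timing still has everything this script uses. Thresholds are the weak spot; a beacon with randomised sleep defeats the jitter test, which is why the user-agent check is kept as an independent signal.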

All of which explains why this isn't exactly a new move by the operators of such RAT malware.

Ducklin recalls an early case being the now infamous W32/Hybris virus from the year 2000. “This malware very cheekily posted its own encrypted-and-encoded updates into the internet newsgroup alt.comp.virus,” he explains. “The forum was unmoderated, by design, so there was no central authority empowered to remove the malware postings.”

Marco Cova, senior security researcher at Lastline, has a somewhat shorter memory, recalling an example from a couple of years ago. “OnionDuke was also using Twitter (and steganography) for its C&C,” he says. In 2011 there were also cases of “Mebroot using Twitter's trending topics data to generate the domain names it would use for exploiting its victims”.

And just last year, Hammertoss used Twitter to good effect. “A weapon of the APT 29 threat actor group,” Chris Pace, technology advocate at Recorded Future, told SC, “Hammertoss searched Twitter for a link to Github and then downloaded an image encrypted with instructions for the malware.”

Around the same time, Twitoor was discovered. This rogue Android app pretended to be a porn player but was actually banking malware. It used Twitter for C&C commands to download other malicious apps.

As Thomas Fischer, threat researcher and security advocate at Digital Guardian, confirms, “Exploiting social media for malware use is not limited to botnet C&C but also domain name registration and generation, and payload downloads.”