A report released by FireEye, a California-based network security firm, exposes an obfuscation tactic used by a group of Chinese hackers: they used Microsoft’s TechNet web portal to hide their botnet’s command-and-control infrastructure from standard countermeasures.
The group, known as APT17 and also as Deputy Dog, created public user profiles on Microsoft’s TechNet, a support and troubleshooting website for IT professionals, and embedded encoded command-and-control (CnC) data for a variant of the BLACKCOFFEE malware in them. The hackers did not compromise TechNet itself; the encoded data sat hidden in plain sight in TechNet forum posts and user profiles and acted as an intermediary link between BLACKCOFFEE-infected machines and APT17’s own infrastructure.
As Business Insider points out, TechNet’s security wasn’t breached, but ordinary forum pages and user profiles were used as hosting for the group’s malware data:
These hackers did not break into TechNet’s security. Instead they set up ordinary user profiles on TechNet, then stuffed those profiles with malware. They went to forum pages and dropped malware there, too. FireEye called it “hiding in plain sight.”
Hosting the encoded data on TechNet helped shield the traffic from botnet hunters, who actively seek out such traffic, because an infected machine’s outbound connections would appear to be going to a trusted, legitimate Microsoft site rather than to attacker-controlled infrastructure.
FireEye Threat Intelligence and the Microsoft Threat Intelligence Center discovered the tactic in late 2014 and began a joint counter-operation by “injecting encoded data onto some of the TechNet pages.” The report says that by doing this:
“The FireEye-Microsoft team was able to gain insight into the malware and the victims. This information will help them work with the anti-virus community to generate signatures to identify and clean systems affected by BLACKCOFFEE and alert other forum and message board managers to be on the lookout for this technique.”
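To make the mechanism concrete, the following Python is an added illustration, not code from the FireEye report and not BLACKCOFFEE’s real format (which this page does not describe). It sketches the three roles in a “dead drop resolver” scheme of the kind described above: the operator who plants an encoded endpoint in a profile, the implant that fetches the page and decodes it, and the forum operator or sinkhole team that scans for such entries and, once the format is recovered, rewrites them so implants resolve to a defender-controlled host. The marker strings `<<` and `>>`, the base64 encoding, the profile text and the addresses (documentation ranges) are all constructed assumptions.

```python
import base64
import ipaddress
import re

# Constructed example of a "dead drop resolver": the implant never carries its
# CnC address; it fetches a public page and decodes the address from it.
# The marker strings and the base64 encoding below are assumptions for
# illustration only; the page does not describe BLACKCOFFEE's real format.
MARKER_START = "<<"
MARKER_END = ">>"

# Constructed sample profile text. The signature line carries
# "203.0.113.7:443" (a documentation-range address) base64-encoded
# between the markers.
SAMPLE_PROFILE = (
    "Display name: sql_dba_mike\n"
    "About me: SQL Server DBA, 12 years in the field.\n"
    "Signature: <<MjAzLjAuMTEzLjc6NDQz>> thanks for reading\n"
)


def encode_dead_drop(ip: str, port: int) -> str:
    """Operator side: wrap an encoded endpoint in innocuous-looking markers."""
    payload = f"{ip}:{port}".encode("ascii")
    return MARKER_START + base64.b64encode(payload).decode("ascii") + MARKER_END


def _parse_endpoint(text: str):
    """Return (ip, port) if text looks like 'a.b.c.d:port', else None."""
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", text)
    if not m:
        return None
    try:
        ipaddress.IPv4Address(m.group(1))
    except ValueError:
        return None
    port = int(m.group(2))
    return (m.group(1), port) if 0 < port < 65536 else None


def resolve_dead_drop(page_text: str):
    """Implant side: locate the markers and decode the CnC endpoint.

    Returns (ip, port), or None when the page carries no usable drop."""
    pattern = re.escape(MARKER_START) + r"([A-Za-z0-9+/=]+)" + re.escape(MARKER_END)
    m = re.search(pattern, page_text)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None
    return _parse_endpoint(decoded)


def scan_profile_text(text: str) -> list:
    """Forum-operator side: flag base64-looking runs that decode to an IP:port.

    This scanner does not know the markers; it looks for the payload shape,
    which is what a moderator has to do before a campaign's format is known."""
    hits = []
    for m in re.finditer(r"[A-Za-z0-9+/]{12,}={0,2}", text):
        token = m.group(0)
        padded = token + "=" * (-len(token) % 4)  # accept unpadded runs
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except ValueError:
            continue
        endpoint = _parse_endpoint(decoded)
        if endpoint:
            hits.append({"offset": m.start(), "token": token,
                         "ip": endpoint[0], "port": endpoint[1]})
    return hits


def sinkhole_dead_drop(page_text: str, ip: str, port: int) -> str:
    """Defender side, once the format is recovered: rewrite the planted
    endpoint so implants that read this page resolve to a sinkhole."""
    pattern = re.escape(MARKER_START) + r"[A-Za-z0-9+/=]+" + re.escape(MARKER_END)
    return re.sub(pattern, lambda _m: encode_dead_drop(ip, port), page_text)


if __name__ == "__main__":
    print("implant resolves:", resolve_dead_drop(SAMPLE_PROFILE))
    print("scanner flags:", scan_profile_text(SAMPLE_PROFILE))
    sunk = sinkhole_dead_drop(SAMPLE_PROFILE, "192.0.2.10", 8443)
    print("after sinkhole:", resolve_dead_drop(sunk))
```

The scanner is deliberately format-agnostic: it only knows that a dead drop must decode to something an implant can connect to, so it pads and decodes every long base64-looking run and keeps the ones that yield a valid IPv4 address and port. A real campaign would use its own encoding and markers, and the sinkhole step only works once those are recovered, which is the kind of insight the joint FireEye-Microsoft effort obtained before it could inject its own encoded data onto the pages.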
The report, titled “APT17: Hiding in Plain Sight – FireEye and Microsoft Expose Obfuscation Tactic,” is freely available. FireEye hopes to make other forum and message board managers aware of this tactic: it has observed other groups using similar schemes and expects the technique to continue.

Further reading: FireEye, Microsoft, TechNet