The Chinese gang known as “APT17” devised the scheme, which uses forum pages and profiles on Microsoft’s TechNet, to cover traffic from machines infected with the group’s Black Coffee malware, FireEye explained in the report, titled “Hiding in Plain Sight: FireEye Exposes Chinese APT Obfuscation Tactic.”
Only the Beginning
Malware typically receives instructions for the malicious activity it’s to perform on a machine from a command-and-control server operated by online miscreants. Those servers often are identified by Net defenders; when an infected machine makes a call to one of them, it tips off defenders that it’s sick, which enables them to clean up the device.
What APT17 did was design Black Coffee to send its command-and-control traffic to TechNet, so it appeared to Net defenders as though infected machines were contacting a legitimate website. The hackers then leveraged profiles on the site they created to contact the malware’s command-and-control server and send instructions to compromised machines.
“This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organizations to detect and prevent advanced threats,” said FireEye’s Threat Intelligence Manager Laura Galante.
“Given its effectiveness,” she added, “we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world.”
Difficult to Handle
What makes the tactic difficult to identify is that it’s hiding its activity in legitimate network traffic.
“If you’re looking at network traffic on a network infected with Black Coffee, you’re just going to see outbound requests to Microsoft TechNet,” said Mike Oppenheim, intelligence operations manager at FireEye.
“Since TechNet is widely used by IT professionals and IT security professionals around the world,” he told TechNewsWorld, “you’re just going to think this is legitimate traffic from my network to Microsoft TechNet.”
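Because the destination itself is legitimate, defenders cannot rely on a blocklist; what stands out instead is machine-like regularity, a single host refetching the same page at near-constant intervals. The following added example (not from the article or FireEye) runs that check over a constructed proxy log; the log format, hostnames and the `technet.example` URLs are assumptions.

```python
"""Flag low-jitter repeated fetches of one page in proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, one request per line: "<timestamp> <src_host> <url>".
# ws-017 polls one profile page every ~5 minutes; ws-042 browses normally.
SAMPLE_LOG = """\
2015-05-14T09:00:00 ws-017 https://social.technet.example/profile/user-a
2015-05-14T09:05:01 ws-017 https://social.technet.example/profile/user-a
2015-05-14T09:10:00 ws-017 https://social.technet.example/profile/user-a
2015-05-14T09:14:59 ws-017 https://social.technet.example/profile/user-a
2015-05-14T09:20:00 ws-017 https://social.technet.example/profile/user-a
2015-05-14T09:02:13 ws-042 https://social.technet.example/forums/thread/1
2015-05-14T09:31:40 ws-042 https://social.technet.example/forums/thread/2
2015-05-14T10:07:05 ws-042 https://social.technet.example/forums/thread/1
2015-05-14T11:45:12 ws-042 https://social.technet.example/profile/user-b
"""


def parse_log(text):
    """Group request timestamps by (source host, URL)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, host, url = line.split(" ", 2)
        series[(host, url)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(text, min_requests=4, max_jitter=0.05):
    """Return (host, url, mean_gap_seconds) for repetitive, low-jitter fetches.

    max_jitter caps the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; interactive browsing scores far higher.
    """
    hits = []
    for (host, url), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((host, url, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for host, url, gap in find_beacons(SAMPLE_LOG):
        print(f"{host} fetches {url} every ~{gap}s")  # ws-017 ... every ~300.0s
```

Thresholds need tuning per environment; on real logs, correlate hits with the page content actually returned before escalating.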
Once FireEye figured out the mechanics of the APT17 scheme, it alerted Microsoft to the situation, and the two companies worked together to unhinge the backdoor malware. First they substituted their code for the APT17 code on the malignant profile pages and redirected the Black Coffee traffic to a site controlled by FireEye. Then Microsoft locked the profile pages so they couldn’t be changed by APT17.
However, that won’t stop APT17 or any other threat actor from using the technique elsewhere — or even on TechNet again, under a different guise.
“It’s definitely a difficult thing to take care of and handle,” Oppenheim said.
Turning Tables on West
APT17 has a history of targeting U.S. government entities and international non-governmental organizations and private companies, including those in the defense industry, law firms, information technology companies and mining companies, noted FireEye.
It is among the small but growing number of groups to co-opt the legitimate purposes of popular websites in order to encode their command-and-control communications. Previously, APT17 used Google and Bing to obfuscate its activities and host locations.
APT17’s TechNet ruse represents a tactical change by Chinese hackers, noted Bill Hagestad II, a global information security researcher and author of several books on Chinese cyberwarfare.
“They’re going from the defensive to the offensive in securing their cyberspace,” he told TechNewsWorld.
“They’re also using the methods by which we share information against us,” Hagestad said.
“We all go to websites for help — from how to change a bike tire to changing oil on our car — and helpful people usually post a link for more information. No one tests the legitimacy of where those links are going to lead people,” he pointed out.
“In the West, everyone shares information with the supposition that we’re helping each other,” Hagestad added. “The Chinese are seeing that as an avenue they can exploit and use our rules of engagement for sharing technical information against us.”