FireEye and Microsoft have revealed a backdoor called BLACKCOFFEE, which the Chinese hacking group APT17 has used to break into a variety of high-level targets since 2013.
The command-and-control (C2) concealment tactic has now been shut down, but not before APT17 had conducted network intrusions against a variety of targets, including the US government, law firms and IT companies.
Most attackers choose to compromise easily manipulated websites to host command-and-control communications, a very noisy tactic that allows defenders to quickly locate their infrastructure.
According to FireEye, though, this is part of a new trend in which actors use the legitimate functionality of highly popular websites (e.g. posting comments on Microsoft TechNet) to embed encoded commands that only their malware can find and use to communicate back to the threat actor.
In this instance, after investigating TechNet, FireEye discovered that APT17 posted in forum threads and created profile pages to host encoded C2 IP addresses that would direct a variant of the BLACKCOFFEE backdoor to their C2 server.
Interestingly, TechNet’s own security was not compromised by this tactic, which could work on other forums and message boards as well.
Previously, APT17 had been observed using the popular search engines Google and Bing to obfuscate their activities and the locations of their hosts from security professionals.
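Because the pages hosting the encoded addresses are legitimate and the site itself is not compromised, the most reliable network-side signal is the malware's behaviour: a host re-fetching the same static profile or thread page at a near-constant interval. The following detection sketch is an added example, not FireEye's or Microsoft's code; the proxy log format and the host names, client addresses and user name in it are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log (hypothetical format: timestamp, client IP, URL).
# 10.1.1.20 re-fetches one profile page every ~10 minutes; 10.1.1.31 browses normally.
SAMPLE_LOG = """\
2015-05-14T09:00:03 10.1.1.20 https://social.technet.microsoft.com/profile/exampleuser/
2015-05-14T09:02:11 10.1.1.31 https://social.technet.microsoft.com/Forums/en-US/thread-1
2015-05-14T09:03:40 10.1.1.31 https://social.technet.microsoft.com/Forums/en-US/thread-2
2015-05-14T09:10:01 10.1.1.20 https://social.technet.microsoft.com/profile/exampleuser/
2015-05-14T09:20:05 10.1.1.20 https://social.technet.microsoft.com/profile/exampleuser/
2015-05-14T09:30:02 10.1.1.20 https://social.technet.microsoft.com/profile/exampleuser/
2015-05-14T09:40:04 10.1.1.20 https://social.technet.microsoft.com/profile/exampleuser/
2015-05-14T09:45:30 10.1.1.31 https://social.technet.microsoft.com/Forums/en-US/thread-1
2015-05-14T11:12:09 10.1.1.31 https://social.technet.microsoft.com/Forums/en-US/thread-1
2015-05-14T11:13:00 10.1.1.31 https://social.technet.microsoft.com/Forums/en-US/thread-1
"""

def parse_log(text):
    """Yield (timestamp, client, host+path) for each log line; the query string is dropped."""
    for line in text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        u = urlparse(url)
        yield datetime.fromisoformat(ts), client, f"{u.netloc}{u.path}"

def beaconing_hosts(records, min_hits=4, max_jitter=0.2):
    """Return {(client, page): mean_gap_seconds} for client/page pairs fetched at least
    min_hits times with near-constant spacing (coefficient of variation <= max_jitter).
    Regular polling of one static forum or profile page is the fingerprint of a
    dead-drop resolver; interactive browsing produces irregular gaps."""
    visits = defaultdict(list)
    for ts, client, page in records:
        visits[(client, page)].append(ts)
    flagged = {}
    for key, stamps in visits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg)
    return flagged

if __name__ == "__main__":
    for (client, page), period in beaconing_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{client} polls {page} every ~{period}s")
```

In production the same logic runs over real proxy or DNS logs, and a flagged page can then be reviewed by hand for encoded content.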
“This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organisations to detect and prevent advanced threats,” said Laura Galante, manager of threat intelligence at FireEye.
“Given its effectiveness, we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world.
“However, by working closely with companies like Microsoft and targeted organisations to develop threat intelligence, we can assist security professionals and disrupt these activities.”