Jef Cozza of Top Tech News on Chinese threat actors hiding malware command-and-control addresses on Microsoft’s TechNet, part of a concerted effort, under way since at least 2013, to attack US government agencies, the defense industry, law and IT firms, and more:
The move by APT17 was not an attack against TechNet itself, whose security has not been compromised. Instead, the Chinese team was using the site in order to hide their command-and-control (CnC) IP addresses for the BLACKCOFFEE malware tool. Although other groups have used similar tactics, APT17 took it one step further by embedding encoded IP addresses in legitimate Microsoft profile pages, making it more difficult for IT security professionals to identify the malware’s true CnC addresses.
After discovering the BLACKCOFFEE activity, the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes. This approach allowed the team to observe the malware and its victims.
Though the security community has not yet broadly discussed this technique, FireEye said it has observed other threat groups adopting these measures and expects the trend to continue on other community sites. FireEye released indicators of compromise (artifacts seen on a network that indicate a computer intrusion) for BLACKCOFFEE, and Microsoft released signatures for its anti-malware products.
BLACKCOFFEE’s functionality includes uploading and downloading files; creating a reverse shell; enumerating files and processes; renaming, moving, and deleting files; terminating processes; and expanding its functionality by adding new backdoor commands. FireEye has monitored APT17’s use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal Web traffic by disguising the CnC communication as queries to Web search engines.
The entire report is well worth reading and discusses their tradecraft in detail. If you are at all interested in cyber security, this is a must-read.
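As an added illustration, not code from the report, from Top Tech News, or from this post, here is the dead-drop pattern described above reduced to a small Python model. The marker strings, the XOR-then-base64 encoding, the profile text and the IP addresses are all assumptions constructed for the example; they are not BLACKCOFFEE’s actual scheme. The model shows the three sides of the story: the implant resolving its CnC address from a page on a trusted domain, the sinkhole takeover that redirects it without touching the malware, and the hunting check a defender can run over page text.

```python
import base64
import ipaddress
import re

# Marker strings and obfuscation below are assumptions for this example,
# not BLACKCOFFEE's real scheme: the point is the pattern, not the bytes.
MARK_START = "[[bio:"
MARK_END = "]]"
XOR_KEY = 0x5A
TOKEN_RE = re.compile(
    re.escape(MARK_START) + r"([A-Za-z0-9+/=]+)" + re.escape(MARK_END)
)


def encode_ip(ip: str) -> str:
    """Operator side: pack an IPv4 address, XOR each byte, base64 the result."""
    packed = ipaddress.IPv4Address(ip).packed
    return base64.b64encode(bytes(b ^ XOR_KEY for b in packed)).decode("ascii")


def decode_ip(token: str) -> str:
    """Reverse of encode_ip; raises ValueError on anything that is not 4 bytes."""
    raw = base64.b64decode(token, validate=True)
    if len(raw) != 4:
        raise ValueError("token does not decode to an IPv4 address")
    return str(ipaddress.IPv4Address(bytes(b ^ XOR_KEY for b in raw)))


def build_profile(c2_ip: str) -> str:
    """Constructed stand-in for a forum profile page that hides the CnC address."""
    return (
        "Senior developer, .NET and Azure. Happy to help on the forums.\n"
        f"Contact: {MARK_START}{encode_ip(c2_ip)}{MARK_END}\n"
        "Posts: 42 | Joined: 2013\n"
    )


def resolve_c2(page_text: str):
    """Malware side (dead-drop resolver). A real implant would fetch the profile
    page over HTTPS from the trusted domain; here the page text is passed in.
    Returns the decoded address, or None if no usable token is present."""
    match = TOKEN_RE.search(page_text)
    if match is None:
        return None
    try:
        return decode_ip(match.group(1))
    except ValueError:
        return None


def sinkhole_profile(page_text: str, sinkhole_ip: str) -> str:
    """Defender side: with the account locked, rewrite every marked token so the
    unchanged resolver now returns the sinkhole address instead of the operator's."""
    replacement = f"{MARK_START}{encode_ip(sinkhole_ip)}{MARK_END}"
    return TOKEN_RE.sub(lambda _m: replacement, page_text)


def find_hidden_ips(page_text: str) -> list:
    """Hunting helper: every marked token that decodes cleanly to an IPv4 address
    is a candidate dead drop. A real hunt would go on to check reputation and
    reachability of each hit; this model just collects them."""
    found = []
    for token in TOKEN_RE.findall(page_text):
        try:
            found.append(decode_ip(token))
        except ValueError:
            continue
    return found


if __name__ == "__main__":
    # Both addresses are from IANA documentation ranges, constructed for the demo.
    page = build_profile("203.0.113.10")
    print("implant resolves :", resolve_c2(page))
    taken = sinkhole_profile(page, "198.51.100.5")
    print("after sinkholing :", resolve_c2(taken))
    print("hunting finds    :", find_hidden_ips(taken))
```

The caveat this pattern carries for detection: the implant’s lookup goes to a legitimate, reputable domain over ordinary HTTPS, so domain-reputation blocking and DNS monitoring see nothing wrong with it. What stands out instead is the follow-on connection to an IP address that no DNS query preceded, and repeated fetches of the same profile page or forum thread by a process that has no business browsing forums. The sinkhole step is also why locking the accounts mattered: once the defenders own the page, every existing implant obediently resolves to the sinkhole on its next lookup.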