Chinese Cyberspies Hid Malware Commands on Microsoft's TechNet
According to a report by FireEye titled “Hiding in Plain Sight: FireEye and Microsoft Discover New Obfuscation Tactic,” the activity was the handiwork of the Chinese hacker group APT17. The group, also known as Deputy Dog, has been actively attacking organizations including U.S. government entities, defense industry companies, law and IT firms, NGOs, and mining companies since at least 2013.
Hiding in Plain Sight
The move by APT17 was not an attack against TechNet itself, whose security has not been compromised. Instead, the Chinese team was using the site in order to hide their command-and-control (CnC) IP addresses for the BLACKCOFFEE malware tool. Although other groups have used similar tactics, APT17 took it one step further by embedding encoded IP addresses in legitimate Microsoft profile pages, making it more difficult for IT security professionals to identify the malware’s true CnC addresses.
After discovering the BLACKCOFFEE activity, the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes. This approach allowed the team to observe the malware and its victims.
Though the security community has not yet broadly discussed this technique, FireEye said it has observed other threat groups adopting these measures and expects the trend to continue on other community sites. FireEye released indicators of compromise -- artifacts seen on a network that indicate a computer intrusion -- for BLACKCOFFEE, and Microsoft released signatures for its anti-malware products.
BLACKCOFFEE’s functionality includes uploading and downloading files; creating a reverse shell; enumerating files and processes; renaming, moving, and deleting files; terminating processes; and expanding its functionality by adding new backdoor commands. FireEye has tracked APT17’s use of BLACKCOFFEE variants since 2013. The malware masquerades its CnC communication as normal Web traffic by disguising it as queries to Web search engines.
Other Hackers Doing the Same
APT17 went further to obfuscate its CnC IP address and employed a multi-layered approach before the malware finally beacons to the true CnC IP. The group used legitimate infrastructure, in this case the ability to post or create comments on forums and profile pages, to embed a string that the malware fetches and decodes to find and communicate with the true CnC IP address. This additional obfuscation puts yet another layer between APT17 and the security professionals attempting to chase them down.
FireEye said it has already observed threat actors adopting similar techniques and moving some CnC activity to legitimate Web sites that they do not need to compromise. In the same vein, some threat actors have already begun using social media sites such as Twitter and Facebook for malware distribution and CnC.
APT17’s tactic of using a dead drop resolver (a legitimate public page the implant reads to learn its real CnC address) and embedding encoded IP addresses rather than displaying them in plain text can delay detection, discourage IT staff from discovering the actual CnC IP address, and prevent discovery of the CnC IP through binary analysis, since the address is never stored in the implant itself. FireEye said it expects that some threat groups are already using this technique, with their own unique variations, and that others will adopt similar measures to hide in plain sight.
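The following is an added example, not code from FireEye, Microsoft, or the BLACKCOFFEE sample, that models the dead drop resolver pattern described above from both sides. The marker strings (`@DROP` / `@END`), the XOR-then-hex encoding, the sample profile page and the IP addresses (RFC 5737 documentation ranges) are all assumptions chosen for illustration; the real implant's markers and encoding are not reproduced here. It shows how an implant recovers a CnC address from page text with no IP in its own binary, how a defender can scan a page for the same tokens, and how re-encoding a sinkhole address into the page redirects the implant.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical delimiters and encoding key (assumptions, not the real malware's values).
OPEN_TAG = "@DROP"
CLOSE_TAG = "@END"
XOR_KEY = 0x5A


def encode_ip(ip: str) -> str:
    """Turn a dotted-quad IPv4 into a marker-delimited token fit for a forum post or bio."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    # Each octet is XORed with the key and written as two hex digits, so the
    # token never contains a dotted IP that a grep for "\d+\.\d+\.\d+\.\d+" would find.
    return OPEN_TAG + "".join(f"{o ^ XOR_KEY:02x}" for o in octets) + CLOSE_TAG


def decode_ip(token: str) -> str:
    """Inverse of encode_ip: strip the markers, un-XOR each hex pair, rebuild the address."""
    body = token[len(OPEN_TAG):len(token) - len(CLOSE_TAG)]
    if len(body) != 8:
        raise ValueError(f"malformed token: {token!r}")
    return ".".join(str(int(body[i:i + 2], 16) ^ XOR_KEY) for i in range(0, 8, 2))


# One token = exactly eight lowercase hex digits between the two markers.
TOKEN_RE = re.compile(re.escape(OPEN_TAG) + r"([0-9a-f]{8})" + re.escape(CLOSE_TAG))


def resolve_from_page(page_text: str) -> Optional[str]:
    """Implant side: given the fetched profile page, return the CnC IP or None.

    A real implant would fetch the page over HTTP(S); here the page body is a string
    so the example runs offline. Only the first token is honoured, as the page's
    author controls ordering.
    """
    match = TOKEN_RE.search(page_text)
    return decode_ip(match.group(0)) if match else None


def find_dead_drops(page_text: str) -> List[Tuple[str, str]]:
    """Defender side: list every (token, decoded IP) present in a page, for triage."""
    return [(m.group(0), decode_ip(m.group(0))) for m in TOKEN_RE.finditer(page_text)]


def sinkhole_page(page_text: str, sinkhole_ip: str) -> str:
    """Model of the takeover: replace every CnC token with one pointing at a sinkhole.

    After this, any implant that still resolves through the page beacons to the
    sinkhole instead of the attacker, which is what lets defenders enumerate victims.
    """
    return TOKEN_RE.sub(encode_ip(sinkhole_ip), page_text)


# Constructed sample profile page. The token encodes 203.0.113.7 (documentation range)
# with the hypothetical scheme above; it reads as noise inside an otherwise normal bio.
SAMPLE_PROFILE = """<html><body>
<h1>Profile: windows_fan_42</h1>
<div class="bio">Enthusiast of Windows internals and PowerShell.
Reach me at @DROP915a2b5d@END if you have questions about Hyper-V.</div>
</body></html>"""


if __name__ == "__main__":
    print("implant resolves:", resolve_from_page(SAMPLE_PROFILE))
    print("defender finds:", find_dead_drops(SAMPLE_PROFILE))
    taken_over = sinkhole_page(SAMPLE_PROFILE, "192.0.2.10")
    print("after sinkhole, implant resolves:", resolve_from_page(taken_over))
```

The two sides share one regex on purpose: a detection only works if it matches exactly what the implant looks for, which is why defenders need the marker strings and decoding routine from the sample rather than a generic IP pattern. Note that `find_dead_drops` will also match benign text that happens to fit the pattern, so a hit should be confirmed by decoding to a plausible, routable address before acting on it.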