FireEye Exposes Hackers Hiding Botnet Controls on Microsoft Site
A FireEye investigation reveals that the APT17 hacker group was hiding command and control for a botnet in the comment forums on Microsoft's TechNet site.One of the key tools used by IT security professionals to defend against botnets is blacklisting the suspected IP address of command and control (C2) nodes. But what happens when those nodes are being discovered through normally valid Website traffic? That's what security firm FireEye is reporting in a new study detailing the activities of the APT17 hacker group, which FireEye believes to be a nation-state threat actor operating from China. FireEye's investigation found that APT17 was embedding C2 information on the Microsoft TechNet site that was being retrieved from systems infected by Blackcoffee malware. "What was hardcoded in the Blackcoffee malware was the TechNet profile page to reach out to," Mike Oppenheim, intelligence operations manager for the Threat Intelligence Team at FireEye, told eWEEK. Oppenheim explained that the malware would look for a specific data string from which to pull the data. He noted that the string would be utilized by the Blackcoffee malware and the decoded value was a C2 IP address owned by the APT17 threat actors.
"What was encoded on the TechNet pages was an encoded string between the tag '@Micr0soft' and 'Corporation,'" Oppenheim said. "The string was encoded on the TechNet page, and to the normal eye you would see in plain sight the tags above and this garbled [encoded] string of characters, which was an encoded C2 IP address."