FireEye Exposes Hackers Hiding Botnet Controls on Microsoft Site

A FireEye investigation reveals that the APT17 hacker group was hiding command and control for a botnet in the comment forums on Microsoft's TechNet site.


One of the key tools used by IT security professionals to defend against botnets is blacklisting the suspected IP address of command and control (C2) nodes. But what happens when those nodes are being discovered through normally valid Website traffic? That's what security firm FireEye is reporting in a new study detailing the activities of the APT17 hacker group, which FireEye believes to be a nation-state threat actor operating from China.

FireEye's investigation found that APT17 was embedding C2 information on the Microsoft TechNet site that was being retrieved from systems infected by Blackcoffee malware.

"What was hardcoded in the Blackcoffee malware was the TechNet profile page to reach out to," Mike Oppenheim, intelligence operations manager for the Threat Intelligence Team at FireEye, told eWEEK.

Oppenheim explained that the malware would look for a specific data string from which to pull the data. He noted that the string would be utilized by the Blackcoffee malware and the decoded value was a C2 IP address owned by the APT17 threat actors.

"What was encoded on the TechNet pages was an encoded string between the tag '@Micr0soft' and 'Corporation,'" Oppenheim said. "The string was encoded on the TechNet page, and to the normal eye you would see in plain sight the tags above and this garbled [encoded] string of characters, which was an encoded C2 IP address."

FireEye tracks multiple threat groups out of China, including APT30, which it recently reported on as actively going after governments and journalists across Southeast Asia and India. FireEye has observed no relationship between APT17 and APT30, according to Oppenheim. He noted that APT17 has unique actions and techniques, tactics and procedures (TTPs) that are different from those utilized by the other groups.

FireEye first detected the Blackcoffee malware during an investigation at a victim network, Oppenheim said. Due to FireEye's sharing policies, Oppenheim said he couldn't reveal which victim network it was.

"However, FireEye observed this malware in use at multiple victim networks and decided to contact Microsoft to work with them to take down this Blackcoffee malware," he said.

Oppenheim added that the discovery is really a credit to the consultants from FireEye's Mandiant Services side and to the analysts working on the FireEye as a Service offering.

"They first identified and discovered this activity, and FireEye was able to deploy detection signatures to the product base," he said.

Defending against an attacker's ability to essentially hide in plain sight on a regular Website is a difficult challenge.

"Forum operators can attempt to conduct quality and control of the data placed on these forum pages," Oppenheim said. "However, to the general public it is difficult to identify a random string on your page as something being utilized for malicious purposes."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.