Chinese cyber-spies hid botnet controls in MS TechNet comments

Online spooks hide 'numbers station’ control node in plain sight


Cyber-spies are increasingly attempting to hide their command and control operations in plain sight by burying their command infrastructure in the forums of internet heavyweights, including Microsoft.

FireEye and Microsoft have successfully shut down the Chinese threat actor APT17’s use of the MSFT TechNet blog to hide their hacking operations. State-sponsored hackers were posting comments on TechNet in order to embed encoded commands that only their malware could use.

APT17, a China-based advanced persistent threat group, posted in forum threads and created profile pages to host encoded C2 IP addresses that would direct a variant of the BLACKCOFFEE backdoor to their C2 server. TechNet’s security was not compromised by this tactic, which could also work on other forums and boards.

Most threat actors choose to compromise or hijack easily manipulated websites to host command and control nodes, which is a very noisy tactic that allows for quick detection of their location. APT17’s tactics of embedding phone home instructions on Microsoft’s forums are more subtle, but not unprecedented in the wider field of botnet communications. For example, some zombie networks have previously made use of Twitter profiles as a communication channel. APT17 had been observed using popular search engines including Google and Bing to hide their activities and host locations from security researchers.

“This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organisations to detect and prevent advanced threats,” said Laura Galante, manager, threat intelligence, FireEye. “Given its effectiveness, we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world.”

APT17 predominantly targets US government entities, the defence industry, law firms, information technology companies, mining companies, and non-governmental organisations. FireEye reckons the group is sponsored by the Chinese government.

A summary of FireEye’s research into APT17 can be found in a blog post here, explaining in more depth in a white-paper (pdf). ®


Other stories you might like

  • The ‘substantial contributions’ Intel has promised to boost RISC-V adoption
    With the benefit of maybe revitalizing the x86 giant’s foundry business

    Analysis Here's something that would have seemed outlandish only a few years ago: to help fuel Intel's future growth, the x86 giant has vowed to do what it can to make the open-source RISC-V ISA worthy of widespread adoption.

    In a presentation, an Intel representative shared some details of how the chipmaker plans to contribute to RISC-V as part of its bet that the instruction set architecture will fuel growth for its revitalized contract chip manufacturing business.

    While Intel invested in RISC-V chip designer SiFive in 2018, the semiconductor titan's intentions with RISC-V evolved last year when it revealed that the contract manufacturing business key to its comeback, Intel Foundry Services, would be willing to make chips compatible with x86, Arm, and RISC-V ISAs. The chipmaker then announced in February it joined RISC-V International, the ISA's governing body, and launched a $1 billion innovation fund that will support chip designers, including those making RISC-V components.

    Continue reading
  • FBI warns of North Korean cyberspies posing as foreign IT workers
    Looking for tech talent? Kim Jong-un's friendly freelancers, at your service

    Pay close attention to that resume before offering that work contract.

    The FBI, in a joint advisory with the US government Departments of State and Treasury, has warned that North Korea's cyberspies are posing as non-North-Korean IT workers to bag Western jobs to advance Kim Jong-un's nefarious pursuits.

    In guidance [PDF] issued this week, the Feds warned that these techies often use fake IDs and other documents to pose as non-North-Korean nationals to gain freelance employment in North America, Europe, and east Asia. Additionally, North Korean IT workers may accept foreign contracts and then outsource those projects to non-North-Korean folks.

    Continue reading
  • Elon Musk says Twitter buy 'cannot move forward' until spam stats spat settled
    A stunning surprise to no one in this Solar System

    Elon Musk said his bid to acquire and privatize Twitter "cannot move forward" until the social network proves its claim that fake bot accounts make up less than five per cent of all users.

    The world's richest meme lord formally launched efforts to take over Twitter last month after buying a 9.2 per cent stake in the biz. He declined an offer to join the board of directors, only to return asking if he could buy the social media platform outright at $54.20 per share. Twitter's board resisted Musk's plans at first, installing a "poison pill" to hamper a hostile takeover before accepting the deal, worth over $44 billion.

    But then it appears Musk spotted something in Twitter's latest filing to America's financial watchdog, the SEC. The paperwork asserted that "fewer than five percent" of Twitter's monetizable daily active users (mDAUs) in the first quarter of 2022 were fake or spammer accounts, which Musk objected to: he felt that figure should be a lot higher. He had earlier proclaimed that ridding Twitter of spam bots was a priority for him, post-takeover.

    Continue reading

Biting the hand that feeds IT © 1998–2022