FireEye Threat Intelligence and the Microsoft Threat Intelligence Center investigated a new command-and-control (C2) obfuscation tactic that had been used on Microsoft TechNet, a web portal for IT professionals. FireEye has determined that APT17, a China-based advanced persistent threat group, posted in forum threads and created profile pages to host encoded C2 IP addresses that would direct a variant of the BLACKCOFFEE backdoor to their C2 server. TechNet’s security was not compromised in this tactic, which could work on other forums and boards as well.
APT17 has a history of targeting US government entities, international nongovernment organizations, and private companies from around the world, including in those in the defense industry, law firms, information technology companies, and mining companies. The group has also been one of the few, but growing number of, groups to use popular websites for their legitimate purposes in order to encode their C2 communications. Previously, APT17 had been observed using the popular search engines Google and Bing to obfuscate their activities and host locations from security professionals.
“This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organizations to detect and prevent advanced threats,” said Laura Galante, Manager, Threat Intelligence, FireEye. “Given its effectiveness, we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world. However, by working closely with companies like Microsoft and targeted organizations to develop threat intelligence, we can assist security professionals and disrupt these activities.”