Chinese hacking group APT17, also known as DeputyDog, has been using Microsoft's TechNet website as a command and control relay for attacks on other targets
FireEye researchers have uncovered a major Chinese hacking operation that abused Microsoft's TechNet website. The group, tracked by FireEye as APT17 and also known as DeputyDog, did not plant malware on TechNet itself; instead it used ordinary TechNet accounts to post encoded command and control (C&C) server addresses that its malware later read back. The researchers found the C&C obfuscation technique adopted by the threat actors particularly interesting.
The hackers used the TechNet web portal as a dead drop for the IP addresses of their C&C servers. Each address was encoded, and the encoded string was placed in profile pages and forum posts between the marker strings “@MICROSOFT” and “Corporation”, which the malware searches for in order to locate the value.
Microsoft, after being notified by FireEye about the APT activity, removed the attacker-controlled profiles and posts. There was no TechNet vulnerability to patch: the attackers only used the site's normal account and posting features, which is exactly why the traffic blended in.
The group, which FireEye has dubbed APT17, is well known for attacks against defense contractors, law firms, U.S. government agencies, and technology and mining companies.
Microsoft TechNet hosts technical documentation for Microsoft products and is a very popular website with a large question-and-answer forum about Microsoft technologies.
The hackers created various accounts on TechNet and then left comments on certain pages and filled in profile fields. These comments contained the encoded address of the C&C server that computers infected by APT17's malware were instructed to contact for tasking. Because the implant carries no C&C address of its own and its first outbound connection goes to a trusted Microsoft domain, the technique delayed detection of the malicious activity and the discovery of the C&C server's IP address.
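To make the mechanism concrete, here is an added example (not FireEye's analysis code and not BLACKCOFFEE itself) that models both halves of the dead drop: the implant side that pulls a profile page, locates the text between the two marker strings reported in the article, and decodes it into an IP address, and the defender side that correlates proxy logs to find hosts which fetched a TechNet page and then connected to a decoded C&C address. The marker strings are the ones the article names; the encoding between them (each IPv4 octet XORed with a constant, then hex-encoded) is a hypothetical stand-in chosen for illustration, not the scheme the real malware used. The profile page and proxy log lines are constructed sample data.

```python
"""Dead-drop C2 resolution and its detection, modelled on the TechNet case.

Added example, not FireEye's or APT17's code. The marker strings are the ones
the article reports; the encoding used between them (each IPv4 octet XORed
with a constant, hex-encoded) is a HYPOTHETICAL stand-in, not the scheme
BLACKCOFFEE actually used. The page and log lines below are constructed data.
"""
import re
import ipaddress
from datetime import datetime, timedelta

OPEN_TAG, CLOSE_TAG = "@MICROSOFT", "Corporation"   # markers named in the article
XOR_KEY = 0x5A                                       # hypothetical obfuscation key


def encode_ip(ip: str) -> str:
    """Attacker side: turn an IPv4 address into the blob posted between the tags."""
    return "".join(f"{b ^ XOR_KEY:02x}" for b in ipaddress.IPv4Address(ip).packed)


def decode_ip(blob: str) -> str:
    """Reverse of encode_ip; raises ValueError on anything that is not a blob."""
    if not re.fullmatch(r"[0-9a-f]{8}", blob):
        raise ValueError("not an encoded IPv4 address")
    raw = bytes(int(blob[i:i + 2], 16) ^ XOR_KEY for i in range(0, 8, 2))
    return str(ipaddress.IPv4Address(raw))


# Non-greedy so that an innocent "@MICROSOFT ... Corporation" pair on the same
# page cannot swallow the real blob that follows it.
MARKER_RE = re.compile(re.escape(OPEN_TAG) + r"\s*(.*?)\s*" + re.escape(CLOSE_TAG), re.S)


def resolve_c2(page_html: str) -> list[str]:
    """What the implant does: scan a fetched page for the tags and decode the C2 IP."""
    ips = []
    for blob in MARKER_RE.findall(page_html):
        try:
            ips.append(decode_ip(blob))
        except ValueError:
            continue  # ordinary text happened to sit between the two markers
    return ips


# Constructed proxy log format: "<iso timestamp> <host> <GET|CONNECT> <target>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|CONNECT) (\S+)$")


def find_dead_drop_beacons(log_lines, c2_ips, window=timedelta(minutes=5)):
    """Defender side: hosts that fetched a TechNet page and, within `window`,
    connected to one of the decoded C2 IPs. Returns a list of (host, ip)."""
    last_fetch = {}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, host, verb, target = m.groups()
        when = datetime.fromisoformat(ts)
        if verb == "GET" and "technet.microsoft.com" in target:
            last_fetch[host] = when
        elif verb == "CONNECT":
            dst = target.rsplit(":", 1)[0]
            seen = last_fetch.get(host)
            if dst in c2_ips and seen is not None and when - seen <= window:
                hits.append((host, dst))
    return hits


# Constructed sample data (not real TechNet content or real proxy logs).
SAMPLE_PAGE = f"""
<div class="bio">I think {OPEN_TAG} is a fine {CLOSE_TAG}, ask me anything.</div>
<div class="post">Re: WSUS sync errors. {OPEN_TAG} {encode_ip('203.0.113.7')} {CLOSE_TAG}</div>
<div class="post">Thanks, that fixed it.</div>
"""

SAMPLE_LOG = [
    "2015-05-14T10:01:02 ws-17 GET https://social.technet.microsoft.com/profile/somebody/",
    "2015-05-14T10:01:05 ws-17 CONNECT 203.0.113.7:443",
    "2015-05-14T10:03:00 ws-22 GET https://social.technet.microsoft.com/Forums/",
    "2015-05-14T10:03:01 ws-22 CONNECT 198.51.100.9:443",   # not a decoded C2
    "2015-05-14T11:30:00 ws-31 CONNECT 203.0.113.7:443",    # no prior TechNet fetch
]

if __name__ == "__main__":
    c2 = resolve_c2(SAMPLE_PAGE)
    print("decoded C2 addresses:", c2)
    print("suspected beacons:", find_dead_drop_beacons(SAMPLE_LOG, set(c2)))
```

The point of the first half is that nothing on the TechNet page looks like an address, so a string-based scan of the binary or the page yields no IP; the point of the second half is that the fetch itself is the observable, and a short time window between a TechNet page view and a connection to an IP recovered from that page is a signal that ordinary allow-listing of microsoft.com traffic would miss.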
The FireEye researchers found that the hackers used a malware family called BLACKCOFFEE. BLACKCOFFEE lets its operators perform several operations on the victim's machine, such as uploading and downloading files, creating a reverse shell, manipulating files, and killing processes.
In some BLACKCOFFEE samples the C&C address is hard-coded in the binary instead, which makes connecting simpler for the malware but also makes the address easy for analysts to extract and block. That exposure is exactly what the TechNet dead drop avoids.
FireEye has published indicators of compromise (IOCs) for the campaign on GitHub.