FireEye,The leader in stopping today's advanced cyber attacks, released the new Intelligence Report “Hiding in Plain Sight: FireEye Exposes Chinese APT Obfuscation Tactic.” FireEye Threat scontrol (C2) obfuscation tactic that had been used on Microsoft TechNet, a web portal for IT professionals. FireEye has determined that APT17, a China-based advanced persistent threat group, posted in forum threads and created profile pages to host encoded C2 IP addresses that would direct a variant of the BLACKCOFFEE backdoor to their C2 server. TechNet’s security was not compromised in this tactic, which could work on other forums and boards as well.
APT17 has a history of targeting US government entities, international nongovernment organizations, and private companies from around the world, including those in the defense industry, law firms, information technology companies, and mining companies. The group has also been one of the few, but growing number of groups, to use popular websites for their legitimate purposes in order to encode their C2 communications. Previously, APT17 had been observed using the popular search engines Google and Bing to obfuscate their activities and host locations from security professionals.
“This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organizations to detect and prevent advanced threats,” said Laura Galante, Manager, Threat Intelligence, FireEye. “Given its effectiveness, we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world. However, by working closely with companies like Microsoft and targeted organizations to develop threat intelligence, we can assist security professionals and disrupt these activities.”