Sophisticated evasion techniques adopted in the Op Poisoned Hurricane

Pierluigi Paganini August 11, 2014

Researchers at FireEye have uncovered a new campaign dubbed Poisoned Hurricane characterized by the use of some clever techniques to avoid being detected.

Security experts at FireEye revealed that several Internet infrastructure service providers in the United States and Asia, a financial institution, a government organization located in Asia and a US-based media company suffered targeted cyber attack.

The hacking campaign, dubbed Poisoned Hurricane, was detected for the first time in March 2014, when experts at FireEye detected a PlugX (Kaba) variant that connected to legitimate domains and IP addresses. The instances analyzed by the experts were able to connect to domains such as, and

The attackers used the consolidated tactict to digitally sign of the malicious code with a legitimate certificate, they used a digital certificate from the Police Mutual Aid Association and signed another sample with an expired digital certificate from a company called MOCOMSYS, Inc.

The attackers behind the Poisoned Hurricane campaign used several popular legitimate domains, of course they were re-routing traffic destined for these domains from specific victims.

PlugX malware used in the Poisoned Hurricane campaign was configured to resolve DNS lookups through the nameservers of a company called Hurricane Electric.

Only visitors of the hijacked domains having their PC infected with these PlugX variants were victim of the attack, the researchers at FireEye have identified a total of 21 legitimate domains hijacked by bad actors.

As explained by the expert, anyone can sign up for a free account with the company’s hosted DNS service, which allows users to register a zone and create A records for it, and the A record created can be pointed at any IP address allowing to hijack legitimate domains.

“This sample was configured to resolve DNS lookups via Hurricane Electric’s nameservers of,, and ” “we found that anyone could register for a free account with Hurricane Electric’s hosted DNS service. Via this service, anyone with an account was able to register a zone and create A records for the registered zone and point those A records to any IP address they so desired. The dangerous aspect of this service is that anyone was able to hijack legitimate domains such as Although these nameservers are not recursors and were not designed to be queried directly by end users, they were returning results if queried directly for domains that were configured via Hurricane Electrics public DNS service. Furthermore, Hurricane Electric did not check if zones created by their users were already been registered or are otherwise legitimately owned by other parties.” reports the blog post published by FireEye. 

In time I’m writing, Hurricane Electric was no longer returning answers for these hijacked domains. The analysis conducted on the domains used by bad actors allowed to FireEye to identify the APT that in a parallel operation used Google Code to obfuscate the location of C&C servers.

Poisoned Hurricane domains APT

“While none of these techniques are necessarily new, in combination, they are certainly both creative and have been observed to be effective. Although the resultant C2 traffic can be successfully detected and tracked, the fact that the malware appears to beacon to legitimate domains may lull defenders into a false sense of security,” FireEye researchers added.

These parallel campaigns demonstrate that APT are very active and are specializing their effort to improve evasion capabilities, in the Poisoned Hurricane the attacker shown the knowledge of the following evasion techniques:

    • The use of legitimate digital certificates to sign malware
    • The use of Hurricane Electrics public DNS resolvers to redirect command and control traffic
    • The use of Google Code to obfuscate the location of command and control servers

Pierluigi Paganini

(Security Affairs –  ARP, Poisoned Hurricane)  

you might also like

leave a comment