Chinese APT17 exploits Microsoft’s TechNet Portal to Host C&C IPs

The Chinese threat actor known as APT17 and DeputyDog has been using profile pages and forum threads on Microsoft’s TechNet web portal to host IP addresses for command and control (C&C) servers.

Security experts at FireEye and the colleagues at Microsoft Threat Intelligence Center have published a report on the activities of the Chinese group dubbed APT17. The experts found interesting the C&C obfuscation techniques adopted by the threat actors.

Hackers belonging to the APT17 are using the legitimate Microsoft’s TechNet web portal to host IP addresses for command and control (C&C) servers. The IP addresses for C&C servers are encoded by attackers, the encoded string is found in profiles and posts limited with the “@MICROSOFT” and “CORPORATION” tags.

The Chinese APT17 has been targeting United States government organizations, the military, NGOs, defense contractors, law firms, IT firms, and mining companies. One of the tools leveraged by the group is BLACKCOFFEE, a backdoor that can be used to upload and download files, create a reverse shell on the infected system, enumerate files and processes, manipulate files, and terminate processes.

The technique implemented by the attackers allows them to delay detection of malicious activities and the discovery of the C&C server’s IP address.

“After discovering the BLACKCOFFEE activity, the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes,” states the report. 

The researchers involved in the investigation who analyzed the hacking tools used by the threat actors noticed the use of the BLACKCOFFEE backdoor, which could be used by attackers to perform several operations on the victim’s machine such as upload/download files, create a reverse shell, manipulate files, and kill processes.

The malware has been used since 2013 by the APT17 and researchers noticed that the C&C servers corresponding to the IP addresses on the Microsoft’s TechNet web portal are now controlling the malicious code.

The strain of BLACKCOFFEE backdoor detected by FireEye contains URLs that point to TechNet forum threads or biography sections in profiles created by the threat actors.

Once the malicious agent obtains the IP address of the C&C is obtained, the malware starts communicating with the server to receive commands and send back the exfiltrated data. The technique allows APT17 operators to improve resilience of the botnet to attacks of law enforcement, even if the C&C changes it is sufficient that malware load the new C&C list hosted on the Microsoft portal.

“If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines,” the companies explained in the report.

FireEye has published the Indicators of compromise on Github.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – APT17, cyber espionage)

[adrotate banner=”13″]