Hiding in Plain Sight: FireEye and Microsoft Expose Chinese APT Group’s Obfuscation Tactic

In late 2014, FireEye Threat Intelligence and the Microsoft Threat Intelligence Center discovered a Command-and-Control (CnC) obfuscation tactic on Microsoft’s TechNet web portal—a valuable web resource for IT professionals.

The threat group took advantage of the ability to create profiles and post in forums to embed encoded CnC for use with a variant of the malware BLACKCOFFEE. This technique can make it difficult for network security professionals to determine the true location of the CnC, and allow the CnC infrastructure to remain active for a longer period of time. TechNet’s security was in no way compromised by this tactic.

FireEye assesses that APT17, a China-based advanced persistent threat commonly called Deputy Dog, is behind the attempt, as they have employed BLACKCOFFEE since 2013. Additionally, FireEye judges that APT17 has conducted network intrusions against a variety of targets, including the U.S. government, and international law firms and information technology companies. Today, FireEye released Indicators of Compromise (IOCs) for BLACKCOFFEE and Microsoft released signatures for its anti-malware products.

By injecting encoded data onto some of the TechNet pages, the FireEye-Microsoft team was able to gain insight into the malware and the victims. This information will help them work with the anti-virus community to generate signatures to identify and clean systems affected by BLACKCOFFEE, and alert other forum and message board managers to be on the lookout for this technique. Though the security community has not yet broadly discussed this technique, FireEye has observed other threat groups adopting these measures and expects this trend to continue on other community sites.

Collaboration in cyber threat intelligence can mobilize network security researchers and drive innovative solutions. FireEye Threat Intelligence and the Microsoft Threat Intelligence Center will continue to look for ways to work together to protect users.

Indicators of Compromise

Indicators of compromise are available on GitHub at: https://github.com/fireeye/iocs.

Read the full report.