FireEye Exposes APT Actor’s Unique Obfuscation Tactic
APT17 Encoded Command-and-Control Communications on Profiles and Forums of IT Professional Community
MILPITAS, Calif. – May 14, 2015 – FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, released the new Intelligence Report “Hiding in Plain Sight: FireEye Exposes Chinese APT Obfuscation Tactic.” FireEye Threat Intelligence and the Microsoft Threat Intelligence Center investigated a new command-and-control (CnC) obfuscation tactic that had been used on Microsoft TechNet, a web portal for IT professionals. FireEye has determined that APT17, a China-based advanced persistent threat group, posted in forum threads and created profile pages to host encoded CnC IP addresses that would direct a variant of the BLACKCOFFEE backdoor to their CnC server. TechNet’s security was not compromised in this tactic, which could work on other forums and boards as well.
APT17 has a history of targeting US government entities, international nongovernment organizations, and private companies from around the world, including in those in the defense industry, law firms, information technology companies, and mining companies. The group has also been one of the few, but growing number of, groups to use popular websites for their legitimate purposes in order to encode their CnC communications. Previously, APT17 had been observed using the popular search engines Google and Bing to obfuscate their activities and host locations from security professionals.
“This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organizations to detect and prevent advanced threats,” said Laura Galante, Manager, Threat Intelligence, FireEye. “Given its effectiveness, we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world. However, by working closely with companies like Microsoft and targeted organizations to develop threat intelligence, we can assist security professionals and disrupt these activities.”
To learn more about APT17 and their latest operations, please view the full report here.
For businesses and security practitioners, FireEye released Indicators of Compromise (IOCs) for BLACKCOFFEE at: https://github.com/fireeye/iocs. Microsoft has released signatures for its anti-malware products.
About FireEye, Inc.
FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 3,400 customers across 67 countries, including more than 250 of the Fortune 500.
© 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. in the United States and other countries.
Vitor De Souza