The so-called Deputy Dog APT group has surfaced again with a means of keeping its command and control servers under wraps that involves Microsoft’s TechNet online resources.
New research published last week by Microsoft and FireEye revealed targeted attacks against organizations in which Chinese attackers created phony profiles on TechNet, the Microsoft-owned IT resource, and embedded in those profiles encoded command and control information used by a variant of the BlackCoffee remote access Trojan.
The use of TechNet is a formidable evasion technique since most signature-based defenses wouldn’t consider such a widely used resource a threat.
In conjunction with the discovery, researchers at RSA Security today released to the public a Python script that decodes the embedded values on a TechNet page and reveals command and control information.
RSA researchers Brian Baskin and Jared Myers said the malware, which they call PNGRAT, was found on two customer networks. They explain that the malware contains a hardcoded URL to the attacker-created TechNet profile page. The malicious code connects to TechNet and decodes the message buried in a string between the marker strings @MICRO0S0FT and C0RP0RATI0N. Doing so reveals an IP address where further command and control connections await, RSA said.
“It’s not an overly complicated encoding scheme; looking at the malware, it took us about 15 minutes to figure out the encoding,” Myers said. “It uses two characters for every octet of the IP address. It does simple math on each character, adds it up and it ends up resolving the value, which is one octet of the IP address.”
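The article gives the two marker strings and the two-characters-per-octet layout but not the exact arithmetic, so the decoder below is an added example rather than RSA's released script: it assumes a hypothetical mapping in which each character carries the value ord(c) - ord('A') and an octet is 16 times the first value plus the second. The page content and the encoded string are constructed; the marker strings are the ones quoted in the write-up.

```python
import re
from typing import Callable, Optional

# Marker strings as reported by RSA (zeros stand in for the letter O).
START_MARKER = "@MICRO0S0FT"
END_MARKER = "C0RP0RATI0N"


# ASSUMPTION (not from the article): 'A'..'P' carry the values 0..15 and
# an octet is 16 * value(first char) + value(second char). Replace this
# with the real per-character arithmetic once recovered from a sample.
def char_value(c: str) -> int:
    v = ord(c) - ord("A")
    if not 0 <= v <= 15:
        raise ValueError(f"character {c!r} outside assumed alphabet A-P")
    return v


def extract_payload(page_text: str) -> Optional[str]:
    """Return the text wedged between the two markers, or None if absent."""
    pattern = re.escape(START_MARKER) + r"(.*?)" + re.escape(END_MARKER)
    match = re.search(pattern, page_text, re.DOTALL)
    return match.group(1).strip() if match else None


def decode_ip(payload: str, value: Callable[[str], int] = char_value) -> str:
    """Turn an 8-character payload (two characters per octet) into dotted-quad form."""
    if len(payload) != 8:
        raise ValueError(f"expected 8 characters (2 per octet), got {len(payload)}")
    octets = []
    for i in range(0, 8, 2):
        octet = 16 * value(payload[i]) + value(payload[i + 1])
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {octet}")
        octets.append(str(octet))
    return ".".join(octets)


def find_c2(page_text: str) -> Optional[str]:
    """Defender view: given a fetched profile page, return the hidden C2 IP or None."""
    payload = extract_payload(page_text)
    return decode_ip(payload) if payload is not None else None


# Constructed sample resembling a profile bio; the encoded string is made up
# and decodes to an address in the 203.0.113.0/24 documentation range.
SAMPLE_PAGE = """<div class="bio">Systems administrator, PowerShell enthusiast.
@MICRO0S0FT MLAAHBAF C0RP0RATI0N
Contact me for scripts.</div>"""

if __name__ == "__main__":
    print(find_c2(SAMPLE_PAGE))  # → 203.0.113.5
```

Running extract_payload alone over captured page bodies from a web proxy is a usable marker check even without the decoder, since the marker pair itself is the indicator.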
The PNGRAT variant, RSA said, contains a bit of additional functionality, including some features generally confined to crimeware rather than malware used in targeted attacks. Using TechNet to store command and control information is a time-tested tactic as attackers continue to focus on evading detection and keeping C&C servers up and running for longer periods of time.
“That’s the problem with this aspect of the attack; TechNet is popular and would not be blocked,” Baskin said. “We’ve seen that same style of attack used before with Gmail and other public websites. Tomorrow, or the week after, or the month after, they could be using this same routine on an Amazon page or any other trusted website out there.”
FireEye attributes the attack to DeputyDog, also known as APT17, which has used the BlackCoffee malware for two years. Its targets in the past have included government agencies, international law enforcement firms and technology companies. DeputyDog hit media targets in Japan in late 2013 with a rash of malware exploiting a zero-day vulnerability in Internet Explorer. Exploits were disguised as image files and, once executed, connected to command and control servers and sent stolen data back to the attackers.
RSA refused to provide any details on the two compromised organizations it investigated.
“I would say [the attackers’] mission somewhat successful,” Baskin said. “They were not in the environment as long as they wanted to be, but they were able to get data out.”