Chinese APT Syndicate Abuse Microsoft’s Portal

An APT syndicate from China is believed to have exploited the TechNet website of Microsoft so the syndicate could conceal its BLACKCOFFEE malware's CnC (command-and-control) server IP addresses while using the malware for online spying, published softpedia.com dated May 14, 2015.

In a technique called "dead drop resolver," the cyber-criminals publish the IP codes onto the portal, comments alternatively profile pages through various threads by encrypting the codes that the malware would later access following the target system's compromise.

Software Company Microsoft and Security Company FireEye examined this tactic via blocking access to the pages in which were published the IP addresses after which they sinkholed one page for acquiring details about BLACKCOFFEE's latest malicious activity.

The Chinese syndicate in discussion is named APT17 along with another name DeputyDog. This group has been wielding various variants of BLACKCOFFEE an act being watched over since 2013.

The BLACKCOFFEE, when loaded onto a PC, provides the hackers multiple abilities. It enables downloading and uploading documents; elaborating different processes and files; opening reverse shells; deleting, moving and renaming files; introducing fresh backdoor commands; and disabling processes.

As per FireEye, APT17 has been attacking USA's government organizations along with global NGOs (non-governmental organizations) as well as private firms, especially within the defense sector, mining companies, IT (information technology) firms and law companies.

Groups that are small yet increasing in number typically co-opt popular websites' legal functions with an aim to code in their CnC interactions. Earlier, APT17 exploited Bing and Google for disguising its servers and operations.

Global Information Security Researcher Bill Hagestad II who has also written many books on Internet warfare by China observes that the TechNet ruse by APT17 shows Chinese hackers' tactical change. Technewsworld.com reported this, May 15, 2015.

Hagestad adds that the hackers are moving towards being offensive from being defensive. They are also utilizing 'information sharing' methods against people surfing on the Web.

Hagestad explains how people in western countries share information presuming that's helping others. This is being seen as an opportunity among the Chinese to utilize the rules related to 'exchanging technical information' in opposition to other Web-surfers.

» SPAMfighter News - 5/22/2015