
Hiding in Plain Sight: FireEye and Microsoft Expose Chinese APT Group’s Obfuscation Tactic

2015-05-16 03:25

In late 2014, FireEye Threat Intelligence and the Microsoft Threat Intelligence Center discovered a Command-and-Control (CnC) obfuscation tactic on Microsoft’s TechNet web portal—a valuable web resource for IT professionals.

The threat group took advantage of the ability to create profiles and post in forums to embed encoded CnC information for use with a variant of the BLACKCOFFEE malware. Because the implant's first hop is a request to a legitimate, high-reputation site, and because the operators can repoint the implants simply by editing the posted value, this technique can make it difficult for network security professionals to determine the true location of the CnC, and allows the CnC infrastructure to remain active for a longer period of time. TechNet's security was in no way compromised by this tactic.

FireEye assesses that APT17, a China-based advanced persistent threat commonly called Deputy Dog, is behind the attempt, as they have employed BLACKCOFFEE since 2013. Additionally, FireEye judges that APT17 has conducted network intrusions against a variety of targets, including the U.S. government, and international law firms and information technology companies. Today, FireEye released Indicators of Compromise (IOCs) for BLACKCOFFEE and Microsoft released signatures for its anti-malware products.

By injecting encoded data onto some of the TechNet pages, the FireEye-Microsoft team was able to gain insight into the malware and the victims. This information will help them work with the anti-virus community to generate signatures to identify and clean systems affected by BLACKCOFFEE and alert other forum and message board managers to be on the lookout for this technique. Though the security community has not yet broadly discussed this technique, FireEye has observed other threat groups adopting these measures and expects this trend to continue on other community sites.
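The two sides of the "dead drop" pattern described above, as an added example that is not part of the original post and not BLACKCOFFEE's code: the implant-side resolver that fetches a public page and decodes the CnC address from it, and the moderator-side scanner that a forum operator could run over profile and post text to spot such blobs. The markers (`@@cfg:` / `:cfg@@`), the single-byte XOR key and the base64 wrapping are hypothetical and chosen only for illustration; the page does not describe the real BLACKCOFFEE encoding, and nothing here is taken from it. The sample profile text is constructed.

```python
import base64
import ipaddress
import re

# Hypothetical markers and single-byte XOR key used only for this illustration.
# They are NOT the markers or encoding BLACKCOFFEE used; the page does not
# describe that scheme and nothing here is taken from the malware.
START_MARKER = "@@cfg:"
END_MARKER = ":cfg@@"
XOR_KEY = 0x5A

# Shape the decoded payload must have: dotted-quad IPv4, a colon, a port.
_ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def encode_c2(host: str, port: int, key: int = XOR_KEY) -> str:
    """Operator side: turn host:port into a marker-bracketed blob that can be
    pasted into a forum signature or profile field."""
    raw = f"{host}:{port}".encode("ascii")
    xored = bytes(b ^ key for b in raw)
    return START_MARKER + base64.b64encode(xored).decode("ascii") + END_MARKER


def decode_blob(blob: str, key: int):
    """Try to turn a base64 blob back into (host, port); None if it does not
    decode cleanly to a well-formed IPv4 endpoint."""
    try:
        xored = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = bytes(b ^ key for b in xored).decode("ascii")
    except UnicodeDecodeError:
        return None
    m = _ENDPOINT_RE.match(text)
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return host, port


def resolve_c2(page_text: str, key: int = XOR_KEY):
    """Implant side: the malware knows the markers and the key, so it fetches
    the public page and takes the first blob that decodes to an endpoint."""
    pattern = re.escape(START_MARKER) + r"([A-Za-z0-9+/=]+)" + re.escape(END_MARKER)
    for m in re.finditer(pattern, page_text):
        endpoint = decode_blob(m.group(1), key)
        if endpoint:
            return endpoint
    return None


_B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def find_dead_drops(page_text: str):
    """Moderator side: the markers are unknown, so scan every base64-looking run
    in the text and brute-force the 256 single-byte keys. Anything that decodes
    to a well-formed IPv4:port is suspicious enough to review by hand. The key
    space is only this small because the toy encoding is single-byte XOR."""
    hits = []
    for m in _B64_RUN_RE.finditer(page_text):
        blob = m.group(0)
        for key in range(256):
            endpoint = decode_blob(blob, key)
            if endpoint:
                hits.append({"offset": m.start(), "blob": blob, "key": key,
                             "host": endpoint[0], "port": endpoint[1]})
                break  # one plausible decoding per blob is enough to flag it
    return hits


# Constructed sample: a harmless-looking profile field with the blob pasted in.
SAMPLE_PROFILE = (
    "Senior sysadmin, Redmond. Ask me about patch Tuesday.\n"
    "Signature: " + encode_c2("203.0.113.5", 443) + "\n"
)

if __name__ == "__main__":
    print("implant resolves:", resolve_c2(SAMPLE_PROFILE))
    for hit in find_dead_drops(SAMPLE_PROFILE):
        print(f"flag offset={hit['offset']} key=0x{hit['key']:02x} "
              f"-> {hit['host']}:{hit['port']}")
```

The scanner deliberately does not depend on knowing the markers: a real operator would pick markers that look like ordinary text, so the useful signal for a forum moderator is "a base64-looking token in a free-text field that decodes, under a cheap transformation, to a network endpoint". A stronger encoding than single-byte XOR defeats this particular brute force, which is why the network-side indicators FireEye published remain the more reliable detection.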

Collaboration in cyber threat intelligence can mobilize network security researchers and drive innovative solutions. FireEye Threat Intelligence and the Microsoft Threat Intelligence Center will continue to look for ways to work together to protect users.

Indicators of Compromise

Indicators of compromise are available on Github at: https://github.com/fireeye/iocs.

Read the full report.  


Source: www.sec-un.org/hiding-in-plain-sight-fireeye-and-microsoft-expose-chinese-apt-groups-obfuscation-tactic.html

