FireEye has just released an interesting report on the obfuscation techniques used by China-based APT “Deputy Dog”. The FireEye TI (Threat Intelligence) team reportedly found suspicious activity on Microsoft’s TechNet site, early last year, which appeared to have been related to the BLACKCOFEE malware, a malware supposedly employed by the same group in China.

In late 2014, FireEye Threat Intelligence and the Microsoft Threat Intelligence Center discovered a new Command-and-Control (CnC) obfuscation tactic on Microsoft’s TechNet web portal—a valuable web resource for IT professionals.

The threat group took advantage of the ability to create profiles and post in forums to post encoded C2 for use with a variant of the malware BLACKCOFFEE. This technique can make it difficult for network security professionals to determine the true location of the CnC, and allow the CnC infrastructure to remain active for a longer period of time. TechNet’s security was in no way compromised by this tactic.

Here is a representation of the technique by the FireEye team:

Screen Shot 2015-05-14 at 9.00.09 pm

This is a really smart way of fetching and using the C&C IP address, by the attacker, and detecting this communication is going to be a bit tricky and interesting, and so the adversaries will use these obfuscation techniques more often.

The FireEye team has also shared the Indicators of compromise for this, on Github, which will come in very handy to tune our detection rules.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s