APT17 is a China-based threat actor group (also known as Deputy Dog) assessed to be sponsored by the Chinese Ministry of State Security. APT17 has conducted network intrusions against U.S. government entities and private industry, targeting sectors that include mining, legal services, information technology, and defense, among others.
APT17 has been reported to have used Microsoft’s TechNet site as part of its command-and-control (CnC) infrastructure. Rather than compromising TechNet itself, the threat actors created bogus profiles and posted an encoded CnC address in profile pages and forum threads. The goal was to blend in with legitimate traffic and make detection less likely. This tactic is often called “hiding in plain sight.”
Other threat groups likewise use legitimate websites to host CnC addresses. In APT17’s case, the encoded CnC IP address for the BLACKCOFFEE malware was embedded in valid Microsoft TechNet profile pages and forum threads. Threat researchers refer to this method as a dead drop resolver.
With a dead drop resolver, threat actors post content on a specific web service containing an obfuscated IP address or domain. Once infected, a victim host fetches that page, decodes the real CnC address, and only then connects to it. Until that point the implant’s only network activity is a request to a well-known, reputable site, which looks benign to most network monitoring, and the operators can redirect every implant simply by editing the post rather than by updating the malware. Encoding the address also makes it much more difficult for threat researchers to determine the actual CnC address from the page content alone.
BLACKCOFFEE’s functionality is quite diverse: it supports a variety of file and process operations, can create a reverse shell, and has been extended over time with new backdoor commands. APT17 has been using this dead drop technique to camouflage its CnC communications since approximately 2013.
Once again, let’s be clear about what the threat actors are trying to accomplish. First, they use well-known websites to host encoded CnC IP addresses. Then they post legitimate-looking forum threads and responses, create profile pages, and so on. Within that content, APT17 embeds a string that the malware decodes to find and communicate with the real but obfuscated CnC IP address. This additional camouflage puts another layer between APT17 and the security researchers hunting them down.
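The following is an added example, not BLACKCOFFEE code, that models the dead drop resolver flow described above end to end: the operator side that produces the encoded token dropped into a profile page, the implant side that fetches a page and recovers the real CnC endpoint, and the defender side that sweeps crawled forum content for the same marker pair once it is known from malware analysis. The marker strings, the XOR-plus-base32 encoding, and the sample page are all hypothetical; BLACKCOFFEE used its own tag pair and its own custom decoding routine, neither of which is reproduced here.

```python
"""Dead drop resolver modelled end to end (added example, not BLACKCOFFEE code)."""
import base64
import ipaddress
import re
from typing import List, Optional, Tuple

# Hypothetical marker pair and encoding key. Real implants use their own values;
# these exist only so the example runs.
OPEN_TAG = "@@TN-BEGIN@@"
CLOSE_TAG = "@@TN-END@@"
XOR_KEY = 0x5A


def encode_c2(host: str, port: int) -> str:
    """Operator side: mask 'host:port' and render it as a base32 token with the
    padding stripped, so it survives forum formatting and looks like an ordinary ID."""
    raw = f"{host}:{port}".encode()
    masked = bytes(b ^ XOR_KEY for b in raw)
    return base64.b32encode(masked).decode().rstrip("=")


def decode_c2(token: str) -> Tuple[str, int]:
    """Reverse encode_c2. Raises ValueError unless the token yields a valid IPv4:port."""
    padded = token + "=" * (-len(token) % 8)          # restore base32 padding
    masked = base64.b32decode(padded)                  # binascii.Error is a ValueError
    host, port = bytes(b ^ XOR_KEY for b in masked).decode().rsplit(":", 1)
    ipaddress.IPv4Address(host)                        # ValueError if not an IPv4 literal
    return host, int(port)


# Base32 alphabet is A-Z and 2-7; require at least one full 8-character group.
_TOKEN_RE = re.compile(re.escape(OPEN_TAG) + r"([A-Z2-7]{8,})" + re.escape(CLOSE_TAG))


def resolve_from_page(page_text: str) -> Optional[Tuple[str, int]]:
    """Implant side: given the body of a fetched profile page or forum post,
    return the first decodable CnC endpoint, or None if no usable marker is present."""
    for m in _TOKEN_RE.finditer(page_text):
        try:
            return decode_c2(m.group(1))
        except ValueError:
            continue                                   # damaged or decoy token, keep looking
    return None


def hunt_dead_drops(page_text: str) -> List[Tuple[str, int]]:
    """Defender side: once the marker pair is known from malware analysis, sweep
    crawled forum content and return every decodable endpoint for blocking."""
    found = []
    for m in _TOKEN_RE.finditer(page_text):
        try:
            found.append(decode_c2(m.group(1)))
        except ValueError:
            pass
    return found


# Constructed sample page: a bogus profile with the token buried in an "About me"
# blurb. 203.0.113.10 is a documentation address, not a real CnC.
C2_TOKEN = encode_c2("203.0.113.10", 443)
SAMPLE_PAGE = (
    "<h2>About me</h2><p>Windows admin, 10 years. Ask me about GPOs.</p>"
    f"<p>ref: {OPEN_TAG}{C2_TOKEN}{CLOSE_TAG}</p>"
    f"<p>old ref: {OPEN_TAG}AAAAAAAA{CLOSE_TAG}</p>"   # malformed decoy, must be skipped
)

if __name__ == "__main__":
    print("implant resolves:", resolve_from_page(SAMPLE_PAGE))
    print("hunt finds:", hunt_dead_drops(SAMPLE_PAGE))
```

Two design points carry over to the real technique. The implant never contains the CnC address, so static analysis of the binary yields only the marker pair and the web service it polls; and the defender’s leverage is exactly that marker pair, which is why public reporting on BLACKCOFFEE focused on identifying the tags and the decoding routine so the hosting service could locate and remove the bogus content.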
Among the MITRE ATT&CK enterprise techniques attributed to APT17 are T1583.006 (Acquire Infrastructure: Web Services) and T1585 (Establish Accounts). The resolver mechanism itself maps to T1102.001 (Web Service: Dead Drop Resolver), which ATT&CK attributes to BLACKCOFFEE, the malware whose use by APT17 is discussed above.