Chinese group hacked the world with BLACKCOFFEE
FireEye and Microsoft have revealed a backdoor called BLACKCOFFEE, which the Chinese hacking group APT17 has used to break into a variety of high-level targets since 2013.
The command-and-control (C2) concealment tactic has now been shut down, but not before APT17 had used it in network intrusions against a variety of targets, including the US government, law firms and IT companies.
Most attackers compromise easily manipulated websites to host their command-and-control communications, a noisy tactic that lets defenders locate the attackers' infrastructure quickly.
According to FireEye, though, this case reflects a new trend in which actors use the legitimate functionality of highly popular websites (for example, posting comments on Microsoft TechNet) to embed encoded commands that only their malware can find and use to communicate back to the threat actor.
In this instance, after investigating TechNet, FireEye discovered that APT17 posted in forum threads and created profile pages to host encoded C2 IP addresses that would direct a variant of the BLACKCOFFEE backdoor to their C2 server.
Interestingly, TechNet's own security was not compromised by this tactic, which means it could work on other forums and message boards as well.
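Because the dead-drop pages are hosted on a legitimate site, blocking them is rarely an option; what a defender can watch for is the sequence the article describes: a host fetches a public forum or profile page and then, seconds later, connects straight to an IP address that no DNS lookup explains. The following correlation over proxy, DNS and connection telemetry is an added example written for this article, not FireEye's or Microsoft's code; the log lines are constructed, and the watched page prefixes and 60-second window are assumptions an analyst would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real data).
# Each line: timestamp,src_host,event,destination
SAMPLE_LOGS = """\
2015-05-14T09:00:01,ws-17,http,social.technet.microsoft.com/profile/alice
2015-05-14T09:00:04,ws-17,conn,203.0.113.45:443
2015-05-14T09:05:00,ws-22,http,social.technet.microsoft.com/profile/bob
2015-05-14T09:05:01,ws-22,dns,cdn.example.net
2015-05-14T09:05:02,ws-22,conn,198.51.100.7:443
2015-05-14T10:00:00,ws-17,http,www.example.com/news
2015-05-14T10:00:03,ws-17,conn,192.0.2.9:80
"""

# Assumption: public page prefixes the organisation chose to watch.
WATCHED_PREFIXES = ("social.technet.microsoft.com/profile/",)
WINDOW = timedelta(seconds=60)
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

def parse_events(log_text):
    """Return (time, host, event, dest) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, host, kind, dest = line.split(",", 3)
            events.append((datetime.fromisoformat(ts), host, kind, dest))
    return sorted(events)

def find_dead_drop_candidates(log_text, window=WINDOW):
    """Flag (host, page, dest) where a watched-page fetch is followed within
    `window` by a connection to a bare IP that no DNS lookup explains."""
    by_host = defaultdict(list)
    for ev in parse_events(log_text):
        by_host[ev[1]].append(ev)
    hits = []
    for host, evs in by_host.items():
        for i, (t0, _, kind, page) in enumerate(evs):
            if kind != "http" or not page.startswith(WATCHED_PREFIXES):
                continue
            saw_dns = False
            for t1, _, kind1, dest in evs[i + 1:]:
                if t1 - t0 > window:
                    break
                if kind1 == "dns":
                    saw_dns = True  # a lookup could explain a later IP connection
                elif kind1 == "conn" and IP_LITERAL.match(dest) and not saw_dns:
                    hits.append((host, page, dest))
    return hits
```

On the sample data only ws-17 is flagged: ws-22 also read a profile page but resolved a name before connecting, and ws-17's later news-site visit is ignored because that page is not watched.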
Previously, APT17 had been observed using the popular search engines Google and Bing to hide its activities and the location of its infrastructure from security professionals.