A Chinese advanced persistent threat (APT) group relied on Microsoft’s TechNet portal to hide the IP addresses of the command and control (C&C) servers for BLACKCOFFEE, a piece of malware used in cyber-espionage campaigns. The IP strings were published in encoded form in forum threads, profile pages and comments, and were retrieved by the malware after it compromised a system. The technique is also known as a “dead drop resolver.”

Researchers from FireEye and Microsoft Intelligence Center investigated the tactic by locking the pages containing the IPs and sinkholing one of them in order to gain insight into recent BLACKCOFFEE activity.

The group behind the campaign has been named APT17 and is also known as DeputyDog; its use of different BLACKCOFFEE variants has been monitored since 2013. Once BLACKCOFFEE is installed on a computer, it can exfiltrate information as well as add new data, create a reverse shell, and log and terminate running processes.

According to FireEye’s analysis, the malware embeds the links to the TechNet pages containing the C&C addresses. The numerical string sits between two markers, “@MICR0S0FT” and “C0RP0RATI0N,” in an encoded form.
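The marker pair above is the detectable part of the dead-drop scheme from a defender's side: any web content passing through a proxy or captured from the forum can be scanned for text bracketed by those two markers. The following is an added example, not code from the article, FireEye or Microsoft. It uses only the two marker strings the article gives; the sample page bodies, URLs and payloads are constructed for the demonstration, and because the article does not describe the encoding, the payload is extracted and classified but not decoded.

```python
import re
from typing import Dict, List

# Marker pair reported in the article for BLACKCOFFEE's dead-drop pages.
START_MARKER = "@MICR0S0FT"
END_MARKER = "C0RP0RATI0N"

# Non-greedy match of whatever sits between the markers, spanning newlines.
_DROP_RE = re.compile(
    re.escape(START_MARKER) + r"(?P<payload>.*?)" + re.escape(END_MARKER),
    re.DOTALL,
)

# Coarse check: is the payload already a dotted-quad IPv4 address?
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def find_dead_drop_payloads(text: str) -> List[Dict[str, object]]:
    """Return every marker-delimited payload found in `text`.

    Each hit records the character offset, the raw payload and a shape label:
    'plaintext_ipv4' if the payload is a dotted quad, otherwise 'opaque'.
    The article says the real strings are encoded but does not give the
    scheme, so nothing is decoded here; the hit is surfaced for an analyst.
    """
    hits: List[Dict[str, object]] = []
    for m in _DROP_RE.finditer(text):
        payload = m.group("payload").strip()
        shape = "plaintext_ipv4" if _IPV4_RE.match(payload) else "opaque"
        hits.append({"offset": m.start(), "payload": payload, "shape": shape})
    return hits


def scan_pages(pages: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a {url: body} mapping (e.g. proxy-captured responses) and tag
    each hit with the URL it came from."""
    findings: List[Dict[str, object]] = []
    for url, body in pages.items():
        for hit in find_dead_drop_payloads(body):
            findings.append({"url": url, **hit})
    return findings


# Constructed sample pages (hypothetical hostnames and contents, not real
# APT17 artifacts). 192.0.2.10 is a documentation-range address.
SAMPLE_PAGES = {
    "https://social.technet.example/profile/user1": (
        "About me: I like PowerShell.\n"
        "@MICR0S0FT Zm9vYmFy C0RP0RATI0N\n"
        "Thanks for reading."
    ),
    "https://social.technet.example/forums/thread/42": (
        "Has anyone seen this error?\n"
        "@MICR0S0FT192.0.2.10C0RP0RATI0N\n"
    ),
    "https://social.technet.example/forums/thread/43": "Plain thread, no markers.",
}

if __name__ == "__main__":
    for f in scan_pages(SAMPLE_PAGES):
        print(f"{f['url']} offset={f['offset']} shape={f['shape']} payload={f['payload']!r}")
```

In practice `scan_pages` would be fed response bodies from a web proxy or from a crawl of the forum, and a hit of either shape on a user-profile page or comment is worth an alert: the markers have no legitimate reason to appear there, so the match itself is the signal, independent of whether the payload can be decoded.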
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street