As part of Cyber Squared's continued Threat Intelligence research regarding sophisticated threats and their use of social media, we have recently observed attackers abusing social media profiles as a command and control (C2) medium which serves as a method to pass commands between victims and the attacker. While social media as a command and control method itself is not necessarily a new technique, individual implementations may often differ. This recent implementation differs from recently discovered and documented attacks where the Twitter social media platform was used as a delivery platform to send targeted tweets containing malicious links to specific Twitter users.
In the following example, the attackers were attempting to operate stealthily, passing undetected commands through legitimate user profiles hosted on a trusted social media site to customized malware that resided within compromised enterprises. Cyber Squared assesses that as the adoption of social networking platforms increases in both our personal and professional lives, sophisticated threats will continue to seek ways to leverage commonly trusted social media platforms to conduct reconnaissance, deliver malicious content, broker connections, and manage C2.
Defining Service Profile Infrastructure:
Traditionally, sophisticated cyber threats have used various types of infrastructure, such as IP addresses or dynamic domains, as the primary means to facilitate C2 with their victims. However, because network defense personnel are able to identify the malicious infrastructure through various malware analysis techniques, the attacker infrastructure is easily blocked or mitigated by many of today’s security solutions. As a result, attackers are shifting to new mediums to facilitate C2, such as social media and other cloud-based services.
The technique may be seen as somewhat rare because some attackers may not find it a reliable method of C2. The benefit of leveraging a popular social network as C2 also comes at a cost to the attacker: if discovered, the C2 is easily shut down by the provider because of the attacker’s dependence on specific accounts or protocols within the social network. However, social media enabled C2 may go undetected because of limited awareness of the technique in most enterprises. Also, attackers will often attempt to minimize the volume of their activity, keeping their number of targets low so as not to raise suspicions within the provider’s security department.
As part of an increasing trend, sophisticated threats have responded by pushing critical stages of their attacks into the Cloud. They do so by manipulating popular third party services through legitimate user profiles, in an effort to implement and masquerade custom C2 functions or protocols within a trusted service provider’s infrastructure. We classify this extension of attacker infrastructure as “Service Profile Infrastructure” (SPI).
In the incident described below, the intent of the attacker, in implementing SPI techniques, is to pass undetected commands through a legitimate user profile hosted on a trusted service provider to customized malware that resides within a compromised enterprise. This technique usually consists of activity that exists within later stages of the Kill Chain, specifically within the “C2” and “Actions on the Objective” phases. However, this may not always be the case. For example, in the “APT #TargetedAttacks within @SocialMedia” blog, we highlighted SPI techniques that were used within the earlier “Delivery” and “Exploitation” Kill Chain stages.
It is important to highlight that attackers have been observed implementing this technique intermittently for several years, but the activity rarely meets the security industry’s threshold for reporting due to the apparent low volume of activity. Unfortunately, many enterprises remain unaware of the technique because of the limited reporting detailing it. Service Providers, Security Professionals and End Users alike should be aware of the techniques that sophisticated threats are employing and aim to understand the associated risks and attack surface areas that many trusted third party service providers could unknowingly introduce into today’s enterprise networks.
Operational Caveat: Cyber Squared has notified the affected social media and web content platforms to share details of this threat, providing the affected organizations ample time to investigate and mitigate any identified threats. It is important to highlight that no vulnerability or exploit was leveraged with any of the social media or web content platforms; rather, the service providers’ profiles were simply abused by the adversary in implementing a custom C2 protocol. In this example, the social media and web content platform services were likely chosen by the attacker for their “mid-point” redirection capabilities, in an effort to “hide within the noise” and take advantage of the implicit trust relationships that many victim enterprises have with these well-known sites.
Due to the operational sensitivities, and at the request of an affected entity, we are electing to only provide full disclosure of attacker techniques, threat indicators (file hashes, IPs, domains, etc.), and context of the events identified to the trusted and vetted Organization members of the ThreatConnect.com community. The following public blog posting contains only contextually redacted areas and a general overview. For more information regarding this threat activity and technique, please register at ThreatConnect.com.
In late March 2013, Cyber Squared identified two malicious files. Both malware samples were specifically engineered to request a shortened URL of a certain attacker-controlled social networking profile. Follow-on analysis would later identify a second attacker-controlled social networking profile publicly available on the same social networking service; however, no corresponding malware sample would be identified for the second social networking profile.
Both social networking profiles were configured to be public and contained similar encoded strings. Once decoded, the strings were identified as secondary download URLs that the malware was engineered to interact with, likely downloading and executing secondary files.
Upon notification, these profiles were promptly removed by the service providers, thus disabling the ability for the attackers to interact with any victim hosts who were infected with the associated malware.
The identified malicious binary masqueraded as a patch for Safeguard 360, a Chinese network security application. Static analysis of the malware indicated that the authors implemented heavy anti-debugging techniques to slow and frustrate analysis efforts. The functionality of the binary seemed to be consistent with a family of malware that seeks to obtain individual user credentials for several popular online gaming websites.
This version of the implant was configured to harvest credentials from multiple Korean gaming websites as well as live.com and facebook.com. It was engineered to inject itself into various non-gaming related system processes, such as explorer.exe, Yahoo and MSN messengers. The implant also has the ability to download and execute secondary binaries of the attacker’s choosing by decoding the encrypted URL strings, such as those found on the social media service profiles. It is possible that the attackers may have also implemented redundant means of C2 of their victims by deploying an unidentified, secondary backdoor or remote access trojan (RAT) prior to any mitigation efforts being employed.
All of the decoded URLs contained domains that were registered in China. The identified infrastructure has maintained a consistent Chinese nexus, in that it was registered in either Beijing or Zhaotong, China. However, at this time, we cannot conclusively determine that this specific activity is indeed affiliated with Chinese threat actors.
The Korean Connection:
We also noted that the identified files had been submitted to ThreatExpert on March 21st, which, depending on the time zone, either coincided with or immediately followed mass targeted denial-of-service (DoS) and disk wiping attacks on South Korean banking and media networks. We later found that one of the identified malware binaries (observed March 20) was also mentioned in a Palo Alto Networks Japanese language report that listed numerous malware samples collected in and around the time of the South Korean media and financial industry DoS attacks. According to machine translation, the Palo Alto Networks report specifically references the South Korean attacks and includes references to the same MD5 that was detected on or about March 20th.
Unfortunately, there is a key intelligence gap surrounding additional details and context of Palo Alto Networks’ assessment. This keeps us from confidently confirming that the sample was indeed associated with the March 20 disk wiping attacks against the South Korean media and finance industry. It is possible that the sample was either erroneously included as part of a larger corpus of associated binaries or that it may have been used as a component within the attacks.
On April 10, 2013, during yet another time of heightened tensions between the two Koreas, we discovered a new variant of this malware in the wild. The malware was hosted at hxxp://142.54.188[.]216, which was observed running a Chinese language Microsoft IIS server. During runtime analysis of the malware, we noted a connection to the original social networking profile, followed by a request for a second stage at hxxp://xa.3pronxg[.]com/xaa/xa.jpg. At the time of analysis, the “xa.jpg” file returned a “404 Not Found” from the server. Unfortunately, due to the absence of this file, we were unable to determine the follow-on behavior or purpose of the second stage file.
Other Service Profile Infrastructure:
In addition to the operational social networking profiles that were identified and associated with the malware samples, we subsequently discovered secondary sites that may have been used for pre-operational testing, as no corresponding malware samples were identified. The SourceForge profiles “dsfsewr23” and “js3pup1” were both identified as containing the malicious encoded strings.
These profiles implemented the same encoding algorithm as the social networking profiles. It is possible that the SourceForge accounts were being used as an active C2 in a similar manner or that the attackers used false SourceForge profiles for testing in late February 2013. The "js3pup1" profile also closely resembles the naming convention within the identified js3p[.]com/up subdirectories.
The same encoded string identified within the “dsfsewr231” SourceForge profile was also identified as hosted on a Sina Chinese language blog profile, located at hxxp://blog.sina.com[.]cn/u/3202921042. This profile redirected victims to “mgjs13.host225.idc-icp[.]com/asp2013”.
Finally, more encoded strings were also found posted on March 6 within a default WordPress blog:
Cyber Squared strongly recommends that organizations routinely conduct deep network traffic inspection to identify similar SPI techniques. If you are the victim of targeted attacks that have implemented SPI techniques and would like to obtain regular updates and threat intelligence regarding sophisticated threats, please register at ThreatConnect.com.
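The runtime behavior described above (a fetch of a public profile on a trusted platform, followed within seconds by a request to an unrelated second-stage host) is a sequence a proxy log can be searched for. The following correlation script is an added example, not Cyber Squared's tooling; the log format, the profile host list, the allowlist and the sample log lines are all constructed for illustration.

```python
"""Flag proxy-log sequences consistent with Service Profile Infrastructure C2:
a client fetches a public profile page, then shortly afterwards requests an
unrelated, non-allowlisted host (the second-stage download)."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: hosts whose public profiles could carry encoded strings. In a real
# deployment list the social network, code-hosting and blog platforms in use.
PROFILE_HOSTS = {"social.example", "sourceforge.example", "blog.example"}
# Assumption: hosts the enterprise legitimately talks to right after browsing.
ALLOWLIST = {"live.com", "windowsupdate.example"}
WINDOW = timedelta(seconds=60)   # profile fetch -> second stage gap to correlate

# Constructed sample log: "<ISO timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2013-04-10T09:00:01 10.1.1.5 GET http://social.example/u/3202921042 200
2013-04-10T09:00:04 10.1.1.5 GET http://xa.stage2.example/xaa/xa.jpg 404
2013-04-10T09:00:10 10.1.1.7 GET http://social.example/u/3202921042 200
2013-04-10T09:00:12 10.1.1.7 GET http://www.live.com/ 200
2013-04-10T09:02:00 10.1.1.7 GET http://xa.stage2.example/xaa/xa.jpg 404
2013-04-10T09:05:00 10.1.1.9 GET http://xa.stage2.example/xaa/xa.jpg 404
""".splitlines()


def parse_line(line):
    """Split one constructed-format log line into (timestamp, client, url, status)."""
    ts, client, _method, url, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, url, int(status)


def find_spi_sequences(lines, window=WINDOW):
    """Return (client, profile_url, follow_on_url, status) for each client whose
    request to a non-allowlisted host falls within `window` of a profile fetch."""
    last_profile = {}          # client -> (timestamp, profile url)
    hits = []
    for ts, client, url, status in map(parse_line, lines):
        host = urlparse(url).hostname or ""
        if host in PROFILE_HOSTS:
            last_profile[client] = (ts, url)   # remember the most recent fetch
            continue
        prev = last_profile.get(client)
        if prev is None or ts - prev[0] > window:
            continue                            # no recent profile fetch
        if any(host == a or host.endswith("." + a) for a in ALLOWLIST):
            continue                            # expected follow-on traffic
        hits.append((client, prev[1], url, status))
    return hits


if __name__ == "__main__":
    for hit in find_spi_sequences(SAMPLE_LOG):
        print("possible SPI C2 sequence:", hit)
```

Only 10.1.1.5 is flagged: 10.1.1.7's second-stage request falls outside the window and its in-window request is allowlisted, and 10.1.1.9 never fetched a profile. A 404 on an image path right after the profile fetch, as seen in the April 10 sample, is worth surfacing even though the payload was absent.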