A China-based APT group has been using Microsoft's TechNet web portal to host encoded command-and-control (C&C) IP addresses for its BLACKCOFFEE malware, FireEye researchers have revealed.
"While other groups have used legitimate websites to host C&C IP addresses, APT17 took the additional step of embedding encoded C&C IP addresses for the BLACKCOFFEE malware in legitimate Microsoft TechNet profile pages and forum threads, a method some in the information security community call a 'dead drop resolver'," the researchers explained in a report (registration required).