APT17 group's malware retrieved C&C IP addresses from Microsoft's TechNet portal
“Encoding the IP address makes it harder for network security professionals to recognize the authentic C&C address,” they pointed out.
APT17, also known as DeputyDog, has been active for many years, targeting technology firms, defense contractors, US government entities, NGOs and other types of organizations.
According to the FireEye researchers, the group used to disguise its C&C communications as queries to web search engines, and has now moved to using public sites such as TechNet to host C&C configuration and command information.
The encoded IP address sits between two tags, “@MICR0S0FT” and “C0RP0RATI0N”, and the code is embedded in profile pages and forum threads.
“After discovering the BLACKCOFFEE activity, the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes. This collaborative approach allowed the team to identify the malware and its victims,” the researchers shared.
“This information will help them work together with the antivirus community to create signatures to identify and clean systems affected by BLACKCOFFEE, and alert other forum and message board administrators to be on the lookout for this particular technique.”
In fact, other groups have already been observed using this technique.
“This is even true for file-sharing services like Google Docs and Dropbox. Using crypto and steganography techniques to hide sensitive information in plain sight, for example C&C IP addresses in pictures, will give others the opportunity to use sites such as Pinterest, Flickr or Photobucket. Identifying and blocking these C&C routes will be especially challenging for cybersecurity professionals, as in most businesses the use of social media is well established and you can't block them without impeding communication with your customers and co-workers,” Jeff Audenard, products and services security and risk intelligence manager, Orange – Group Security Directorate, commented to Help Net Security.
“This is just one more example of how malicious actors will look to make use of highly popular websites to either hide their activities, control their botnets, or indeed to infect unsuspecting visitors to those sites,” says Brian Honan, CEO at BH Consulting. “Using highly popular sites enables criminals to control their botnets without raising suspicion, as the associated traffic would appear normal to the majority of security tools and professionals. Anyone tasked with managing and securing their site, particularly those that allow user-generated content, should take extra care to ensure it cannot be abused by criminals.”
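A defender-side check, as an added example that is not part of the FireEye or Microsoft research: a scanner that a forum or profile-page operator could run over user-generated content to flag the tag pair quoted above. The encoding of the address between the tags is not described here, so the scanner only reports the enclosed text; the sample posts and the blob inside them are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Marker pair reported for BLACKCOFFEE: the encoded C&C address sits between these two tags.
START_TAG = "@MICR0S0FT"
END_TAG = "C0RP0RATI0N"

# Non-greedy match of whatever sits between the two tags; DOTALL lets the
# enclosed text span line breaks inside a post, and the length bound keeps a
# stray start tag from swallowing the rest of a long page.
MARKER_RE = re.compile(
    re.escape(START_TAG) + r"(?P<blob>.{1,256}?)" + re.escape(END_TAG), re.DOTALL
)


@dataclass
class Finding:
    post_id: str
    blob: str      # raw text between the tags (not decoded; the encoding is not public here)
    offset: int    # character offset of the start tag within the post body


def scan_post(post_id: str, body: str) -> List[Finding]:
    """Return one Finding per START_TAG...END_TAG pair found in a post or profile page."""
    return [
        Finding(post_id, m.group("blob").strip(), m.start())
        for m in MARKER_RE.finditer(body)
    ]


def scan_posts(posts: List[Tuple[str, str]]) -> List[Finding]:
    """Scan (post_id, body) pairs, e.g. a moderation queue, and collect all findings."""
    findings: List[Finding] = []
    for post_id, body in posts:
        findings.extend(scan_post(post_id, body))
    return findings


# Constructed sample user-generated content (hypothetical, not real TechNet data).
# The blob in post-2 is an arbitrary placeholder, not a real BLACKCOFFEE payload.
SAMPLE_POSTS = [
    ("post-1", "Has anyone seen this error in the event log? Thanks in advance."),
    ("post-2", "Great tip! @MICR0S0FT aGVsbG8td29ybGQ= C0RP0RATI0N regards"),
    ("post-3", "Contact Microsoft Corporation support for licensing questions."),
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"{f.post_id}: marker pair at offset {f.offset}, enclosed text {f.blob!r}")
```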