Security researchers from Norman have intercepted a copy of the Sogu RAT (remote access tool; also known as Thoper, TVT, Destory RAT, etc.) that abuses legitimate Web services such as MSDN, Baidu, LinkedIn and Twitter as command and control servers.
Based on their research, they concluded that the C&C infrastructure is currently in experimental mode: the encoded strings do not resolve to anything malicious, and no valid dropzone is present at all:
The content of the code is not very dramatic, though. It decodes to a string “127.0.0.1:80” in most cases, except for the Baidu string which decodes to “127.0.0.1:12345”. This would seem to indicate that for this sample there is no active Command & Control connection at this time. Or that there is no need for one. However, this could change at any time.
This isn't the first time that cybercriminals have attempted to rely on legitimate services for their command and control hosting needs, and it definitely won't be the last.
In the past, popular social networks and services such as Facebook, Twitter, Google Groups, Amazon's EC2, Blogspot and Baidu Blogs have all been abused for command and control hosting, in an attempt to trick Web reputation filters into thinking that the malware-infected hosts are communicating with legitimate infrastructure.
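Because the destinations in this scheme are reputable domains, reputation-based filtering alone cannot catch the traffic; the defender's fallback is behavioural detection of the beaconing pattern itself. The following added example (not code from Norman or from the original post) reads constructed proxy log lines in a hypothetical "timestamp client method url status" format and flags any client/URL pair that is polled at regular intervals with very little jitter, which is how a RAT checking a static page for updated C&C instructions tends to look, regardless of how reputable the hosting site is.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (hypothetical format: timestamp client method url status).
# Client 10.0.0.5 polls one page every ~5 minutes; client 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2013-05-28T10:00:00 10.0.0.5 GET https://www.example.invalid/profile/abc 200
2013-05-28T10:01:13 10.0.0.7 GET https://www.example.invalid/search?q=lunch 200
2013-05-28T10:05:01 10.0.0.5 GET https://www.example.invalid/profile/abc 200
2013-05-28T10:10:00 10.0.0.5 GET https://www.example.invalid/profile/abc 200
2013-05-28T10:14:59 10.0.0.5 GET https://www.example.invalid/profile/abc 200
2013-05-28T10:20:01 10.0.0.5 GET https://www.example.invalid/profile/abc 200
2013-05-28T10:25:00 10.0.0.5 GET https://www.example.invalid/profile/abc 200
2013-05-28T10:33:40 10.0.0.7 GET https://www.example.invalid/news 200
2013-05-28T11:02:05 10.0.0.7 GET https://www.example.invalid/search?q=lunch 200
2013-05-28T12:47:20 10.0.0.7 GET https://www.example.invalid/profile/abc 200
"""


def parse_log(text):
    """Group request timestamps by (client, url). Malformed lines are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, _method, url, _status = parts
        try:
            groups[(client, url)].append(datetime.fromisoformat(ts))
        except ValueError:
            continue
    return groups


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return client/URL pairs requested at least min_requests times whose
    inter-request intervals have a coefficient of variation (stdev/mean)
    below max_cv, i.e. a near-constant polling period. Human browsing
    produces irregular gaps; a scheduled check-in does not."""
    findings = []
    for (client, url), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(intervals)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean_gap
        if cv <= max_cv:
            findings.append({
                "client": client,
                "url": url,
                "count": len(stamps),
                "mean_interval": mean_gap,
                "cv": cv,
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url']}: {hit['count']} requests, "
              f"period {hit['mean_interval']:.0f}s, jitter cv={hit['cv']:.4f}")
```

The thresholds (five requests, 10% jitter) are starting points, not tuned values; a real deployment would run this over a sliding window per client and whitelist known pollers such as software update checks, which also beacon regularly but to expected URLs.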
What do you think? Is the use of legitimate infrastructure for command and control purposes a long-term trend, or a temporary fad, with cybercriminals basically experimenting with the technique?