Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastructure

Summary: According to security researchers from Norman, they have intercepted a copy of the Sogu malware that abuses MSDN, Baidu, LinkedIn and Twitter as C&C servers.

Security researchers from Norman have intercepted a copy of the Sogu (alias Thoper, TVT, Destory Rat, etc.) RAT (remote access tool) that abuses legitimate Web services, such as MSDN, Baidu, LinkedIn and Twitter, as command and control servers.

Based on their research, they concluded that the C&C infrastructure is currently in experimental mode, as it doesn't resolve to anything malicious and doesn't contain a valid dropzone at all:

The content of the code is not very dramatic, though. It decodes to a string “127.0.0.1:80” in most cases, except for the Baidu string which decodes to “127.0.0.1:12345”. This would seem to indicate that for this sample there is no active Command & Control connection at this time. Or that there is no need for one. However, this could change at any time.

This isn't the first time cybercriminals have attempted to rely on legitimate services for their command and control hosting needs, and it definitely won't be the last.

In the past, popular social networks and services such as Facebook, Twitter, Google Groups, Amazon's EC2, Blogspot and Baidu Blogs have all been abused for command and control hosting, in an attempt to trick Web reputation filters into thinking that the malware-infected hosts are communicating with legitimate infrastructure.

What do you think? Is the use of legitimate infrastructure for command and control purposes a long-term trend, or a temporary fad, with cybercriminals basically experimenting with the feature?


About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community.
