Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastructure


Summary: Security researchers from Norman have intercepted a copy of the Sogu malware, which abuses MSDN, Baidu, LinkedIn and Twitter as C&C servers.


Security researchers from Norman have intercepted a copy of the Sogu RAT (remote access tool; also known as Thoper, TVT, Destory Rat, among other names), which abuses legitimate Web services such as MSDN, Baidu, LinkedIn and Twitter as command and control servers.

Based on their research, they concluded that the C&C infrastructure is currently in experimental mode, as it doesn't resolve to anything malicious and doesn't contain a valid dropzone at all:

The content of the code is not very dramatic, though. It decodes to a string “127.0.0.1:80” in most cases, except for the Baidu string which decodes to “127.0.0.1:12345”. This would seem to indicate that for this sample there is no active Command & Control connection at this time. Or that there is no need for one. However, this could change at any time.
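As an added illustration, not part of the original post or of Norman's analysis: a small triage helper an analyst could run over the strings decoded from such dead-drop pages, to separate loopback or internal placeholders (like the 127.0.0.1 values above, which point to no live C&C) from routable hosts that warrant blocking and further investigation. The sample values are constructed; the "hypothetical_live" entry and the .invalid hostname are assumptions for the sake of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: decoded strings per source, following the decode results
# the article reports, plus one hypothetical routable entry for contrast.
DECODED_SAMPLES = {
    "msdn": "127.0.0.1:80",
    "twitter": "127.0.0.1:80",
    "linkedin": "127.0.0.1:80",
    "baidu": "127.0.0.1:12345",
    "hypothetical_live": "dropzone.example.invalid:443",  # constructed
}

@dataclass
class C2Verdict:
    source: str
    host: str
    port: Optional[int]
    category: str  # "inactive" | "internal" | "candidate" | "unparsed"

def parse_hostport(s: str) -> Optional[Tuple[str, Optional[int]]]:
    """Split 'host:port', '[v6]:port' or bare 'host'; None if malformed."""
    s = s.strip()
    if s.startswith("["):  # bracketed IPv6 literal
        end = s.find("]")
        if end == -1:
            return None
        host, rest = s[1:end], s[end + 1:]
        if not rest:
            return host, None
        return (host, int(rest[1:])) if rest.startswith(":") and rest[1:].isdigit() else None
    host, sep, port = s.rpartition(":")
    if not sep:
        return s, None
    if not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host, int(port)

def classify(source: str, decoded: str) -> C2Verdict:
    """Loopback/unspecified -> inactive; private/reserved -> internal; else candidate."""
    parsed = parse_hostport(decoded)
    if parsed is None:
        return C2Verdict(source, decoded, None, "unparsed")
    host, port = parsed
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname: routable until resolution says otherwise
        return C2Verdict(source, host, port, "candidate")
    if ip.is_loopback or ip.is_unspecified:
        return C2Verdict(source, host, port, "inactive")
    if ip.is_private or ip.is_link_local or ip.is_reserved:
        return C2Verdict(source, host, port, "internal")
    return C2Verdict(source, host, port, "candidate")

def triage(samples: dict) -> dict:
    return {src: classify(src, val) for src, val in samples.items()}
```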

This isn't the first time that cybercriminals attempt to rely on legitimate services for their command and control hosting needs, and definitely not the last.

In the past, popular social networks and services such as Facebook, Twitter, Google Groups, Amazon's EC2, Blogspot and Baidu Blogs have all been abused for command and control hosting in an attempt to trick Web reputation filters into thinking that the malware-infected hosts are communicating with legitimate infrastructure.

What do you think? Is the use of legitimate infrastructure for command and control purposes a long-term trend, or a temporary fad, with cybercriminals basically experimenting with the feature?



Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

1 comment
  • Long-term, definitely

    This is a LONG-TERM tactic; definitely, it is the way to go.

    I mean, if I wanted to set up a C&C, I would leverage (and/or 'mimic') existing so-called 'trustworthy' infrastructure. IF I were to do that sort of thing. So, you have to imagine that the hacksters look at it the same way. Yep, I'm making up a new word: "hackster" - an individual who mimics and/or utilizes existing trustworthy infrastructure, in order to gain unauthorized and/or elevated access to various computing and network resources.
    bitdoctor