APT group's malware retrieved C&C IP addresses from Microsoft's TechNet portal

May 14, 2015


A China-based APT group has been using Microsoft's TechNet web portal to host encoded Command and Control (C&C) IP addresses for its BLACKCOFFEE malware, FireEye researchers have revealed.

“While other groups have used legitimate websites to host C&C IP addresses, APT17 took the additional step of embedding encoded C&C IP addresses for the BLACKCOFFEE malware in legitimate Microsoft TechNet profile pages and forum threads, a method some in the information community call a ‘dead drop resolver’,” the researchers explained in a report (registration required).
