Malware Uses Social Media and Blogging Sites as Part of Its C&C Server

FireEye researchers have analyzed an interesting threat

By on November 14th, 2012 09:56 GMT

Researchers have uncovered some interesting phishing attacks that rely on blogging and social media websites as part of the command and control (C&C) server.

According to FireEye experts, it all starts with an attachment called “AutoCleanTool.rar.” When the file is unzipped and executed, users are presented with a small application window which prompts them to enter their full email address and its associated password.

Once the credentials are handed over, the information is saved into the Windows registry, after which it’s transmitted to the attackers by the malware.

In the meantime, a directory structure is created and a malicious DLL file is dropped in a couple of locations.

Once the DLL (NetCCxx.dll) is loaded, the “fun” begins. At first, the malware checks to see if it can connect to the Internet by using a GET request.

Then, it starts contacting a number of domains, all of which appear to be hosted on Chinese social media and blogging websites such as baidu.com, zuosa.com, people.com.cn, tongxue.com and alibado.com.

From these websites, the malware starts downloading a series of .jpg image files representing Japanese animation characters.

While the pictures look innocent, in reality they contain an “unknown padding,” 471 bytes in size, after the “Endofimage” marker. This “unknown padding” is referenced by the threat in order to update itself.

The process is very interesting. The data it takes from one image becomes part of a new .ini file that contains configuration details. Another part of the retrieved data contains the URL for an additional image file, which in turn contains more configuration information.

This way, the malware can update itself without being noticed by security software. Furthermore, the data from the .jpg file can also be utilized to update the entire framework and even add new components.

“Network communications like this could easily slip under the radar. All the domains and URLs accessed by the malware are legitimate. Though they seem to all be Chinese in origin, there is not really enough for most traditional security defenses to detect outright,” FireEye’s J. Gomez explained.

“IT security personnel should be aware of these types of threats as they can go undetected for extended periods of time until traditional signature-based security solutions receive detection updates (if at all).”

Comments