Attackers hid malicious commands on IT trade forum.
Microsoft TechNet, a website for the IT trade, is under attack from an advanced Chinese hacking gang trying a novel method of hosting its command and control (C&C) server, according to the security vendor FireEye.
The hackers, dubbed APT17, were found using TechNet forum threads and profile pages to host encoded C&C traffic directing the backdoor malware BlackCoffee to their server, in an attack that could be replicated across other forums even on otherwise secure sites.
Laura Galante, manager of threat intelligence at FireEye, said: "This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organisations to detect and prevent advanced threats.
"Given its effectiveness, we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world."
APT17 has in the past targeted US government bodies, nongovernmental organisations and private companies in law, IT a mining throughout the world.
Though the tactic of hiding their activities on forums is relatively modern, the group has in the past been spotted using search engines such as Google and Bing to disguise their attacks.
To combat the problem on TechNet, Microsoft and FireEye replaced the encoded domains with ones that they could control.
"By working closely with companies like Microsoft and targeted organizations to develop threat intelligence, we can assist security professionals and disrupt these activities," Galante said.
BlackCoffee is capable of uploading and downloading files, and can create a reverse shell that communicates back to the machine that is attacking it.