Microsoft’s #TechNet Online User Profiles Used To Conceal #Malware

Posted: May 18, 2015 in Tech


In conjunction with the discovery, researchers at RSA Security today released to the public a Python script that decodes the embedded values on a TechNet page and reveals command and control information.

RSA researchers Brian Baskin and Jared Myers said the malware, which they call PNGRAT, was found on two customer networks. They explain that the malware contains a hardcoded URL pointing at an attacker-created TechNet profile page. The malicious code connects to TechNet and decodes a message buried in a string between the markers @MICRO0S0FT and C0RP0RATI0N. Doing so reveals an IP address where further command and control connections await, RSA said.

“It’s not an overly complicated encoding scheme; looking at the malware, it took us about 15 minutes to figure out the encoding,” Myers said. “It uses two characters for every octet of the IP address. It does simple math on each character, adds it up and it ends up resolving the value, which is one octet of the IP address.”
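The dead-drop pattern described above (a marker-delimited string on a trusted page that decodes to an IP address) can be checked for from the defender's side. The following is an added example, not RSA's released script and not code from the original post: it scans fetched page text for the marker pair quoted above and decodes whatever sits between them. The page does not state the exact arithmetic PNGRAT uses, so the per-octet scheme here (two letters A-P per octet, high nibble then low nibble) is an assumption chosen only to illustrate the "two characters per octet" shape; the sample page body and the decoded address 192.0.2.1 are constructed.

```python
import re

# Marker strings as reported in the article.
START_MARKER = "@MICRO0S0FT"
END_MARKER = "C0RP0RATI0N"

# Constructed sample of a profile-page fragment, not real TechNet content.
# Between the markers, "MAAAACAB" encodes 192.0.2.1 under the assumed scheme.
SAMPLE_PAGE = (
    '<div class="bio">Just here to learn. '
    "@MICRO0S0FTMAAAACABC0RP0RATI0N Thanks!</div>"
)


def find_payloads(page_text):
    """Return every string found between the two marker strings.

    A hit alone is worth alerting on: legitimate profile text has no
    reason to contain this marker pair, whatever the payload decodes to.
    """
    pattern = re.escape(START_MARKER) + r"(.*?)" + re.escape(END_MARKER)
    return re.findall(pattern, page_text, flags=re.DOTALL)


def decode_octet(pair):
    """Assumed scheme (not the real one): two letters A-P give one octet."""
    hi = ord(pair[0]) - ord("A")
    lo = ord(pair[1]) - ord("A")
    if not (0 <= hi < 16 and 0 <= lo < 16):
        raise ValueError(f"not a valid encoded octet: {pair!r}")
    return hi * 16 + lo


def decode_ip(payload):
    """Turn an 8-character payload (two characters per octet) into dotted quad."""
    payload = payload.strip()
    if len(payload) != 8:
        raise ValueError(f"expected 8 characters, got {len(payload)}")
    octets = [decode_octet(payload[i:i + 2]) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in octets)


def extract_c2_addresses(page_text):
    """Flag marker pairs in page text and decode each payload.

    Returns one entry per marker pair: the decoded address, or None when
    the markers are present but the payload does not fit the assumed scheme
    (still a finding, since the markers themselves are the indicator).
    """
    results = []
    for payload in find_payloads(page_text):
        try:
            results.append(decode_ip(payload))
        except ValueError:
            results.append(None)
    return results


if __name__ == "__main__":
    for addr in extract_c2_addresses(SAMPLE_PAGE):
        print("marker pair found, decoded address:", addr)
```

In practice the interesting part is `find_payloads`: run it over response bodies from a web proxy or sandbox for pages the article names as trusted (TechNet, Gmail and the like), and treat any hit as an indicator regardless of whether the decoder understands the payload.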

The PNGRAT variant, RSA said, contains some additional functionality, including features generally confined to crimeware rather than to malware used in targeted attacks. Using TechNet to store command and control information is a time-tested attacker tactic: hiding C&C data on a trusted, widely used site helps evade detection and keeps C&C infrastructure running for longer periods of time.

“That’s the problem with this aspect of the attack; TechNet is popular and would not be blocked,” Baskin said. “We’ve seen that same style of attack used before with Gmail and other public websites. Tomorrow, or the week after, or the month after, they could be using this same routine on an Amazon page or any other trusted website out there.”

Full Story @ [threatpost]
