Network security is one of those things in life I find fascinating. It’s a constant battle between good and evil. Just when the good guys think they have things figured out, the bad guys change their techniques. With all of the good that comes from using cloud-based services, there is also the other side of the coin. Cybersquared, a company dedicated to network and cyber security, published a report with their findings on how today’s attackers are using what they call Service Profile Infrastructure to facilitate the command and control (C2) phase of an attack.
The report highlighted that a Chinese Advanced Persistent Threat group used Dropbox and its file-sharing notification feature to email targets links that led to malicious binaries. This was phase 1 of the attack. Phase 2 used a WordPress.com-hosted blog as the command and control center. Once the malicious binaries were running, the malware contacted the blog, whose posts contained the IP address and port number from which the malware would receive its commands.
Here is a screenshot from the WordPress.com account mentioned in the report.
The site is still online, but I don’t know if it’s actively being used in malware attacks. Clearly, the site has been in violation of the WordPress.com TOS for a long time, specifically this section: “the Content does not contain or install any viruses, worms, malware, Trojan horses or other harmful or destructive content”. (It has since been suspended.)
Once a victim was successfully targeted with the “Yayih” implant, the malware contacted a WordPress blog. It would then read attacker-staged content from within the blog posting to obtain a secondary domain, IP address and port number of a second stage C2 host.
In this example at “gressered.wordpress[.]com”, we found multiple blog posts, all of which had likely served as content for specific targeting campaigns. The same C2 configuration was “hiding in plain sight”. However, it is entirely possible that the attackers could have modified the second stage C2 configuration at any point previously. The earliest post was dated July 31, 2012, suggesting that this specific blog has been in use for nearly a year as a first stage interaction point.
Many of the blog posts that contained the C2 configuration were associated with news articles related to geopolitical events, likely of interest to potential targets.
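The two-stage behaviour described above (a fetch of a wordpress.com post, followed shortly by a connection to a raw IP and port read from that post) is something a defender can look for in their own logs. The following is an added example, not code from the report or from Cybersquared; the log format, the `staged-blog.wordpress.com` hostname and the IP addresses are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the report). Each line is
# "<ISO timestamp> <client> <event> <detail>": "web" is a proxy fetch,
# "conn" is an outbound TCP connection from that client.
SAMPLE_LOG = """\
2012-08-01T09:00:05 10.0.0.7 web https://staged-blog.wordpress.com/2012/07/31/news
2012-08-01T09:00:09 10.0.0.7 conn 198.51.100.23:8080
2012-08-01T09:15:00 10.0.0.9 web https://other-blog.wordpress.com/about
2012-08-01T09:20:12 10.0.0.9 conn 93.184.216.34:443
2012-08-01T10:02:00 10.0.0.7 web https://staged-blog.wordpress.com/2012/07/31/news
2012-08-01T10:02:03 10.0.0.7 conn 198.51.100.23:8080
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (web|conn) (\S+)$")
BLOG_RE = re.compile(r"^https?://[^/]+\.wordpress\.com/", re.IGNORECASE)
RAW_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
COMMON_PORTS = {80, 443}  # connections on these are not flagged by themselves

def find_staged_c2_sequences(log_text, window_seconds=60):
    """Flag clients that fetch a wordpress.com page and, within the window,
    open a connection to a raw IP on an uncommon port: the first-stage
    blog fetch followed by the second-stage C2 connection described in
    the report. Returns deduplicated (client, blog_url, ip, port) tuples
    in first-seen order."""
    last_blog_fetch = {}  # client -> (timestamp, url) of most recent blog fetch
    hits, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        client, kind, detail = m.group(2), m.group(3), m.group(4)
        if kind == "web" and BLOG_RE.match(detail):
            last_blog_fetch[client] = (ts, detail)
            continue
        if kind == "conn" and client in last_blog_fetch:
            fetch_ts, url = last_blog_fetch[client]
            ipm = RAW_IP_RE.match(detail)
            if ipm and ts - fetch_ts <= timedelta(seconds=window_seconds):
                ip, port = ipm.group(1), int(ipm.group(2))
                if port not in COMMON_PORTS:
                    key = (client, url, ip, port)
                    if key not in seen:
                        seen.add(key)
                        hits.append(key)
    return hits

if __name__ == "__main__":
    for hit in find_staged_c2_sequences(SAMPLE_LOG):
        print("suspect two-stage beacon:", hit)
```

The window and port list are tuning knobs; a legitimate blog reader followed by an HTTPS connection to a CDN does not trip the check, while a repeated fetch-then-connect to the same raw IP on an odd port does.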
I can’t emphasize enough that no vulnerabilities in WordPress were used to carry out these attacks. This report shows that cloud services such as Dropbox and websites such as WordPress.com, which are usually whitelisted, are being used as infrastructure to carry out attacks. I encourage you to read the full report, as it breaks down the process step by step.