Victim Machine has joined #general: Using Third-Party APIs as C&C Infrastructure

  • Posted on: June 6, 2017 at 5:05 am
  • Posted in: Exploits, Vulnerabilities
  • Author:
    Stephen Hilt and Lord Alfred Remorin (Senior Threat Researchers)

Imagine an experienced security analyst at a major company going through his normal routine of checking logs at the end of the workday. A quick look at the company’s security solution logs reveals nothing too peculiar or alarming — except for one thing: a higher than normal amount of traffic to the office’s newly introduced third-party chat platform.

He doesn’t give this much thought. After all, the company has been pushing to make the chat platform the main office communication tool, so it makes sense that there would be more traffic than usual. The security analyst calls it a day and goes home.

On the way home, however, he gets an alert: the security scanner has detected a potential security issue. He returns to the office and finds what appears to be the cause: a machine was flagged downloading known malicious files, which were then caught by the company’s security solution. Again, nothing too strange, but he decides to investigate just what triggered the malicious behavior.

His investigation yields something interesting in the traffic logs: a steady stream of network traffic from the machine to the chat platform during a time when no one was using the system itself. In fact, there is no record of this chat platform being visited in the machine’s browser history, or of the user logging on to the chat platform. Not only that, the system has been sending and receiving about an entire gigabyte’s worth of data to and from the chat platform.

After further analysis the security analyst finally identifies the culprit: a Word file with a malicious macro embedded in it, a macro that turns out to be executing code that uses the company’s chat platform as command-and-control infrastructure. Had the attacker not pushed his luck and forced a malware download, this infiltration could have gone undetected in the office network for a long time.
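The signals the analyst relied on above (traffic to the chat platform outside working hours, no legitimate client involved, a fixed-interval stream, and a large data volume) can be scored from proxy logs. The following is an added example written for this post, not code from Trend Micro or the referenced paper; the log format, the platform hostnames, the client user-agent prefixes and the thresholds are all assumptions for illustration, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: API hostnames of the chat platforms the organisation sanctions.
CHAT_API_HOSTS = {"slack.com", "api.telegram.org", "discordapp.com"}
# Assumption: user-agent prefixes presented by the legitimate desktop/browser clients.
KNOWN_CLIENT_AGENTS = ("Slack/", "Mozilla/", "Discord/")
BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 local time
VOLUME_THRESHOLD = 100 * 1024 * 1024   # bytes per host per day (assumed threshold)

# Constructed proxy log lines: timestamp, source host, destination, user-agent, bytes out, bytes in.
SAMPLE_LOG = """\
2017-06-05T09:12:01 WS-ANALYST-01 slack.com Mozilla/5.0 1200 9400
2017-06-05T10:47:33 WS-ANALYST-01 slack.com Slack/2.5 800 3100
2017-06-05T23:05:00 WS-FINANCE-07 slack.com python-requests/2.14 2048 640
2017-06-05T23:05:30 WS-FINANCE-07 slack.com python-requests/2.14 2048 640
2017-06-05T23:06:00 WS-FINANCE-07 slack.com python-requests/2.14 2048 640
2017-06-05T23:06:30 WS-FINANCE-07 slack.com python-requests/2.14 2048 640
"""

def parse(line):
    ts, host, dest, agent, out_b, in_b = line.split()
    return datetime.fromisoformat(ts), host, dest, agent, int(out_b), int(in_b)

def score_hosts(log_text):
    """Return {host: [reasons]} for hosts whose chat-platform traffic looks machine-driven."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec[2] in CHAT_API_HOSTS:            # only traffic to the chat platforms matters here
            per_host[rec[1]].append(rec)
    findings = {}
    for host, recs in per_host.items():
        recs.sort(key=lambda r: r[0])
        reasons = []
        off_hours = sum(1 for r in recs if r[0].hour not in BUSINESS_HOURS)
        if off_hours == len(recs):
            reasons.append("all chat-platform traffic outside business hours")
        if any(not r[3].startswith(KNOWN_CLIENT_AGENTS) for r in recs):
            reasons.append("non-client user agent talking to chat API")
        if len(recs) >= 4:                      # beaconing: near-constant gap between requests
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
            if max(gaps) - min(gaps) <= 2:
                reasons.append(f"fixed-interval beacon (~{gaps[0]:.0f}s)")
        if sum(r[4] + r[5] for r in recs) > VOLUME_THRESHOLD:
            reasons.append("unusually large data volume exchanged with chat API")
        if reasons:
            findings[host] = reasons
    return findings
```

No single signal is conclusive on its own, since legitimate integrations also call these APIs from scripts; the value lies in combining them per host and reviewing what is flagged.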

An Unexpected Vulnerability Amid Convenience

Companies and groups have for some time been shifting from traditional communication methods (such as email and IRC) to modern chat platforms like Slack, Discord, and Telegram. Not only are these newer applications low in overhead, but they also allow integration of customized apps and scripts through their APIs — a feature that can boost employee efficiency and streamline workflows.

Unfortunately, attackers have also begun to abuse these platforms as command-and-control infrastructure, exploiting the very trait that makes the platforms attractive to use.


Figure 1. A typical command-and-control server flowchart

This is not a mere worst-case scenario — it has actually been seen to take place in the wild, mostly with ransomware variants. The functionality meant to bring collaboration and integration to enterprise applications — their customizable API — can be and has been abused by attackers. One variant in particular that has been spotted doing exactly this is TeleCrypt, which uses Telegram to communicate to its author that it has successfully infiltrated (and infected) a new system, as well as to relay other information necessary for payment and decryption.

What makes this revelation about chat platforms a serious security issue that must be considered is that there is currently no way to secure the usage of such chat platforms without disabling the functionality that makes them useful. There is also no way, from the connection alone, to distinguish a malicious connection to these platforms from a legitimate one.

Unexpected, but Not Unsolvable

Is it a hopeless cause, then? Not entirely. Safe usage practices can still offer at least a modicum of protection against any threat that may come through these applications, and the potential abuse that their functionality presents does not in any way undermine their usefulness as communication and organization tools for businesses.

A security solution protecting networks and endpoints is also crucial to preventing any malware from infecting systems inside the network.

The full technical details of this research and its results can be found in our latest research paper, “How Cybercriminals Abuse Chat Program APIs as Command-and-Control Infrastructure.” In it you will find an in-depth analysis of the three most popular third-party chat platforms that are also used in part for corporate communications, along with actual case studies of malware we have found to be already abusing chat platform APIs, proving that the above scenario is in fact not only possible, but also inevitable.

Tags: API, Chat Program API, Discord, Slack, Telegram
