Over the past decade billions of us have taken to using third-party services — which we often get access to for free in exchange for our privacy — to promote ourselves, our businesses or to even launch new businesses.
Cyber criminals never miss an opportunity. So as social networks have improved their encryption to protect users’ personal data, attackers have used the platforms as a means to stay in contact with their malware, F-Secure Labs Researcher Artturi Lehtiö has discovered.
“If I had to put it in a nutshell, I’d say that attackers are using certain third party services to help them fly under the radar of corporate security,” he explained.
Lehtiö is the author of a new white paper on the phenomenon of attackers — including the Russian-backed criminals who authored the family of advanced persistent threats known as The Dukes — abusing third-party web services as command and control channels for malware. (If you’re interested in a top-level introduction to his findings, check out his presentation from VB2015 in Prague.)
So, yes, criminals are using sites like Twitter to tell their malware what data to steal.
Here’s what that looks like on the site:
These aren’t the bad links that lead to infections that used to plague Twitter, they’re something far more devious.
“If OnionDuke is unable to contact the primary C&C server specified in its configuration, it will attempt to search for Tweets from the configured Twitter account, expecting them to contain links to image files embedded with updated versions of itself,” Artturi writes in the white paper.
Artturi explained to me that these images are “valid, functioning image files that just have extra data at the end. That data looks like garbage unless you know to look for it and know how to decrypt it.”
As he explained, the point of the strategy is to fly under the radar.
“It’s highly unlikely for anyone to accidentally come across these things,”Artturi said. “Even if you’re looking for them, they can be hard to find. And, attackers often try to make the tweets look as innocuous as possible, so you might not realize there is something fishy going on even if you saw it.”
This is wily yet public strategy offers certain disadvantages, of course.
“Once attacker-controlled Twitter accounts, Tumblr accounts, or whatever the attackers are using, are identified, defenders and researchers can monitor them just as easily as the malware can.”
And that’s exactly what Artturi has been doing.
To commemorate F-Secure’s 30th year of innovation, we’re profiling 30 of our fellows from our more than…
July 12, 2018