Victim Machine has joined #general: Using Third-Party APIs as C&C Infrastructure
Imagine a well-experienced security analyst at a major company going through his normal routine of checking logs at the end of the workday. A quick look at the company’s security solution logs reveals nothing too peculiar or alarming — except for one thing: a higher than normal amount of traffic to the office’s newly introduced third-party chat platform.
He doesn’t give this much thought. After all, the company’s been pushing to have the chat platform as the main office communication tool, so it makes sense that there’d be more traffic than usual. The security analyst calls it a day and goes home.
On the way home, however, he gets an alert: the security scanner has detected a potential security issue. He returns to the office and finds what appears to be the cause: a machine was flagged downloading known malicious files, which were then caught by the company’s security solution. Again, nothing too strange, but he decides to investigate just what triggered the malicious behavior.
His investigation yields something interesting in the traffic logs: a steady stream of network traffic from the machine to the chat platform, during a time when no one was using the system itself. In fact, there is no history of this chat platform being visited in the unit’s browser history, or of the user logging onto the chat platform. Not only that, the system has been sending and receiving about an entire gigabyte’s worth of data to and from the chat platform.
After further analysis the security analyst finally identifies the culprit: a Word file with a malicious macro embedded in it, a macro that turns out to be executing code that uses the company’s chat platform as a command-and-control infrastructure. If it wasn’t for the attacker pushing his luck and forcing a malware download, this infiltration could have gone undetected in the office network for a long time.
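The three tells the analyst relies on (API traffic from a host that never opened the chat client, traffic outside working hours, and a gigabyte-scale transfer volume) can be turned into a simple triage heuristic over proxy logs. This is an added example, not code from the original post; the log format, the domain names, the hosts and the thresholds are constructed assumptions.

```python
"""Score per-host traffic to a chat platform with the three tells from the scenario
above. Added example, not from the original post; domains, thresholds and the
log lines are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: ISO timestamp, source host, destination, bytes transferred
SAMPLE_LOG = """\
2017-02-10T09:15:02 ws-101 chat.example.com 18234
2017-02-10T09:16:40 ws-101 api.chat.example.com 2048
2017-02-10T13:02:11 ws-102 api.chat.example.com 6100
2017-02-10T14:45:09 ws-102 chat.example.com 9500
2017-02-10T23:05:31 ws-117 api.chat.example.com 52428800
2017-02-11T02:10:12 ws-117 api.chat.example.com 734003200
2017-02-11T03:40:55 ws-117 api.chat.example.com 314572800
"""

API_DOMAIN = "api.chat.example.com"   # assumed API endpoint (what scripts and bots call)
WEB_DOMAIN = "chat.example.com"       # assumed interactive web UI (what a person opens)
WORK_HOURS = range(8, 19)             # 08:00-18:59: someone is expected at the keyboard
VOLUME_THRESHOLD = 500 * 1024 * 1024  # bytes to the API from one host before we care

def parse_log(text):
    """Yield (timestamp, host, destination, bytes) tuples from the proxy log."""
    for line in text.splitlines():
        ts, host, dest, size = line.split()
        yield datetime.fromisoformat(ts), host, dest, int(size)

def score_hosts(text):
    """Return per-host API stats plus the list of heuristics each host trips."""
    stats = defaultdict(lambda: {"api_bytes": 0, "off_hours": 0, "ui_hits": 0})
    for ts, host, dest, size in parse_log(text):
        if dest == API_DOMAIN:
            stats[host]["api_bytes"] += size
            if ts.hour not in WORK_HOURS:
                stats[host]["off_hours"] += 1
        elif dest == WEB_DOMAIN:
            stats[host]["ui_hits"] += 1
    report = {}
    for host, s in stats.items():
        flags = []
        if s["api_bytes"] and not s["ui_hits"]:
            flags.append("api_without_ui")  # API traffic but nobody opened the chat client
        if s["off_hours"]:
            flags.append("off_hours")       # API calls while the desk should be empty
        if s["api_bytes"] >= VOLUME_THRESHOLD:
            flags.append("high_volume")     # the gigabyte-scale transfer from the story
        report[host] = dict(s, flags=flags)
    return report
```

Only ws-117 trips all three heuristics; the two hosts whose API calls sit next to an interactive session during the day produce no flags.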
An Unexpected Vulnerability Amid Convenience
Companies and groups have long been involved in a shift from typical communication methods (such as email and IRC) to modern chat platforms like Slack, Discord, and Telegram. Not only are these newer applications easy on the overhead, but they also allow integration of customized apps and scripts through their APIs — a feature that can boost employee efficiency and streamline workflows.
Unfortunately, attackers have also begun to abuse these platforms as command-and-control infrastructures, by exploiting the very trait that makes the platforms attractive to use.
Figure 1. A typical command-and-control server flowchart
This is not a mere worst-case scenario — this has been seen to actually take place in the wild, mostly with ransomware variants. The functionality meant to bring collaboration and integration to enterprise applications — their customizable API — can be and has been abused by attackers. One variant in particular that has been observed doing exactly this is TeleCrypt, which uses Telegram to communicate to its author that it has successfully infiltrated (and infected) a new system, as well as to relay other information necessary for payment and decryption.
What makes this particular revelation about chat platforms a serious security issue that must be considered is that there is currently no way to secure the usage of such chat platforms without killing their functionality. There is also no way to distinguish between a malicious connection to these platforms and a legitimate one.
Unexpected, but Not Unsolvable
Is it a hopeless cause, however? Not entirely. Safe usage practices can still offer at least a modicum of protection against any threat that may come through these applications, and the potential abuse that their functionality presents does not in any way undermine their usefulness as communication and organization tools for businesses.
A security solution protecting networks and endpoints is also crucial to preventing any malware from infecting systems inside the network.
The entire technical details of this research and its results can be found in our latest research paper, “How Cybercriminals Abuse Chat Program APIs as Command-and-Control Infrastructure.” In it you will find an in-depth analysis of the three most popular third-party chat platforms that are in part also used for corporate communications, along with actual case studies with malware we have found to be already abusing chat platform APIs, proving that the above scenario is in fact not only possible, but also inevitable.
Post from: Trendlabs Security Intelligence Blog – by Trend Micro