By Antone Gonsalves, CSO | August 7th, 2014
A group of innovative hackers used free services from Google and an Internet infrastructure company to disguise data stolen from corporate and government computers, a security firm reported.
FireEye discovered the campaign, dubbed Poisoned Hurricane, in March while analyzing traffic originating from systems infected with a remote access tool (RAT) the firm called Kaba, a variant of the better known PlugX.
The compromised computers were discovered in multiple U.S. and Asian Internet infrastructure service providers, a financial institution and an Asian government organization. FireEye did not disclose the name of the victims.
The unidentified hackers had used spear-phishing attacks to compromise the systems and then used the malware to steal sensitive information and send it to remote servers, FireEye said.
What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Fremont, Calif.-based, Hurricane Electric.
In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com and outlook.com.
“It was a novel technique to hide their traffic,” Ned Moran, senior threat intelligence researcher for FireEye, said Thursday.
The attackers’ tactics were clever enough to trick a network administrator into believing the traffic was headed to a legitimate site, Moran said.
The malware disguised its traffic by including forged HTTP headers of legitimate domains. FireEye identified 21 legitimate domain names used by the attackers.
In addition, the attackers signed the Kaba malware with a legitimate certificate from a group listed as the “Police Mutual Aid Association” and with an expired certificate from an organization called “MOCOMSYS INC.”
In the case of Google Developers, the attackers used the service to host code that decoded the malware traffic to determine the IP address of the real destination and then redirect the traffic to that location.
Google Developers, formerly called Google Code, is the search engine’s Web site for software development tools, application programming interfaces (APIs) and documentation on working with Google developer products. Developers can also use the site to share code.
With Hurricane Electric, the attacker took advantage of the fact that its domain name servers were configured, so anyone could register for a free account with the company’s hosted DNS service.
The service allowed anyone to register a DNS zone, which is a distinct, contiguous portion of the domain name space in the DNS. The registrant could then create A records for the zone and point them to any IP address.
In addition, Hurricane did not check whether newly created zones were already registered or owned by other parties, FireEye said.