Cybercriminals increasingly manipulate reputable platforms such as Google Drive, OneDrive, Notion, and GitHub to camouflage their malicious activities within regular web traffic. This tactic not only boosts their data theft capabilities but also undermines conventional security measures.
The trend of exploiting these trusted platforms (also referred to as LIS, for Legitimate Internet Services) is on the rise, with elite cyber threat groups leading the way and smaller groups quickly adopting similar strategies. This shift emphasizes the importance of a continually adapting defense strategy that keeps pace with these evolving threats.
In 2023, it is not rare for malware and cybercriminals to exploit legitimate online platforms like Telegram, GitHub, or OneDrive for their command and control (C2) infrastructure. This strategy not only counters the repeated takedown of their domains and servers but also helps them blend into regular traffic. As a result, security teams now have to monitor not only for outright malicious activity but also for the potential misuse of legitimate platforms.
Benefits for Cybercriminals
Using these platforms offers several advantages to cybercriminals:
- Simplified server setup processes.
- Cost savings on hosting and registration.
- Enhanced operational security.
- High uptime and reliability.
- Easy registration processes with limited detection possibilities.
However, these benefits pose challenges for security teams:
- Difficulty in blocking communications due to widespread legitimate use.
- Challenges in detecting encrypted communications.
- The risk of false positives when blocking widely used services.
- Tracking and attributing threat activities becomes more complex.
Analysis of LIS Infrastructure Tactics
Attackers have developed various methods to exploit LIS, which can be broadly categorized into four primary strategies. These strategies, while distinct, can sometimes overlap in their functionalities and can be combined in different ways.
1. Comprehensive C2 Communication
In this method, there is no direct communication between the attacker and the malware. Instead, they use an intermediary, often termed an “abstraction layer.” Platforms like GitHub or Mastodon often serve this purpose. Essentially, any service with an open API that allows data to be read and written programmatically can act as this intermediary.
2. Dead Drop Strategy
This strategy, often abbreviated as DDR (dead drop resolver), involves malware programmed to fetch its actual C2 server details from an online service. The term “dead drop” is borrowed from espionage practices, where an agent discreetly leaves information at a hidden spot. While the C2 details (such as IP addresses or domains) are sometimes openly visible (for instance, Vidar C2 details on Mastodon profiles), attackers often use encryption, encoding, or steganography to make detection difficult. Unlike the Comprehensive C2 method, the malware communicates directly with the C2 server once it has fetched the necessary details. Platforms that allow data access, like YouTube or Steam Community, are commonly used for this purpose.
3. Payload Distribution
Attackers exploit LIS to distribute malicious payloads. Given that these services are platforms where data, including text and binaries, can be shared and stored, they become prime targets due to their widespread use and easy access. Any platform that permits data access can be used for this purpose. For instance, Pastebin might be used to fetch encoded data, Google Drive to store encrypted payloads, or Discord to distribute certain malware like the WhisperGate wiper.
4. Data Exfiltration
LIS can also be used to siphon off data. Any service that allows data to be written or sent can be exploited for this. This includes platforms with open APIs, as when Snake Keylogger uses the Telegram Bot API, and email services, as when Darkstealer sends data via SMTP. Notably, even when the malware does not use them directly, ransomware campaigns may use legitimate cloud storage platforms, such as mega.io or MegaSync, to exfiltrate data.
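The Dead Drop and Data Exfiltration patterns above leave a recognizable trace in web proxy logs: a read from a paste site followed shortly by a direct connection to a bare IP, or a POST to a LIS write endpoint such as the Telegram Bot API. The following detector is an added example, not code from the original article; the log format, host names, IP addresses and bot token are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the original article): "<timestamp> <host> <method> <url>"
SAMPLE_LOG = """\
2023-09-01T10:00:01 ws-17 GET https://pastebin.com/raw/AbCdEf12
2023-09-01T10:00:04 ws-17 POST http://203.0.113.45:8080/gate.php
2023-09-01T10:05:10 ws-22 GET https://github.com/octocat/hello-world
2023-09-01T10:06:00 ws-22 POST https://api.telegram.org/bot000000000:EXAMPLE_TOKEN/sendDocument
2023-09-01T11:00:00 ws-09 GET https://drive.google.com/file/d/abc/view
2023-09-01T11:30:00 ws-09 POST http://198.51.100.7/upload
"""

# Paste-site URLs that malware reads to resolve its real C2 (the DDR pattern).
PASTE_RE = re.compile(r"https?://(pastebin\.com/raw/|paste\.ee/)", re.I)
# LIS write endpoints used for exfiltration: Telegram Bot API send* methods and Discord webhooks.
EXFIL_RE = re.compile(
    r"https?://(api\.telegram\.org/bot[^/]+/send\w+|discord(app)?\.com/api/webhooks/)", re.I)
# A bare IPv4 host: the direct C2 contact that follows a dead drop lookup.
BARE_IP_RE = re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?/", re.I)
DDR_WINDOW = timedelta(seconds=60)  # assumed correlation window between lookup and C2 contact

def parse_log(text):
    """Turn each log line into (timestamp, host, method, url)."""
    rows = []
    for line in text.splitlines():
        ts, host, method, url = line.split(" ", 3)
        rows.append((datetime.fromisoformat(ts), host, method, url))
    return rows

def detect(rows):
    """Return (host, rule, url) alerts for LIS exfil endpoints and DDR-then-direct-IP sequences."""
    alerts = []
    last_paste_fetch = {}  # host -> timestamp of its most recent paste-site read
    for ts, host, method, url in sorted(rows):
        if method == "POST" and EXFIL_RE.match(url):
            alerts.append((host, "lis_exfil_endpoint", url))
        if PASTE_RE.match(url):
            last_paste_fetch[host] = ts
        elif BARE_IP_RE.match(url) and host in last_paste_fetch \
                and ts - last_paste_fetch[host] <= DDR_WINDOW:
            alerts.append((host, "ddr_then_direct_ip_c2", url))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

In the sample, ws-09 reads from Google Drive and later posts to an IP outside the window, so it is not flagged; tuning the window and the paste-site list is what keeps the false-positive rate tolerable on real traffic.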
Infostealers Lead in Exploiting LIS Among Malware Types
Based on the data spanning from 2021 to 2022, it’s evident that a significant portion of malware families utilize LIS as a part of their infrastructure. Among the various malware categories, infostealers are notably more prevalent in abusing LIS. On the other hand, categories like mobile malware, RATs/backdoors, and loaders/droppers are less likely to exploit LIS.
Several factors might explain why infostealers are more prone to misusing legitimate services than other malware types. Primarily, infostealers play a pivotal role in the ever-evolving cybercrime landscape and are often at the forefront of new tactics. Their main goal is data exfiltration, in contrast to the interactive control a remote access trojan (RAT) needs. This means infostealers typically have simpler infrastructure needs, which can be met by tapping into publicly available APIs. Additionally, many infostealers are marketed on underground and dark web platforms to buyers who may not be technically adept, which puts a premium on infrastructure that is easy to set up.
Several malware families that exploit legitimate services tend to misuse multiple LIS for various purposes. For instance, MoqHao has been spotted sourcing C2 details via DDR from user profiles on platforms like Imgur, Baidu, VKontakte (VK), Rotten Tomatoes, Live Journal, and Pinterest. In a similar vein, Vidar has been linked to platforms like TikTok, Mastodon, Telegram, Tumblr, and Steam Community for DDR purposes. PrivateLoader, on the other hand, has been seen using Pastebin for DDR and, subsequently, Discord or VK for the final stages of payload distribution.
Cloud Storage Platforms Lead in LIS Misuse, with Pastebin Dominating
Among the various LIS categories, cloud storage platforms like Google Drive are the primary targets for misuse, with 43 malware families exploiting these platforms, according to our data. They are followed by messaging apps, which are exploited by 30 malware families, then email services (14) and social media platforms (13). The vast array of services offered by cloud storage providers, their seamless integration into corporate settings for genuine use, and the simplicity of their deployment are likely the main reasons for their widespread misuse.
Digging deeper into the cloud storage category, Pastebin is the most exploited service. Notably, half of these instances are linked to RATs and backdoors. In most scenarios, Pastebin is used for DDR or for delivering payloads. While paste[.]ee offers services akin to Pastebin, it has been flagged in considerably fewer instances. Trailing Pastebin are Google Drive and Dropbox. Google Drive has been identified in scenarios such as full C2 operations (e.g., with GIMMICK) and payload delivery (e.g., with GuLoader). In contrast, Dropbox is primarily used for data exfiltration, as seen with the DropBook backdoor by Molerats, although it is also employed for C2 communications and payload delivery, as evidenced by NOBELIUM/BlueBravo’s activities.
Telegram Tops the List of Misused Messaging Apps
Looking closely at messaging applications, the second most frequently exploited LIS category, Telegram clearly leads the pack, with Discord next. Both platforms are free, popular with both potential victims and the cybercrime community, difficult to block, and notably easy to use through their APIs. Firebase Cloud Messaging stands out for its limited misuse, such as Donot’s Firestarter. According to our data, Slack is primarily exploited by tools developed by security professionals, such as Slackor; however, other research indicates that APT groups, including APT29, have misused Slack.
Notably, a significant proportion of cases involving Telegram and Discord are linked to infostealers. There are few instances of non-infostealers exploiting Telegram or Discord for malicious ends: for example, PrivateLoader used Discord for final payload delivery until mid-2022, and Discord was misused in the WhisperGate attacks targeting Ukraine mentioned earlier. Why other malware types do not exploit Telegram and Discord as much remains uncertain, but these platforms are believed to suit infostealers particularly well because they offer a straightforward channel for data exfiltration.