While keen to point out that Microsoft's TechNet portal security was "in no way compromised" by the tactic, researchers with security outfit FireEye discovered that a well established China-based hacking campaign called Deputy Dog had managed to create profiles and posts on TechNet that contained embedded Command and Control codes for use with a BlackCoffee malware variant.
This method of hiding in plain sight is nothing new, but it can make detection problematical as the data (especially within a technical forum such as TechNet) is simply 'lost' in a sea of similar code from genuine users of a well respected and therefore assumed to be safe site.
The technique may, however, have backfired having been detected. The FireEye researchers have been working with the Microsoft Threat Intelligence Center to inject their own data onto some of those TechNet pages and use this to gain insight into how the malware, and the people behind it, operate. Ultimately, this will make both identification of infected forum systems and the cleansing thereof much easier.
Tim Erlin, Director of Product Management at Tripwire, warns that while using a legitimate website to distribute malicious data is nothing new "the addition of obfuscation here is a twist that makes detection just that much harder" and points out that "any website that allows for public comments to be submitted is already monitoring for abuse, but they can only detect what they’re actually looking for. Now that this technique has been surfaced, website administrators will adapt to identify it, and the criminals will have to shift again to avoid detection."