How Cybercriminals Exploit Legitimate Internet Services for Malicious Purposes

Cybercriminals increasingly manipulate reputable platforms such as Google Drive, OneDrive, Notion, and GitHub to camouflage their malicious activities within regular web traffic. This tactic not only boosts their data theft capabilities but also undermines conventional security measures.

The trend of exploiting these trusted platforms, also referred to as Legitimate Internet Services (LIS), is on the rise: elite cyber threat groups lead the way and smaller groups quickly adopt similar strategies. This shift emphasizes the importance of a defense strategy that continually adapts to keep pace with these evolving threats.

Key Insights

  • Infostealers, which aim to extract data, are the primary culprits, with 37% exploiting these services. Their preference likely stems from their primary goal of data extraction, combined with the ease of setting up these platforms, especially for operators with limited technical skills.
  • The purpose for which a malware family abuses LIS follows its category: 72% of infostealers use these platforms for data exfiltration, while 71% of loaders use them for payload delivery.
  • Cloud storage services like Google Drive are the most abused among all the platforms, followed by messaging apps, email services, and social media platforms.
  • Telegram emerges as the top messaging platform exploited by malware, with infostealers being the primary culprits.

In 2023 it is no longer rare for malware operators to use legitimate online platforms such as Telegram, GitHub, or OneDrive as command-and-control (C2) infrastructure. This strategy both counters the constant takedown of their own domains and servers and lets their traffic blend into regular activity. Security teams therefore have to monitor not only for outright malicious activity but also for misuse of legitimate platforms.

Benefits for Cybercriminals

Using these platforms offers several advantages to cybercriminals:

  • Simplified server setup processes.
  • Cost savings on hosting and registration.
  • Enhanced operational security.
  • High uptime and reliability.
  • Easy registration processes with limited detection possibilities.

However, these benefits pose challenges for security teams:

  • Difficulty in blocking communications due to widespread legitimate use.
  • Challenges in detecting encrypted communications.
  • The risk of false positives when blocking widely used services.
  • Tracking and attributing threat activities becomes more complex.

Analysis of LIS Infrastructure Tactics

Attackers have developed various methods to exploit LIS, which fall into four primary strategies. Although distinct, these strategies sometimes overlap in functionality and can be combined in different ways.

1. Comprehensive C2 Communication

In this method there is no direct communication between the attacker and the malware. Instead, both sides talk to an intermediary, often termed an “abstraction layer”; platforms like GitHub or Mastodon often serve this purpose. Essentially, any service with an open API that allows data to be read and written programmatically can act as this intermediary.

2. Dead Drop Strategy

This strategy, commonly abbreviated DDR (Dead Drop Resolver), involves malware that fetches its actual C2 server details from an online service. The term “dead drop” is borrowed from espionage, where an agent discreetly leaves information at a hidden spot. Sometimes the C2 details (IP addresses or domains) are posted openly, as with Vidar C2 details on Mastodon profiles, but attackers often apply encryption, encoding, or steganography to make detection difficult. Unlike the Comprehensive C2 method, once the malware has fetched the necessary details it communicates directly with the C2 server. Platforms that allow data to be read, like YouTube or Steam Community, are commonly used for this purpose.

3. Payload Distribution

Attackers exploit LIS to distribute malicious payloads. Because these services exist to store and share data, including text and binaries, and are widely used and easy to reach, they are well suited to the task. Any platform that permits data to be read can be used this way: Pastebin to fetch encoded data, Google Drive to store encrypted payloads, or Discord to distribute malware such as the WhisperGate wiper.

4. Data Exfiltration

LIS can also be used to siphon off data. Any service that allows data to be written or sent can be exploited for this: platforms with open APIs, as when Snake Keylogger uses the Telegram Bot API, or email services, as when Darkstealer sends data via SMTP. Even when the malware itself does not use them, ransomware campaigns may use legitimate cloud storage platforms such as mega.io or MegaSync to exfiltrate data.

Infostealers Lead in Exploiting LIS Among Malware Types

Based on the data spanning from 2021 to 2022, it’s evident that a significant portion of malware families utilize LIS as a part of their infrastructure. Among the various malware categories, infostealers are notably more prevalent in abusing LIS. On the other hand, categories like mobile malware, RATs/backdoors, and loaders/droppers are less likely to exploit LIS.

Several factors might explain why infostealers are more prone to misuse legitimate services than other malware types. Primarily, infostealers play a pivotal role in the ever-evolving landscape of cybercrime, often being at the forefront of innovative tactics. Their main goal is data exfiltration, unlike the interactive functionality of remote access trojans (RATs), so infostealers typically have simpler infrastructure needs, which publicly available APIs can meet. Additionally, many infostealers are marketed on underground and dark web platforms to individuals who may not be technically adept, which makes an easy-to-set-up infrastructure a selling point.

Several malware families that exploit legitimate services tend to misuse multiple LIS for various purposes. For instance, MoqHao has been spotted sourcing C2 details via DDR from user profiles on platforms like Imgur, Baidu, VKontakte (VK), Rotten Tomatoes, Live Journal, and Pinterest. In a similar vein, Vidar has been linked to platforms like TikTok, Mastodon, Telegram, Tumblr, and Steam Community for DDR purposes. PrivateLoader, on the other hand, has been seen using Pastebin for DDR and, subsequently, Discord or VK for the final stages of payload distribution.

Cloud Storage Platforms Lead in LIS Misuse, with Pastebin Dominating

Among the various LIS categories, cloud storage platforms like Google Drive are the most frequently misused, with 43 malware families exploiting them according to our data. They are followed by messaging apps, which are exploited by 30 malware families, then email services (14) and social media platforms (13). The vast array of services offered by cloud storage providers, their seamless integration into corporate settings for genuine use, and the simplicity of their deployment are likely the main reasons for their widespread misuse.

Digging deeper into the cloud storage category, Pastebin is the most exploited service. Notably, half of these instances are linked to RATs and backdoors. In most scenarios, Pastebin is utilized for DDR or delivering payloads. While paste[.]ee offers services akin to Pastebin, it’s been flagged in considerably fewer instances. Trailing Pastebin are Google Drive and Dropbox. Google Drive has been identified in scenarios like full C2 operations (e.g., with GIMMICK) and payload deliveries (like with GuLoader). In contrast, Dropbox is primarily used for data exfiltration, as seen with the DropBook backdoor by Molerats. Still, it’s also employed for C2 communications and payload deliveries, as evidenced by NOBELIUM/BlueBravo’s activities.

Telegram Tops the List of Misused Messaging Apps

Upon closely examining the messaging applications, which rank as the second most frequently exploited LIS category, it’s clear that Telegram leads the pack. Discord comes next. Both these platforms are free, popular among potential victims and the cybercrime community, challenging to restrict, and their APIs are notably user-friendly. Firebase Cloud Messaging stands out with limited misuse instances, like Donot’s Firestarter. According to our data, Slack is primarily exploited by tools developed by security experts, such as Slackor. However, other studies indicate that APT groups, including APT29, have misused Slack.

Notably, a significant proportion of cases involving Telegram and Discord are linked to infostealers. There are few instances where non-infostealers exploit Telegram or Discord for malicious intent; exceptions include PrivateLoader, which used Discord for final payload delivery until mid-2022, and the previously mentioned use of Discord in the WhisperGate attacks targeting Ukraine. Why other malware types do not exploit Telegram and Discord as much remains uncertain, but these platforms are believed to suit infostealers particularly well because of their straightforward data exfiltration features.

Social Media Platforms: A Hotspot for C2 Misuse

Social media platforms rank fourth among LIS categories by frequency of misuse. The category is diverse, with numerous distinct services observed; Steam Community and YouTube are the most frequently abused. One reason for the prevalent misuse of the Steam Community might be the lenient stance of its parent company, Valve, regarding content removal. As noted by Emerging Threats, when Steam Community was approached about a C2 distribution method linked to Vidar, the platform decided that the value of allowing users to share information via their profiles was more significant than addressing potentially abusive accounts.

Recommendations

In the short term, security teams should monitor or restrict legitimate internet services that are not essential for their operations but are known to be exploited for malicious purposes. For a long-term strategy, companies should focus on understanding their employees’ legitimate use of these services and the potential for misuse. This understanding paves the way for more refined detection systems, enhancing overall organizational security. Additionally, technologies like TLS network interception are becoming more relevant: they offer better visibility but introduce new privacy and compliance challenges.

In summary:

  • Evaluate and block non-essential online services.
  • Monitor specific service usage and understand the context.
  • Implement advanced detection mechanisms.
  • Engage in proactive threat hunting.
  • Simulate attacks to assess detection capabilities.
  • Collaborate with online service providers to counter malicious activities.
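As an added illustration of the monitoring these recommendations call for, and of the four LIS tactics described earlier, here is a small Python triage script written for this page rather than taken from the report. It runs over constructed proxy log records, maps hosts to the report's LIS categories (the domain lists are my own short mapping of services the report names, not the report's data) and flags the request shapes the tactics section describes: non-browser clients talking to a LIS, Telegram Bot API send* calls, and raw Pastebin fetches.

```python
import re

# LIS categories as the report groups them, limited to services the report names (assumed domains).
LIS_CATEGORIES = {
    "cloud_storage": {"pastebin.com", "drive.google.com", "www.dropbox.com", "mega.io"},
    "messaging": {"api.telegram.org", "discord.com", "cdn.discordapp.com"},
    "social_media": {"steamcommunity.com", "www.youtube.com", "mastodon.social"},
}
HOST_TO_CATEGORY = {h: c for c, hosts in LIS_CATEGORIES.items() for h in hosts}

# Browser UAs start with Mozilla/5.0 and carry an engine token; anything else talking to a LIS
# (HTTP libraries, blank UAs, stale MSIE strings) deserves a look. A heuristic, not proof.
BROWSER_UA = re.compile(r"^Mozilla/5\.0 .*\b(Chrome|Firefox|Safari|Edg)/\d")
# Telegram Bot API calls look like /bot<token>/<method>; send* methods push data out.
TELEGRAM_SEND = re.compile(r"^/bot[^/]+/send\w+")

def parse_line(line):
    """Split one constructed, tab-separated proxy record into a dict."""
    fields = ("ts", "client", "method", "host", "path", "user_agent")
    return dict(zip(fields, line.rstrip("\n").split("\t", 5)))

def assess(req):
    """Return why a request to a LIS looks like abuse; an empty list means clean."""
    if req["host"] not in HOST_TO_CATEGORY:
        return []                                   # not a LIS, out of scope here
    reasons = []
    if not BROWSER_UA.match(req["user_agent"]):
        reasons.append("non_browser_user_agent")
    if req["host"] == "api.telegram.org" and TELEGRAM_SEND.match(req["path"]):
        reasons.append("telegram_bot_send")         # exfiltration via the Bot API
    if req["host"] == "pastebin.com" and req["path"].startswith("/raw/"):
        reasons.append("raw_paste_fetch")           # DDR or payload retrieval
    return reasons

def scan(lines):
    """Return (host, LIS category, reasons) for every flagged record."""
    reqs = map(parse_line, lines)
    return [(r["host"], HOST_TO_CATEGORY[r["host"]], why) for r in reqs if (why := assess(r))]

# Constructed sample records: timestamp, client, method, host, path, user agent.
SAMPLE_LOG = [
    "2023-09-01T10:00:01\t10.0.0.5\tGET\tdrive.google.com\t/drive/my-drive\tMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/116.0 Safari/537.36",
    "2023-09-01T10:00:07\t10.0.0.5\tPOST\tapi.telegram.org\t/bot123456:PLACEHOLDER/sendDocument\tpython-requests/2.31.0",
    "2023-09-01T10:01:12\t10.0.0.9\tGET\tpastebin.com\t/raw/abcd1234\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "2023-09-01T10:02:30\t10.0.0.9\tGET\tsteamcommunity.com\t/id/constructed_profile\t",
    "2023-09-01T10:03:00\t10.0.0.7\tGET\twww.example.com\t/\tcurl/8.1.0",
]

if __name__ == "__main__":
    for host, category, reasons in scan(SAMPLE_LOG):
        print(f"{host:20} {category:14} {', '.join(reasons)}")
```

The browser visit to Google Drive and the curl request to a non-LIS host are left alone; only the three records matching the report's abuse patterns are surfaced, each with its LIS category for context.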