Also known as: DeputyDog
First known appearance: 2013
Threat Actors: Communist Party of China, Chinese People’s Liberation Army
Targets: U.S. government entities, the defense industry, law firms, information technology companies, mining companies and non-governmental organizations
Objective: To steal military intelligence.
Overview: Confident in its resources and skills, APT17 demonstrates the increasing use of public websites to hide attacks in plain sight. It loads malicious software directly into a computer’s memory in a way that bypasses the hard drive, making it more difficult for companies to use traditional forensic and scanning techniques to identify compromised computers.
APT17 uses Blackcoffee malware as part of the first stage of its attacks. Blackcoffee functionality includes uploading and downloading files; creating a reverse shell; enumerating files and processes; renaming, moving and deleting files; terminating processes; and expanding its functionality by adding new backdoor commands.
Associated malware: Blackcoffee
Typical attack vectors: APT17 embedded the encoded CnC IP address for the Blackcoffee malware in legitimate Microsoft TechNet profile pages and forum threads. Encoding the IP address made it more difficult to identify the true CnC address. APT17 used Blackcoffee variants to masquerade malicious communication as normal web traffic by disguising the CnC communication as queries to web search engines.
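The dead-drop resolver pattern described above (a CnC address hidden, encoded, inside an otherwise legitimate public web page) is something a defender can hunt for in proxy-cached or fetched page content. The following is an added example, not code from the original profile or from any vendor report: it scans page text for marker-delimited blobs and decodes them to IPv4 addresses. The markers (`@@CFG_START@@`, `@@CFG_END@@`), the plain hex-octet encoding and the sample profile page are all constructed assumptions for illustration and are not Blackcoffee's real markers or encoding scheme.

```python
"""Hunt for dead-drop resolver blobs in fetched web-page text.

Added example. The markers, the hex encoding and the sample page below are
constructed for this illustration and do not reproduce Blackcoffee's real
scheme; in practice the markers and decoder come from your own analysis of a
captured sample.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed, hypothetical delimiters bracketing the hidden configuration blob.
START_MARKER = "@@CFG_START@@"
END_MARKER = "@@CFG_END@@"

# Constructed sample of a forum profile body that carries one hidden blob.
# "CB007107" is the hex form of 203.0.113.7 (a documentation address).
SAMPLE_PAGE = """
<div class="profile-bio">Hi, I'm a sysadmin. Contact me via my blog.
@@CFG_START@@CB007107@@CFG_END@@
Thanks for reading!</div>
"""

# Exactly eight hex digits between the markers: four encoded octets.
BLOB_RE = re.compile(
    re.escape(START_MARKER) + r"([0-9A-Fa-f]{8})" + re.escape(END_MARKER)
)


@dataclass
class Finding:
    """One decoded resolver blob and where it sat in the page."""
    encoded: str      # raw blob as found in the page
    ip: str           # decoded dotted-quad IPv4 address
    offset: int       # character offset of the blob in the page text
    is_private: bool  # True for RFC 1918 / reserved ranges (helps triage)


def decode_hex_ip(blob: str) -> str:
    """Decode eight hex digits into a dotted-quad IPv4 string.

    Constructed encoding: two hex digits per octet, in network order.
    """
    if len(blob) != 8:
        raise ValueError("expected exactly 8 hex digits")
    octets = [int(blob[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in octets)


def scan_page(text: str) -> List[Finding]:
    """Return every marker-delimited blob in the page, decoded to an IP."""
    findings: List[Finding] = []
    for match in BLOB_RE.finditer(text):
        encoded = match.group(1)
        ip = decode_hex_ip(encoded)
        findings.append(
            Finding(
                encoded=encoded,
                ip=ip,
                offset=match.start(),
                is_private=ipaddress.ip_address(ip).is_private,
            )
        )
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f"blob {f.encoded!r} at offset {f.offset} -> {f.ip} "
              f"({'private/reserved' if f.is_private else 'routable'})")
```

Run over a corpus of cached pages, each hit is a candidate for a network block and for pivoting: any host that fetched the flagged page and then connected to the decoded address is worth a closer look.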