Criminal hackers have always abused legitimate web services such as Gmail and Facebook to do their bidding, but increasingly they are finding new ways of blending into popular applications to avoid detection and find unsuspecting victims.
An analysis of more than 400 malware families deployed over the past two years found that at least a quarter of them abused legitimate internet services in some way as part of their infrastructure, allowing malicious hackers to more easily blend in with normal traffic and complicating the job of those tasked with defending networks.
That cybercriminals and state-aligned hackers abuse legitimate web services — such as email providers, messaging services, social media platforms, photo sharing sites, and file storage and transfer services — as part of their operational infrastructure has been studied for years.
But in an analysis from Recorded Future’s Insikt Group, shared exclusively with CyberScoop, researchers attempted to categorize what types of malware most frequently abuse such services and how, offering a window into the current state of play based on activity observed in 2021 and 2022 on the Recorded Future Triage sandbox platform, as well as outside sources.
The goal is to help those tasked with defending networks better understand how such services are used and abused within their environments, hopefully helping them take a more refined and proactive approach to detections.
“An effective defense against the increasing abuse of legitimate internet services demands a nuanced approach, grounded in a comprehensive and systematic understanding of which and how these services are abused across diverse malware categories and threat actors,” said Julian-Ferdinand Vögele, a threat intelligence analyst with Recorded Future’s Insikt Group. “Using this knowledge helps in determining which services to flag or block, developing detection strategies, proactively identifying services susceptible to abuse, and employing advanced behavioral detections, all while balancing an organization’s security and operational requirements.”
Cloud storage platforms are the most abused legitimate services, followed by messaging apps, email services and social media. Pastebin, which allows users to post text that can be copied and pasted, led the way, followed by Google Drive and Dropbox.
Among messaging apps, Telegram is “by far the most common” service abused in such operations, the researchers said, followed by Discord. “Both services are free, widely used in both victim environments and the cybercriminal underground, and thus hard to block, and their APIs are also user-friendly and straightforward to use,” the researchers wrote. Other messaging services are also abused, including Slack, the ubiquitous workplace collaboration platform, which has been used as a command and control platform by hackers linked to the Russian Foreign Intelligence Service, or SVR.
Another recent example of Russian government-linked hackers abusing legitimate services came to light in January, when Recorded Future detailed how a group it tracks as BlueBravo — also known as APT29 or Nobelium — was using the productivity and collaboration service Notion as part of its operations.
In that case, the hackers were abusing Notion’s API for command and control communications via malware known as GraphicalNeutrino, which enabled the delivery of additional malware and use of the platform’s database feature to both store victim information and stage payloads for download, according to that analysis.
APT29, which is also linked to the SVR and known as one of Russia’s premier cyberespionage operators, has previously used the project management software Trello in a similar fashion, where malware both allowed for data gathering and exfiltration on specific targets and delivery of other malware to those targets, if necessary. The group has also abused Google Drive and Dropbox for various operations.
Social media platforms were the fourth-most abused category, according to the analysis, including Instagram, Mastodon, Facebook, Twitter, VKontakte (in Russia) and others.
Steam, for instance, the video game sales and community platform operated by Valve, was seen earlier this year being abused, in conjunction with Telegram, to deploy the Vidar stealer, according to an Emerging Threats writeup. According to Emerging Threats, when notified of the abuse of Steam accounts to distribute malware, Valve “concluded that it is important for users to be able to share information via their profile” and declined to take action against the accounts.
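The services named above are hard to block outright because the same hostnames carry ordinary business traffic; what is actionable is the shape of the programmatic API path (a Telegram Bot API token in the URL, a Discord webhook, a Pastebin raw fetch, a Notion API call) combined with which process made the request. The following script is an added illustration of that idea, not code from the article or from Recorded Future's research. The rule set, the log format and the log lines are all constructed for the example, and the process names are hypothetical. It parses simple proxy-style records, matches URLs against path-level signatures for the abused services discussed here, and aggregates hits per client, process and service so a beacon pattern (repeated polls plus an upload) stands out.

```python
import re

# Constructed proxy log lines for this example: timestamp, client IP, process, method, URL.
# The Telegram token and Discord webhook values are placeholders, not real credentials.
SAMPLE_LOG = """
2023-06-01T09:00:00Z 10.0.0.5 svchost.exe GET https://api.telegram.org/bot0000000000:AAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/getUpdates
2023-06-01T09:00:30Z 10.0.0.5 svchost.exe GET https://api.telegram.org/bot0000000000:AAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/getUpdates
2023-06-01T09:01:00Z 10.0.0.5 svchost.exe POST https://api.telegram.org/bot0000000000:AAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/sendDocument
2023-06-01T09:02:15Z 10.0.0.7 chrome.exe GET https://drive.google.com/drive/my-drive
2023-06-01T09:02:40Z 10.0.0.7 chrome.exe GET https://pastebin.com/raw/Ab12Cd34
2023-06-01T09:03:00Z 10.0.0.9 updater.exe POST https://discord.com/api/webhooks/1100000000000000000/abcdefghijklmnopqrstuvwxyz
2023-06-01T09:04:00Z 10.0.0.9 updater.exe GET https://pastebin.com/raw/Ab12Cd34
2023-06-01T09:05:00Z 10.0.0.11 taskhostw.exe POST https://api.notion.com/v1/databases/3f2b1c0a-1111-2222-3333-444444444444/query
2023-06-01T09:06:00Z 10.0.0.7 chrome.exe GET https://www.notion.so/workspace/page-1234
"""

# Illustrative path-level signatures (assumed for this example, not a published list).
# Hostnames alone are too noisy; each rule keys on the programmatic API surface that
# malware drives, which a human in a browser rarely touches directly.
RULES = [
    ("messaging", "telegram-bot-api",
     re.compile(r"^https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/")),
    ("messaging", "discord-webhook",
     re.compile(r"^https://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/")),
    ("cloud-storage", "pastebin-raw",
     re.compile(r"^https://pastebin\.com/raw/")),
    ("cloud-storage", "gdrive-direct-download",
     re.compile(r"^https://drive\.google\.com/uc\?")),
    ("cloud-storage", "dropbox-direct",
     re.compile(r"^https://(?:dl\.dropboxusercontent\.com/|www\.dropbox\.com/.*[?&]dl=1)")),
    ("productivity", "notion-api",
     re.compile(r"^https://api\.notion\.com/v1/")),
]

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "safari"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT|DELETE) (\S+)$")


def parse_line(line):
    """Parse one constructed log record; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, process, method, url = m.groups()
    return {"ts": ts, "client": client, "process": process, "method": method, "url": url}


def classify(url):
    """Return (category, service) for the first matching rule, or None."""
    for category, service, pattern in RULES:
        if pattern.match(url):
            return category, service
    return None


def analyze(log_text):
    """Aggregate rule hits per (client, process, service).

    A browser hitting a paste site is expected and is kept at low severity; a
    non-browser process driving a bot/webhook/API endpoint is the real signal.
    Repeated GETs plus a POST/PUT from the same process is the beacon-then-exfil shape.
    """
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hit = classify(rec["url"])
        if hit is None:
            continue
        category, service = hit
        key = (rec["client"], rec["process"], service)
        f = findings.setdefault(key, {
            "category": category,
            "severity": "low" if rec["process"].lower() in BROWSERS else "high",
            "count": 0,
            "uploads": 0,
            "first_seen": rec["ts"],
            "last_seen": rec["ts"],
        })
        f["count"] += 1
        f["last_seen"] = rec["ts"]
        if rec["method"] in ("POST", "PUT"):
            f["uploads"] += 1
    return findings


if __name__ == "__main__":
    for (client, process, service), f in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{f['severity']:<4} {client:<10} {process:<14} {service:<24} "
              f"hits={f['count']} uploads={f['uploads']} {f['first_seen']}..{f['last_seen']}")
```

Run against the constructed log, svchost.exe polling the Telegram Bot API twice and then uploading a document scores high, the Discord webhook and Pastebin fetch from updater.exe score high, and Chrome browsing Google Drive or a Notion page is not flagged at all. The token embedded in a Telegram Bot API path is itself worth extracting as an indicator, since the same token typically reappears across samples from one operator.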
The data also reveals that infostealers — designed to efficiently and quietly nab login credentials, financial details or other personal information to allow access to compromised networks or accounts — “stand out,” the researchers said, with 37% of infostealer malware families observed by Recorded Future abusing such services, for a couple of key reasons.
Infostealers are “a key element within the constantly evolving cybercrime ecosystem,” the researchers wrote, and “they often lead the way in terms of innovation.” Infostealers have lower infrastructure requirements as well, and are often sold on cybercrime forums “to operators who may lack technical expertise, making the ease of infrastructure setup an important selling point.”
Comprehensive conclusions are difficult, the researchers said, given the lack of widespread and systematic analysis of how such services are abused and who actually uses them. Even still, “there are strong indicators suggesting that this kind of abuse is increasing,” including the “rapid pace of innovation” among high-level cybercrime and state-aligned hacking groups that includes malware updates to support functionality across services, and the growing array of service platforms abused in this manner.
The researchers added that they “anticipate an increase in sophistication (in infrastructure and methods) and the continuation of [advanced persistent threat] groups leading the way in this domain, thereby causing trickle-down effects to less-sophisticated groups over time.”