August 4, 2012
* This report is written by Chris Chu, Lead Plurk Moderator
Plurk, a social networking and micro-blogging service website, has published information about a series of attempted attacks on its servers. The engineering team’s preliminary findings have revealed that at least four of the IP addresses belong to China’s military and government units.
As the Internet continues to develop, attackers keep inventing new attack methods across different platforms and techniques. According to the Dell SecureWorks Counter Threat Unit (CTU) research team, one malware family, called “Elirks”, uses Plurk’s micro-blogging service as a first-stage C2. Hackers set up phony user accounts and use them to post encoded messages containing the real C2 URL. This behavior lets the malware look innocuous in network traffic, because its activity simply appears to be regular visits to a benign site. However, when the hackers are ready to exfiltrate data or penetrate a network further, they can redirect the malware to connect to C2 servers where they can interactively log in and control the victim’s computer. For instance, the Elirks backdoor would decode “TWNHQy-ED9Pm-EF75” as “126.96.36.199:80” and would attempt to communicate with that server via HTTP. By searching for the prefix string used by Elirks and by sandboxing Elirks samples, CTU researchers were able to locate several Plurk accounts being used to feed C2 data to Elirks backdoors.
“Plurk has blocked attackers’ IP addresses from the system. We always have a professional team to observe a variety of network usages and protect users’ personal information, data security and much more!” says Danny Lin, Managing Director of Asia Pacific for Plurk Inc.
For more information about the threat analyses, go to http://www.secureworks.com/research/threats/chasing_apt/ by Dell SecureWorks.