{"682715":{"#nid":"682715","#data":{"type":"news","title":"Hiding in Plain Sight: Disrupting Malware\u2019s Secret Web Dead Drops","body":[{"value":"\u003Cdiv\u003E\u003Cdiv\u003E\u003Cp\u003EImagine a scene from an old spy movie\u2014an agent hides a coded message in a public place, then someone else picks it up later. There is no direct contact, no traceable link\u2014just a clever drop-off.\u003C\/p\u003E\u003Cp\u003ESomething similar plays out online every day, but it\u2019s hackers, not secret agents, doing the drops.\u003C\/p\u003E\u003Cp\u003EWhen a hacker uses malware to infect a device, they won\u2019t send instructions to it directly. Instead, they hide the location of their control servers inside scrambled strings of data. These encoded messages, called dead drops, are quietly stored on trusted web applications like Dropbox or Google Drive. When malware infects a device, it connects to one of these services, decodes the message, and learns where to go next\u2014without ever raising red flags.\u003C\/p\u003E\u003Cp\u003EThis method helps attackers stay under the radar by blending in with everyday web traffic on legitimate online services, but a team of cybersecurity researchers from Georgia Tech\u2019s \u003Ca href=\u0022https:\/\/cyfi.ece.gatech.edu\/\u0022\u003ECyber Forensics Innovation\u003C\/a\u003E (CyFI) Lab have developed a solution to combat this stealthy threat.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003ELed by Georgia Tech Ph.D. student \u003Ca href=\u0022https:\/\/mingxuan.ece.gatech.edu\/\u0022\u003E\u003Cstrong\u003EMingxuan Yao\u003C\/strong\u003E\u003C\/a\u003E and \u003Ca href=\u0022https:\/\/www.westpoint.edu\/jonathan-fuller\u0022\u003E\u003Cstrong\u003EJonathan Fuller\u003C\/strong\u003E\u003C\/a\u003E from the United States Military Academy, the research team developed a tool to automatically detect and neutralize dead drop resolver (DDR)-enabled malware. 
Named VADER by the researchers, it analyzes how each malware sample decodes hidden content and extracts the logic\u2014or recipe\u2014it uses to uncover the final command-and-control (C\u0026amp;C) server.\u003C\/p\u003E\u003Cp\u003EYao and Fuller discovered how widespread this problem is when VADER identified nearly 9,000 real-world malware samples using DDR techniques across seven different popular web storage apps.\u003C\/p\u003E\u003Cp\u003E\u201cIt\u2019s crucial for web app providers to act fast by removing these hidden payloads,\u201d said Yao. \u201cBut that\u2019s just the start\u2014new, disguised versions could be hiding anywhere on their platforms.\u201d\u003C\/p\u003E\u003Cp\u003ESince providers have no idea how the content has been manipulated, spotting these hidden threats used to be nearly impossible. In an experiment by the CyFI team, a striking 64.1% of C\u0026amp;C servers shielded by dead drops were still active as of the day the study was conducted.\u003C\/p\u003E\u003Cp\u003EThat\u2019s why the CyFI Lab designed VADER to scale. When tested on 100,000 malware samples, it identified the 8,906 DDR-enabled ones and extracted seven unique decoding methods. 
Then, using those recipes, the system scanned live web traffic and discovered 72 additional dead drops across 11 different platforms, leading to the identification of 67 new C\u0026amp;C addresses.\u003C\/p\u003E\u003Cp\u003ESo far, VADER\u2019s results have enabled security teams to work with providers to take down 43 of those malicious dead drops\u2014and counting.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003EVADER: Enhanced Web Application Security Through Proactive Dead Drop Resolver Remediation will be presented at the \u003Ca href=\u0022https:\/\/www.sigsac.org\/ccs\/CCS2025\/accepted-papers\/\u0022\u003E32nd ACM Conference on Computer and Communications Security\u003C\/a\u003E in Taipei, Taiwan later this year.\u0026nbsp;\u003C\/p\u003E\u003C\/div\u003E\u003C\/div\u003E","summary":"","format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EWhen a hacker uses malware to infect a device, they won\u2019t send instructions to it directly. Instead, they hide the location of their control servers inside scrambled strings of data. These encoded messages, called dead drops, are quietly stored on trusted web applications like Dropbox or Google Drive. 
When malware infects a device, it connects to one of these services, decodes the message, and learns where to go next\u2014without ever raising red flags.\u003C\/p\u003E\u003Cp\u003EThis method helps attackers stay under the radar by blending in with everyday web traffic on legitimate online services, but a team of cybersecurity researchers from Georgia Tech\u2019s \u003Ca href=\u0022https:\/\/cyfi.ece.gatech.edu\/\u0022\u003ECyber Forensics Innovation\u003C\/a\u003E (CyFI) Lab have developed a solution to combat this stealthy threat.\u0026nbsp;\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"Hackers are taking a page out of old spy movies to stay under the radar, but Georgia Tech researchers are hot on their trail"}],"uid":"36253","created_gmt":"2025-06-06 14:25:18","changed_gmt":"2025-06-06 14:37:18","author":"John Popham","boilerplate_text":"","field_publication":"","field_article_url":"","location":"Atlanta, GA","dateline":{"date":"2025-06-05T00:00:00-04:00","iso_date":"2025-06-05T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"677199":{"id":"677199","type":"image","title":"CyFI-Lab-sign-webcopy.jpg","body":null,"created":"1749219955","gmt_created":"2025-06-06 14:25:55","changed":"1749219955","gmt_changed":"2025-06-06 14:25:55","alt":"a sign","file":{"fid":"261073","name":"CyFI-Lab-sign-webcopy.jpg","image_path":"\/sites\/default\/files\/2025\/06\/06\/CyFI-Lab-sign-webcopy.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/2025\/06\/06\/CyFI-Lab-sign-webcopy.jpg","mime":"image\/jpeg","size":1717322,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/2025\/06\/06\/CyFI-Lab-sign-webcopy.jpg?itok=iL0pFEAN"}}},"media_ids":["677199"],"groups":[{"id":"47223","name":"College of Computing"},{"id":"1188","name":"Research Horizons"},{"id":"660367","name":"School of Cybersecurity and Privacy"}],"categories":[{"id":"153","name":"Computer Science\/Information 
Technology and Security"},{"id":"145","name":"Engineering"},{"id":"135","name":"Research"},{"id":"134","name":"Student and Faculty"},{"id":"8862","name":"Student Research"}],"keywords":[{"id":"174421","name":"graduate student research"},{"id":"182706","name":"phd student research"},{"id":"167441","name":"student research"},{"id":"48951","name":"featured student research"},{"id":"98601","name":"hacking"},{"id":"8859","name":"hack"},{"id":"175042","name":"Spying"},{"id":"10199","name":"Daily Digest"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003EJP Popham, Communications Officer II\u0026nbsp;\u003C\/p\u003E\u003Cp\u003ECollege of Computing | School of Cybersecurity and Privacy\u003C\/p\u003E","format":"limited_html"}],"email":["jpopham3@gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}