I've recently come across an APT named Dimnie by Palo Alto's Unit42 (full report here). The purpose of Dimnie is to exfiltrate sensitive data to the attacker. The peculiarity about Dimnie is that it does so with a peculiar trick. Dimnie changes the HTTP Host header to point to a well-known trusted domain while it actualy sends the request to an attacker-controlled server. This can be done as the HTTP Host header is not actually used for routing, but rather for virtual hosting purposes, as the docs say. This makes the HTTP request look like it's headed to a trusted domain while in fact is headed to a malicious one.

For demonstration purposes we can craft this very simple Python script:

import requests

requests.get('http://fernandodominguez.me', headers={'Host': 'google.com'})

As a result, you obtain the following network traffic.

An HTTP request that looks like it's going to Google.

It even tricks Cuckoo ;)