Cloud
6/27/2014
06:00 PM
Connect Directly
RSS
E-Mail
50%
50%

PlugX RAT Armed With 'Time Bomb' Leverages Dropbox In Attack

Attackers used Dropbox to update command and control settings, according to Trend Micro. The malware included a trigger date of May 5 to begin running.

Researchers at Trend Micro say they have uncovered a scheme to use Dropbox to distribute command and control (C&C) updates as part of a targeted attack.

The situation was uncovered in an analysis of an attack against a Taiwanese government agency. According to Trend Micro, the malware downloads its C&C settings from Dropbox as part of an effort to mask malicious traffic by using a legitimate website. The firm found no vulnerability in Dropbox, and it informed Dropbox of the situation before mentioning it publicly.

The attackers are using variants of the PlugX remote administration tool (RAT). In a blog post, Trend Micro threat analyst Maersk Menrige explains that, when malware detected by Trend Micro as BKDR_PLUGX.ZTBF-A is executed, it performs a number of commands from a remote user, such as keystroke logging and remote shell. Typically, remote shell allows attackers to run any command on the infect4ed system to compromise its security, the researcher wrote.

    This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents. We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won't immediately suspect any malicious activities on their systems.
    Accordingly, this is a type II PlugX variant, one with new features and modifications from its version 1. One change is the use of "XV" header as opposed to MZ/PE header it previously had. This may be an anti-forensic technique used since it initially loads "XV" header and the binary won't run unless XV are replaced by MZ/PE. Furthermore, it also has an authentication code from the attacker, which, in this case, is 20140513. However, one common feature of PlugX is the preloading technique wherein normal applications load malicious DLL. This malicious DLL then loads the encrypted component that contains the main routines. Furthermore, it abuses certain AV products.

Once the command and control communications are established, the threat actors move laterally into the network using a mix of malicious and legitimate tools to avoid being detected. These tools include password recovery tools, port scanners, and the HTran tool, which hides the attacker's source IP by bouncing TCP traffic through several connections. The password recovery tools are used to extract stored passwords in apps and the operating system found in registry and local drives, Menrige wrote.

"This is the first time we've seen this, but criminals are smart and copy proven tactics," Christopher Budd, global threat communications manager at Trend Micro, told us. "Just like we've seen malware hosting move into the cloud, we should expect to see more instances of C&C being hosted in the cloud."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/3/2014 | 9:10:34 AM
Re: Safeguarding vs Functionality
Unfortunately it is already happening, cyber criminals are abusing any kind of technology to avoid detection. In the last months malware abused of Tor networks to hide their C&C, now the component that they are trying to hide is the malicious traffic ... 

The real problem is that for small and medium businesses this kind of attacks is very effective with significant losses.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/3/2014 | 8:44:53 AM
Re: Safeguarding vs Functionality
I feel like these types of silent storage would be a great mask for any malicious intent, not only concealing malware to be used elsewhere. Google Drive, Sky Drive, Dropbox, would all become very volatile if an attack had the ability to pervade through other personal storage based on where they are stored on the server. I would not be surprised if we were to see something to this effect soon.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/1/2014 | 3:19:47 AM
Re: Safeguarding vs Functionality
Unfortunately, cyber criminals are targeting file sharing systems and cloud storage to hide component of botnet within their infrastructure, in this way the malicious traffic is hard to be discriminated by the legitimate one.

In the next weeks we have observed many similar attacks which exploited Google Drive system.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/28/2014 | 1:11:37 PM
Safeguarding vs Functionality
Dropbox is a great method for storing files. Unfortunately, there are those that seek to extort it for malicious means. Many organizations don't allow dropbox, not solely because of issues like this but from an auditing standpoint there is no visibility of files that hit the server. 

I know this was stated as not being a dropbox vulnerability but how is the threat manifesting? Is this threat being manifested through dropbox or is user input needed to contract this RAT in another vector? 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5452
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibility of invalid C-CDA documents with crafted XML attributes, which allows remote attackers to conduct XSS attacks via a document containing a table that is improperly handled during unrestricted xsl:copy operations.

CVE-2014-6041
Published: 2014-09-02
The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.