Cloud
6/27/2014
06:00 PM
Connect Directly
RSS
E-Mail
50%
50%

PlugX RAT Armed With 'Time Bomb' Leverages Dropbox In Attack

Attackers used Dropbox to update command and control settings, according to Trend Micro. The malware included a trigger date of May 5 to begin running.

Researchers at Trend Micro say they have uncovered a scheme to use Dropbox to distribute command and control (C&C) updates as part of a targeted attack.

The situation was uncovered in an analysis of an attack against a Taiwanese government agency. According to Trend Micro, the malware downloads its C&C settings from Dropbox as part of an effort to mask malicious traffic by using a legitimate website. The firm found no vulnerability in Dropbox, and it informed Dropbox of the situation before mentioning it publicly.

The attackers are using variants of the PlugX remote administration tool (RAT). In a blog post, Trend Micro threat analyst Maersk Menrige explains that, when malware detected by Trend Micro as BKDR_PLUGX.ZTBF-A is executed, it performs a number of commands from a remote user, such as keystroke logging and remote shell. Typically, remote shell allows attackers to run any command on the infect4ed system to compromise its security, the researcher wrote.

    This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents. We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won't immediately suspect any malicious activities on their systems.
    Accordingly, this is a type II PlugX variant, one with new features and modifications from its version 1. One change is the use of "XV" header as opposed to MZ/PE header it previously had. This may be an anti-forensic technique used since it initially loads "XV" header and the binary won't run unless XV are replaced by MZ/PE. Furthermore, it also has an authentication code from the attacker, which, in this case, is 20140513. However, one common feature of PlugX is the preloading technique wherein normal applications load malicious DLL. This malicious DLL then loads the encrypted component that contains the main routines. Furthermore, it abuses certain AV products.

Once the command and control communications are established, the threat actors move laterally into the network using a mix of malicious and legitimate tools to avoid being detected. These tools include password recovery tools, port scanners, and the HTran tool, which hides the attacker's source IP by bouncing TCP traffic through several connections. The password recovery tools are used to extract stored passwords in apps and the operating system found in registry and local drives, Menrige wrote.

"This is the first time we've seen this, but criminals are smart and copy proven tactics," Christopher Budd, global threat communications manager at Trend Micro, told us. "Just like we've seen malware hosting move into the cloud, we should expect to see more instances of C&C being hosted in the cloud."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/3/2014 | 9:10:34 AM
Re: Safeguarding vs Functionality
Unfortunately it is already happening, cyber criminals are abusing any kind of technology to avoid detection. In the last months malware abused of Tor networks to hide their C&C, now the component that they are trying to hide is the malicious traffic ... 

The real problem is that for small and medium businesses this kind of attacks is very effective with significant losses.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/3/2014 | 8:44:53 AM
Re: Safeguarding vs Functionality
I feel like these types of silent storage would be a great mask for any malicious intent, not only concealing malware to be used elsewhere. Google Drive, Sky Drive, Dropbox, would all become very volatile if an attack had the ability to pervade through other personal storage based on where they are stored on the server. I would not be surprised if we were to see something to this effect soon.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/1/2014 | 3:19:47 AM
Re: Safeguarding vs Functionality
Unfortunately, cyber criminals are targeting file sharing systems and cloud storage to hide component of botnet within their infrastructure, in this way the malicious traffic is hard to be discriminated by the legitimate one.

In the next weeks we have observed many similar attacks which exploited Google Drive system.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/28/2014 | 1:11:37 PM
Safeguarding vs Functionality
Dropbox is a great method for storing files. Unfortunately, there are those that seek to extort it for malicious means. Many organizations don't allow dropbox, not solely because of issues like this but from an auditing standpoint there is no visibility of files that hit the server. 

I know this was stated as not being a dropbox vulnerability but how is the threat manifesting? Is this threat being manifested through dropbox or is user input needed to contract this RAT in another vector? 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.