Cloud
6/27/2014
06:00 PM
50%
50%

PlugX RAT Armed With 'Time Bomb' Leverages Dropbox In Attack

Attackers used Dropbox to update command and control settings, according to Trend Micro. The malware included a trigger date of May 5 to begin running.

Researchers at Trend Micro say they have uncovered a scheme to use Dropbox to distribute command and control (C&C) updates as part of a targeted attack.

The situation was uncovered in an analysis of an attack against a Taiwanese government agency. According to Trend Micro, the malware downloads its C&C settings from Dropbox as part of an effort to mask malicious traffic by using a legitimate website. The firm found no vulnerability in Dropbox, and it informed Dropbox of the situation before mentioning it publicly.

The attackers are using variants of the PlugX remote administration tool (RAT). In a blog post, Trend Micro threat analyst Maersk Menrige explains that, when malware detected by Trend Micro as BKDR_PLUGX.ZTBF-A is executed, it performs a number of commands from a remote user, such as keystroke logging and remote shell. Typically, remote shell allows attackers to run any command on the infect4ed system to compromise its security, the researcher wrote.

    This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents. We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won't immediately suspect any malicious activities on their systems.
    Accordingly, this is a type II PlugX variant, one with new features and modifications from its version 1. One change is the use of "XV" header as opposed to MZ/PE header it previously had. This may be an anti-forensic technique used since it initially loads "XV" header and the binary won't run unless XV are replaced by MZ/PE. Furthermore, it also has an authentication code from the attacker, which, in this case, is 20140513. However, one common feature of PlugX is the preloading technique wherein normal applications load malicious DLL. This malicious DLL then loads the encrypted component that contains the main routines. Furthermore, it abuses certain AV products.

Once the command and control communications are established, the threat actors move laterally into the network using a mix of malicious and legitimate tools to avoid being detected. These tools include password recovery tools, port scanners, and the HTran tool, which hides the attacker's source IP by bouncing TCP traffic through several connections. The password recovery tools are used to extract stored passwords in apps and the operating system found in registry and local drives, Menrige wrote.

"This is the first time we've seen this, but criminals are smart and copy proven tactics," Christopher Budd, global threat communications manager at Trend Micro, told us. "Just like we've seen malware hosting move into the cloud, we should expect to see more instances of C&C being hosted in the cloud."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/3/2014 | 9:10:34 AM
Re: Safeguarding vs Functionality
Unfortunately it is already happening, cyber criminals are abusing any kind of technology to avoid detection. In the last months malware abused of Tor networks to hide their C&C, now the component that they are trying to hide is the malicious traffic ... 

The real problem is that for small and medium businesses this kind of attacks is very effective with significant losses.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/3/2014 | 8:44:53 AM
Re: Safeguarding vs Functionality
I feel like these types of silent storage would be a great mask for any malicious intent, not only concealing malware to be used elsewhere. Google Drive, Sky Drive, Dropbox, would all become very volatile if an attack had the ability to pervade through other personal storage based on where they are stored on the server. I would not be surprised if we were to see something to this effect soon.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/1/2014 | 3:19:47 AM
Re: Safeguarding vs Functionality
Unfortunately, cyber criminals are targeting file sharing systems and cloud storage to hide component of botnet within their infrastructure, in this way the malicious traffic is hard to be discriminated by the legitimate one.

In the next weeks we have observed many similar attacks which exploited Google Drive system.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/28/2014 | 1:11:37 PM
Safeguarding vs Functionality
Dropbox is a great method for storing files. Unfortunately, there are those that seek to extort it for malicious means. Many organizations don't allow dropbox, not solely because of issues like this but from an auditing standpoint there is no visibility of files that hit the server. 

I know this was stated as not being a dropbox vulnerability but how is the threat manifesting? Is this threat being manifested through dropbox or is user input needed to contract this RAT in another vector? 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.