Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/27/2014
06:00 PM
50%
50%

PlugX RAT Armed With 'Time Bomb' Leverages Dropbox In Attack

Attackers used Dropbox to update command and control settings, according to Trend Micro. The malware included a trigger date of May 5 to begin running.

Researchers at Trend Micro say they have uncovered a scheme to use Dropbox to distribute command and control (C&C) updates as part of a targeted attack.

The situation was uncovered in an analysis of an attack against a Taiwanese government agency. According to Trend Micro, the malware downloads its C&C settings from Dropbox as part of an effort to mask malicious traffic by using a legitimate website. The firm found no vulnerability in Dropbox, and it informed Dropbox of the situation before mentioning it publicly.

The attackers are using variants of the PlugX remote administration tool (RAT). In a blog post, Trend Micro threat analyst Maersk Menrige explains that, when malware detected by Trend Micro as BKDR_PLUGX.ZTBF-A is executed, it performs a number of commands from a remote user, such as keystroke logging and remote shell. Typically, remote shell allows attackers to run any command on the infect4ed system to compromise its security, the researcher wrote.

    This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents. We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won't immediately suspect any malicious activities on their systems.
    Accordingly, this is a type II PlugX variant, one with new features and modifications from its version 1. One change is the use of "XV" header as opposed to MZ/PE header it previously had. This may be an anti-forensic technique used since it initially loads "XV" header and the binary won't run unless XV are replaced by MZ/PE. Furthermore, it also has an authentication code from the attacker, which, in this case, is 20140513. However, one common feature of PlugX is the preloading technique wherein normal applications load malicious DLL. This malicious DLL then loads the encrypted component that contains the main routines. Furthermore, it abuses certain AV products.

Once the command and control communications are established, the threat actors move laterally into the network using a mix of malicious and legitimate tools to avoid being detected. These tools include password recovery tools, port scanners, and the HTran tool, which hides the attacker's source IP by bouncing TCP traffic through several connections. The password recovery tools are used to extract stored passwords in apps and the operating system found in registry and local drives, Menrige wrote.

"This is the first time we've seen this, but criminals are smart and copy proven tactics," Christopher Budd, global threat communications manager at Trend Micro, told us. "Just like we've seen malware hosting move into the cloud, we should expect to see more instances of C&C being hosted in the cloud."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/3/2014 | 9:10:34 AM
Re: Safeguarding vs Functionality
Unfortunately it is already happening, cyber criminals are abusing any kind of technology to avoid detection. In the last months malware abused of Tor networks to hide their C&C, now the component that they are trying to hide is the malicious traffic ... 

The real problem is that for small and medium businesses this kind of attacks is very effective with significant losses.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/3/2014 | 8:44:53 AM
Re: Safeguarding vs Functionality
I feel like these types of silent storage would be a great mask for any malicious intent, not only concealing malware to be used elsewhere. Google Drive, Sky Drive, Dropbox, would all become very volatile if an attack had the ability to pervade through other personal storage based on where they are stored on the server. I would not be surprised if we were to see something to this effect soon.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/1/2014 | 3:19:47 AM
Re: Safeguarding vs Functionality
Unfortunately, cyber criminals are targeting file sharing systems and cloud storage to hide component of botnet within their infrastructure, in this way the malicious traffic is hard to be discriminated by the legitimate one.

In the next weeks we have observed many similar attacks which exploited Google Drive system.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/28/2014 | 1:11:37 PM
Safeguarding vs Functionality
Dropbox is a great method for storing files. Unfortunately, there are those that seek to extort it for malicious means. Many organizations don't allow dropbox, not solely because of issues like this but from an auditing standpoint there is no visibility of files that hit the server. 

I know this was stated as not being a dropbox vulnerability but how is the threat manifesting? Is this threat being manifested through dropbox or is user input needed to contract this RAT in another vector? 
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.