Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/27/2014
06:00 PM
50%
50%

PlugX RAT Armed With 'Time Bomb' Leverages Dropbox In Attack

Attackers used Dropbox to update command and control settings, according to Trend Micro. The malware included a trigger date of May 5 to begin running.

Researchers at Trend Micro say they have uncovered a scheme to use Dropbox to distribute command and control (C&C) updates as part of a targeted attack.

The situation was uncovered in an analysis of an attack against a Taiwanese government agency. According to Trend Micro, the malware downloads its C&C settings from Dropbox as part of an effort to mask malicious traffic by using a legitimate website. The firm found no vulnerability in Dropbox, and it informed Dropbox of the situation before mentioning it publicly.

The attackers are using variants of the PlugX remote administration tool (RAT). In a blog post, Trend Micro threat analyst Maersk Menrige explains that, when malware detected by Trend Micro as BKDR_PLUGX.ZTBF-A is executed, it performs a number of commands from a remote user, such as keystroke logging and remote shell. Typically, remote shell allows attackers to run any command on the infect4ed system to compromise its security, the researcher wrote.

    This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents. We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won't immediately suspect any malicious activities on their systems.
    Accordingly, this is a type II PlugX variant, one with new features and modifications from its version 1. One change is the use of "XV" header as opposed to MZ/PE header it previously had. This may be an anti-forensic technique used since it initially loads "XV" header and the binary won't run unless XV are replaced by MZ/PE. Furthermore, it also has an authentication code from the attacker, which, in this case, is 20140513. However, one common feature of PlugX is the preloading technique wherein normal applications load malicious DLL. This malicious DLL then loads the encrypted component that contains the main routines. Furthermore, it abuses certain AV products.

Once the command and control communications are established, the threat actors move laterally into the network using a mix of malicious and legitimate tools to avoid being detected. These tools include password recovery tools, port scanners, and the HTran tool, which hides the attacker's source IP by bouncing TCP traffic through several connections. The password recovery tools are used to extract stored passwords in apps and the operating system found in registry and local drives, Menrige wrote.

"This is the first time we've seen this, but criminals are smart and copy proven tactics," Christopher Budd, global threat communications manager at Trend Micro, told us. "Just like we've seen malware hosting move into the cloud, we should expect to see more instances of C&C being hosted in the cloud."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/3/2014 | 9:10:34 AM
Re: Safeguarding vs Functionality
Unfortunately it is already happening, cyber criminals are abusing any kind of technology to avoid detection. In the last months malware abused of Tor networks to hide their C&C, now the component that they are trying to hide is the malicious traffic ... 

The real problem is that for small and medium businesses this kind of attacks is very effective with significant losses.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/3/2014 | 8:44:53 AM
Re: Safeguarding vs Functionality
I feel like these types of silent storage would be a great mask for any malicious intent, not only concealing malware to be used elsewhere. Google Drive, Sky Drive, Dropbox, would all become very volatile if an attack had the ability to pervade through other personal storage based on where they are stored on the server. I would not be surprised if we were to see something to this effect soon.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/1/2014 | 3:19:47 AM
Re: Safeguarding vs Functionality
Unfortunately, cyber criminals are targeting file sharing systems and cloud storage to hide component of botnet within their infrastructure, in this way the malicious traffic is hard to be discriminated by the legitimate one.

In the next weeks we have observed many similar attacks which exploited Google Drive system.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/28/2014 | 1:11:37 PM
Safeguarding vs Functionality
Dropbox is a great method for storing files. Unfortunately, there are those that seek to extort it for malicious means. Many organizations don't allow dropbox, not solely because of issues like this but from an auditing standpoint there is no visibility of files that hit the server. 

I know this was stated as not being a dropbox vulnerability but how is the threat manifesting? Is this threat being manifested through dropbox or is user input needed to contract this RAT in another vector? 
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30481
PUBLISHED: 2021-04-10
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
CVE-2021-20020
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
CVE-2021-30480
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
CVE-2021-21194
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21195
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.