Attackers exploit Dropbox to target Taiwanese government

Security

by CBR Staff Writer| 04 July 2014

The type II PlugX remote access tool (RAT) variant is the first seen using Dropbox to update its command and control settings.

A remote access tool (RAT) is using Dropbox to update its command and control settings in a targeted attack against the Taiwanese government, according to Trend Micro threat analyst Maersk Menrige.

Targeted attacks have previously used Dropbox to host malware, but this is the first time Dropbox has been seen used to update command and control settings.

"The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents," explained Trend Micro threat analyst Maersk Menrige in a blog post.

"We also found out that this malware has a trigger date of May 5, 2014, which means that it started running from that date. This is probably done so that users won't immediately suspect any malicious activities on their systems," Menrige added.

The latest version, spotted by Trend Micro, is classed as a type II PlugX variant because of its new features: the earlier version carried a standard MZ/PE header, while the latest one carries an "XV" header in its place.

The new variant also abuses certain antivirus products and includes an anti-forensic technique.

It does retain one feature common to PlugX, the preloading technique: a legitimate application loads a malicious DLL, which in turn loads the encrypted component containing the main routines.
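The "XV" header matters to a responder because the usual way of carving executables out of a memory dump or a disk image is to look for the "MZ" and "PE" signatures, and a payload that has had them swapped will be skipped. The scanner below is an added example for this article, not code from Trend Micro or from the PlugX analysis, and it makes one stated assumption: that the two-byte "MZ" DOS signature and the "PE" half of the "PE\0\0" signature are literally replaced with "XV" while the rest of the header (in particular e_lfanew at offset 0x3C) is left intact. The sample image and the "memory dump" it is hidden in are constructed inline; names such as find_masked_pe and unmask_pe are this example's own.

```python
import struct

# Constructed sample: a minimal PE-like image (DOS header + COFF header + padding),
# built inline so the example runs offline. It is not a real PlugX payload.
def build_minimal_pe(machine=0x014C):
    """Return a minimal image: 'MZ' DOS header, e_lfanew=0x40, then 'PE\\0\\0' + COFF header."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew lives at offset 0x3C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x2000 = DLL)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 0xE0


def mask_signatures(image):
    """Reproduce the header swap the article describes. Assumption for this example:
    both the 'MZ' and the 'PE' signature bytes become 'XV'; nothing else changes."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    buf = bytearray(image)
    buf[0:2] = b"XV"
    buf[e_lfanew:e_lfanew + 2] = b"XV"
    return bytes(buf)


def find_masked_pe(blob, max_lfanew=0x1000):
    """Scan a byte blob (file or memory dump) for XV-masked PE headers.
    A hit needs 'XV' at the candidate DOS header, an e_lfanew that stays inside the
    blob and within a sane range, and 'XV\\0\\0' where the PE signature should be.
    Returns the offsets of all hits."""
    hits = []
    pos = blob.find(b"XV")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if (0x40 <= e_lfanew <= max_lfanew and pe + 24 <= len(blob)
                    and blob[pe:pe + 4] == b"XV\0\0"):
                hits.append(pos)
        pos = blob.find(b"XV", pos + 1)
    return hits


def unmask_pe(blob, offset):
    """Carve the image at `offset`, restore 'MZ' and 'PE\\0\\0', and return the repaired
    bytes so a normal PE parser can handle it."""
    e_lfanew = struct.unpack_from("<I", blob, offset + 0x3C)[0]
    image = bytearray(blob[offset:])
    image[0:2] = b"MZ"
    image[e_lfanew:e_lfanew + 2] = b"PE"
    return bytes(image)


def coff_summary(image):
    """Parse the COFF header of a (restored) image; returns a dict, or None if not a PE."""
    if image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    return {"machine": machine, "sections": nsec, "opt_header_size": opt_size,
            "characteristics": chars, "is_dll": bool(chars & 0x2000)}


if __name__ == "__main__":
    clean = build_minimal_pe()
    # Constructed "memory dump": junk, then the masked image, then more junk.
    dump = b"\x00" * 37 + mask_signatures(clean) + b"\xcc" * 16
    print("plain MZ carving finds offset:", dump.find(b"MZ"))   # -1: the swap defeats it
    for off in find_masked_pe(dump):
        print("masked PE at 0x%x ->" % off, coff_summary(unmask_pe(dump, off)))
```

The point of the example is the contrast in the last lines: a carver keyed on "MZ" returns nothing, while a scanner that knows the substitution finds the image, repairs it, and hands a standard parser a header it can read. In practice the e_lfanew range check is what keeps false positives down, since "XV" on its own is a common two-byte sequence.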

Digging deeper into the attack, the security researchers found that threat actors used malicious as well as legitimate tools to steal data and avoid being detected.

Among the tools spotted were password recovery tools, remote administration tools, port scanners, network utilities, and HTran, which hides the attacker's source IP address by bouncing TCP connections through hosts in several countries.

First identified in 2012, the PlugX RAT may have been used in attack campaigns since 2008, according to Trend Micro.
