Categories
Malware

PlugX RAT with Time Bomb abuses Dropbox in targeted attacks

Trend Micro analyzed a targeted attack against a Taiwanese government entity which used a variant of the PlugX RAT that abuses the Dropbox service.

Researchers from Trend Micro discovered that a targeted attack against a government agency in Taiwan was conducted using a variant of the PlugX remote access tool (RAT) which abuses the popular file hosting service Dropbox. Security experts have discovered in the last years, many malware based attacks exploiting the popular PlugX, it is very cheap and friendly for attackers that can arrange easily a malicious campaign making hard the attribution of responsibility because the large diffusion of the malicious agent.

Experts at Trend Micro recently detected a variant of PlugX RAT communicating its command and control (C&C) settings from Dropbox, the trick was adopted by attackers to masquerade the malicious traffic and making hard the detection by law enforcement and security firms.

Monitoring network traffic is one of the most used technique to determine if there is an ongoing targeted attack, security experts are able to identify traffic patterns related principal botnet and RATs (e.g. Gh0st, PoisonIvy, Hupigon and PlugX), communication with command-and-control (C&C) are quite easy to detect with this method.

“Last May we encountered a targeted attack that hit a government agency in Taiwan. In the said attack, threat actors used PlugX RAT that abused Dropbox to download its C&C settings. The Dropbox abuse is no longer new since an attack before employed this platform to host the malware. However, this is the first instance we’ve seen this technique of using Dropbox to update its C&C settings in the cases we analyzed related to targeted attacks.” reports Trend Micro official post.

Dropbox is used by personnel of many organizations and government entities, principal defense systems deployed by their security teams in charge of their protection might not flag communications between the PlugX RAT and DropBox folders as an indicator on compromise.

plugX diagram routines

As explained by experts at Trend Micro, it is frequent to observe bad actors which abuse legitimate file sharing services, but this is the first time Dropbox has been used to store C&C settings as part of a targeted attack.

The PlugX instances analyzed by by researchers at Trend Micro have, identified as BKDR_PLUGX.ZTBF-A and TROJ_PLUGX.ZTBF-A, implements classic features of any other RAT, it installs a backdoor with that allows an attacker the complete control of compromised machines.

The two types of malware belong to different categories of PlugX, the second one (TROJ_PLUGX.ZTBF-A,) is considered a new version which implements incorporates anti-forensic techniques, an authentication mechanism of the attacker, a different encryption algorithm, extended configuration, and more protocols and functions.

The attackers have used a particular PlugX RAT variant which includes a a triggering mechanism based on the system date to make much more hard malware detection.

“This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents.  We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won’t immediately suspect any malicious activities on their systems.” continues Trend Micro.

Trend Micro notified Dropbox of the targeted attack, but security researchers highlight the fact that the bad actors are simply abusing of the file sharing service not exploiting any vulnerabilities in it.

“Keep in mind, this isn’t a problem with Dropbox per se: it appears these cybercriminals have signed up for legitimate accounts but are using them for malicious ends. There are two takeaways from this. First, cybercriminals recognize the business benefits of cloud services and will likely continue to migrate from self-hosted (or compromised-server-hosted) attacks to cloud services. Second, for CISOs and security managers, it increasingly makes sense to block access to any cloud-based services where there is no legitimate business need.” said Christopher Budd, Trend Micro’s global manager of threat communications, 

Let me close with a final consideration made by experts at Trend Micro on the necessity to use threat intelligence to interrupt the attack chain.

“The publicly available information on indicators of compromise can determine if an enterprise is being hit by targeted attacks. This may be incorporated in their security solutions, thus, breaking the attack cycle and possible data exfiltration from the target enterprise or large organization.”

Pierluigi Paganini

(Security Affairs –  PlugX, malware)