Trend Micro analyzed a targeted attack against a Taiwanese government entity which used a variant of the PlugX RAT that abuses the Dropbox service.
Researchers from Trend Micro discovered that a targeted attack against a government agency in Taiwan was conducted using a variant of the PlugX remote access tool (RAT) which abuses the popular file hosting service Dropbox. Security experts have discovered in the last years, many malware based attacks exploiting the popular PlugX, it is very cheap and friendly for attackers that can arrange easily a malicious campaign making hard the attribution of responsibility because the large diffusion of the malicious agent.
Experts at Trend Micro recently detected a variant of PlugX RAT communicating its command and control (C&C) settings from Dropbox, the trick was adopted by attackers to masquerade the malicious traffic and making hard the detection by law enforcement and security firms.
Monitoring network traffic is one of the most used technique to determine if there is an ongoing targeted attack, security experts are able to identify traffic patterns related principal botnet and RATs (e.g. Gh0st, PoisonIvy, Hupigon and PlugX), communication with command-and-control (C&C) are quite easy to detect with this method.
“Last May we encountered a targeted attack that hit a government agency in Taiwan. In the said attack, threat actors used PlugX RAT that abused Dropbox to download its C&C settings. The Dropbox abuse is no longer new since an attack before employed this platform to host the malware. However, this is the first instance we’ve seen this technique of using Dropbox to update its C&C settings in the cases we analyzed related to targeted attacks.” reports Trend Micro official post.
Dropbox is used by personnel of many organizations and government entities, principal defense systems deployed by their security teams in charge of their protection might not flag communications between the PlugX RAT and DropBox folders as an indicator on compromise.