Security researchers at Trend Micro have spotted for the first time a targeted attack campaign using Dropbox to download and update command and control (C&C) settings.
Threat analyst Maersk Menrige explained in a blog post that the attack, which was discovered in May, used the PlugX remote access tool (RAT) to target the Taiwanese government.
Unlike previously seen targeted attacks, which have used Dropbox in order to host malware itself, “this is the first instance we’ve seen this technique of using Dropbox to update its C&C settings”, he claimed.
“The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents,” he added.
“We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won’t immediately suspect any malicious activities on their systems.”
PlugX is designed to log keystrokes, perform port maps, connect to a URL for its C&C settings and run remote shells to enable further compromise.
The version spotted by Trend Micro this time around was a “type II PlugX variant” which “abuses certain AV products” and features an anti-forensic technique.
The researchers dug deeper into the attack to find out more about the additional “malicious and legitimate” tools used by the threat actors to lift data and avoid being detected.
These included password recovery tools to extract stored passwords, remote admin tools, port scanners, network utility tools, and Htran tools.
“Htran hides the attacker’s source IP by bouncing TCP traffic in connections in different countries,” explained Menrige.
“This is done so that IT administrators cannot easily trace the source IP of threat actors, thus, gaining persistence in the network.”
The PlugX RAT was discovered in 2012, although it has probably been used in attack campaigns dating back to early 2008, according to Trend Micro.