Chinese Hacker Group Uses Dropbox for Malware Command and Control

By Wayne Rash  |  Posted 2015-12-02

But there's no reason to think that an attacker would stick to an old vulnerability. There's a much greater likelihood that any attack against U.S. interests would use something more sophisticated. This means you will need to be using a more modern approach to endpoint protection rather than simply using the antivirus package you have on hand.

"You're not going to be able to do everything to protect against this on the wire," said Craig Young, a cybersecurity researcher for Tripwire. "Previously you'd be able to flag traffic going to unknown IP address[es]. But when you're communicating through cloud services then it gets harder since there are legitimate applications." Young said that by using Dropbox the attackers are keeping their costs down and also keeping it under the radar.

While it's possible to prevent attacks such as this by not allowing connections to external public cloud services, it's unlikely to work for most companies, Young said. The reason is that many companies use those same services for their own operations, which means that blocking access isn't going to fly.

However, just because you can't look inside the encrypted Dropbox sessions doesn't mean the attack can't be detected. "You wouldn't be able to detect the first-stage malware at the network level," Villeneuve said, "but you can detect on the binary itself and you can detect the second stage."

This is where the new practice of using multiple types of defense is so important. If the malware payload happens to be a zero-day attack that a signature-based anti-malware product might miss, you also need behavioral anti-malware products. Villeneuve added that some advanced anti-malware products also may be able to alert on the creation of the back door, even if they can't look inside the encrypted link itself.

Villeneuve said that the type of targets being attacked by admin@338 makes him suspect that the government of China is behind the attacks, but he also noted that he doesn't have the evidence he needs to say this with a high degree of confidence.

Regardless of whether the government of China is behind these attacks, you're now warned that this new method of using cloud service APIs to attack you is coming. The good news in this particular case is that the folks at FireEye and those at Dropbox collaborated to shut down this particular set of hackers, at least for now.

But now that they have successfully used one cloud service, they know they can use many more such services, and aim all of them at you. This is the time to beef up your protection, and start learning how you can provide defense in depth.
