Chinese Hacker Group Uses Dropbox for Malware Command and Control

NEWS ANALYSIS: The current malware threat isn't targeting U.S. interests now, but the hacker group could easily turn its attention in that direction as it has in the past.

Dropbox Malware 2

The Chinese cyberthreat group known as "admin@338" has developed a new and potentially serious method of attacking enterprises using a resource that's probably already in use at your organization.

The delivery system uses application programming interfaces (APIs) from Dropbox to hide the attackers' command and control functions inside an encrypted service where it can't be found. The research group at FireEye initially found the malware.

As is the case with many malware examples these days, this attack starts out as a phishing attack, using an infected Word document. When the recipient opens the document, the malware payload opens a session with the attacker's account on Dropbox.

Once the session starts, the malware sends a file to the Dropbox account containing basic information about the infected computer. The command and control system on the Dropbox account then starts controlling the malware on the infected computer, perhaps searching for specific information, or perhaps loading additional malware.

Right now this specific threat is aimed at media outlets located in Hong Kong in the wake of unrest in that former British colony. However, the admin@338 group primarily attacks Western interests and is likely to begin doing so again. This means that taking precautions now, in advance of any attack against U.S. targets, means you'll be ready when it happens here, as it certainly will eventually.

According to Nart Villeneuve, a threat intelligence analyst at FireEye, and the author of the report describing the attacks, the threat uses an exploit that takes advantage of an older vulnerability in Microsoft Word (CVE-2012-0158) that was patched about three years ago. The malware creates a back door that communicates with the Dropbox through its APIs, setting up the secure link that uses an HTTPS connection through port 443.

You may have noticed that the malware communicates in exactly the same way as any other Dropbox session and uses exactly the same encryption method. This is what makes it so hard to detect.

While in this particular attack it would appear that someone in China is looking for the names of people or organizations behind the recent unrest in Hong Kong (which is why it's attacking the media), normally the same group goes after business interests in the United States and elsewhere in the West. Normally, it operates through spear phishing and uses social engineering to convince recipients of emails with infected files to open them.

Clearly the most effective way to fight this malware is to teach employees not to open email attachments, but until you manage to do that, it's important to protect the endpoints in your network. With the current exploit, even fairly simple antivirus packages should work.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...