The Chinese cyberthreat group known as “admin@338” has developed a new and potentially serious method of attacking enterprises using a resource that’s probably already in use at your organization.
The delivery system uses application programming interfaces (APIs) from Dropbox to hide the attackers’ command and control functions inside an encrypted service where it can’t be found. The research group at FireEye initially found the malware.
As is the case with many malware examples these days, this attack starts out as a phishing attack, using an infected Word document. When the recipient opens the document, the malware payload opens a session with the attacker’s account on Dropbox.
Once the session starts, the malware sends a file to the Dropbox account containing basic information about the infected computer. The command and control system on the Dropbox account then starts controlling the malware on the infected computer, perhaps searching for specific information, or perhaps loading additional malware.
Right now this specific threat is aimed at media outlets located in Hong Kong in the wake of unrest in that former British colony. However, the admin@338 group primarily attacks Western interests and is likely to begin doing so again. Taking precautions now, in advance of any attack against U.S. targets, means you’ll be ready when it happens here, as it certainly will eventually.
According to Nart Villeneuve, a threat intelligence analyst at FireEye and the author of the report describing the attacks, the threat uses an exploit that takes advantage of an older vulnerability in Microsoft Word (CVE-2012-0158) that was patched about three years ago. The malware creates a back door that communicates with Dropbox through its APIs, setting up a secure link that uses an HTTPS connection over port 443.
You may have noticed that the malware communicates in exactly the same way as any other Dropbox session and uses exactly the same encryption method. This is what makes it so hard to detect.
While in this particular attack it would appear that someone in China is looking for the names of people or organizations behind the recent unrest in Hong Kong (which is why it’s attacking the media), normally the same group goes after business interests in the United States and elsewhere in the West. Normally, it operates through spear phishing and uses social engineering to convince recipients of emails with infected files to open them.
Clearly the most effective way to fight this malware is to teach employees not to open email attachments, but until you manage to do that, it’s important to protect the endpoints in your network. With the current exploit, even fairly simple antivirus packages should work.
But there’s no reason to think that an attacker would stick to an old vulnerability. There’s a much greater likelihood that any attack against U.S. interests would use something more sophisticated. This means you will need to be using a more modern approach to endpoint protection rather than simply using the antivirus package you have on hand.
“You’re not going to be able to do everything to protect against this on the wire,” said Craig Young, a cybersecurity researcher for TripWire. “Previously you’d be able to flag traffic going to unknown IP address[es]. But when you’re communicating through cloud services then it gets harder since there are legitimate applications.” Young said that by using Dropbox the attackers are keeping their costs down and also keeping it under the radar.
While it’s possible to prevent attacks such as this by not allowing connections to external public cloud services, it’s unlikely to work for most companies, Young said. The reason is that many companies use those same services for their own operations, which means that blocking access isn’t going to fly.
However, just because you can’t look inside the encrypted Dropbox sessions doesn’t mean the malware can’t be detected. “You wouldn’t be able to detect the first-stage malware at the network level,” Villeneuve said, “but you can detect on the binary itself and you can detect the second stage.”
This is where the practice of using multiple types of defense is so important. If the malware payload happens to be a zero-day attack that a signature-based anti-malware product might miss, you also need behavioral anti-malware products that catch it by what it does. Villeneuve added that some advanced anti-malware products may also be able to alert on the creation of the back door, even if they can’t look inside the encrypted link itself.
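The detection angle Young and Villeneuve describe, that the wire looks like ordinary Dropbox traffic but the endpoint can still tell which process opened the session, is illustrated below with an added example that is not from the FireEye report or from Dropbox. It scans constructed endpoint telemetry (process, parent process, destination) and flags processes other than the Dropbox client talking to the Dropbox API hosts over port 443, with a stronger flag when the process is, or was spawned by, Microsoft Word; the API hostnames, the client executable name and the log format are assumptions.

```python
import csv
import io

# Constructed endpoint telemetry (not real logs): one outbound network-connection
# event per line, as an EDR agent or Sysmon-style sensor would record it.
SAMPLE_EVENTS = """\
host,process,parent,dest_host,dest_port
ws01,Dropbox.exe,explorer.exe,api.dropboxapi.com,443
ws01,chrome.exe,explorer.exe,www.dropbox.com,443
ws02,svchost.exe,services.exe,update.microsoft.com,443
ws03,WINWORD.EXE,explorer.exe,content.dropboxapi.com,443
ws04,update.exe,WINWORD.EXE,api.dropboxapi.com,443
"""

# Assumed Dropbox API endpoints; adjust to what your proxy or DNS logs show.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Processes allowed to speak to the API directly (the official sync client).
ALLOWED_DROPBOX_CLIENTS = {"dropbox.exe"}
# Office binaries: a Word-delivered implant is either Word itself or its child.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}


def parse_events(text):
    """Parse the CSV telemetry into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious(events):
    """Return (host, process, reason) for every unexpected Dropbox API session.

    Traffic to the API over 443 is indistinguishable on the wire from the real
    client, so the signal is the process identity, not the destination.
    """
    findings = []
    for e in events:
        if e["dest_host"].lower() not in DROPBOX_API_HOSTS or e["dest_port"] != "443":
            continue  # not an API session; browser use of www.dropbox.com is ignored
        proc, parent = e["process"].lower(), e["parent"].lower()
        if proc in ALLOWED_DROPBOX_CLIENTS:
            continue  # the sanctioned client is expected to talk to the API
        if proc in OFFICE_PROCESSES or parent in OFFICE_PROCESSES:
            reason = "Office process or its child opened a Dropbox API session"
        else:
            reason = "non-Dropbox process opened a Dropbox API session"
        findings.append((e["host"], e["process"], reason))
    return findings


if __name__ == "__main__":
    for host, proc, reason in find_suspicious(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {proc}: {reason}")
```

The same logic applies to any other cloud service whose API the sanctioned client is expected to use; the allowlist is the part that changes.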
Villeneuve said that the type of targets being attacked by admin@338 makes him suspect that the government of China is behind the attacks, but he also noted that he doesn’t have the evidence he needs to say this with a high degree of confidence.
Regardless of whether the government of China is behind these attacks, you’re now warned that this new method of using cloud service APIs to attack you is coming. The good news in this particular case is that the folks at FireEye and those at Dropbox collaborated to shut down this particular set of hackers, at least for now.
But now that they have successfully used one cloud service, they know they can use many more such services, and aim all of them at you. This is the time to beef up your protection, and start learning how you can provide defense in depth.